fix(shared-ols): review fixes — watcher starvation, atomic render, O(N) chown, safe meta parse

Addresses the local code-review on the OLS-tier images: - [HIGH] ols-htaccess-watcher.sh: the debounce drain read ALL inotify events unfiltered, so on a busy multi-tenant server it never timed out and the restart was STARVED (rewrite changes silently never applied). Now coalesces with a hard DEBOUNCE-bounded window. Verified under continuous noise. - [HIGH] render-shared-ols-config.sh: built httpd_config.conf in-place across several appends, so a concurrent OLS restart (watcher) or parallel render could read a half-written config and 503 the whole tier. Now flock-serialized, built in a temp file and atomically moved into place; refuses to publish empty. - [MED] render + entrypoint: replaced recursive chown of the whole conf tree (O(N-sites) on every single-site change / boot) with a targeted chown of just the file written. - [MED] render: parse site.meta with sed instead of sourcing it (do not execute panel-written data as shell). - [cleanup] removed the unused configs/shared-ols/vhconf.tpl (the panel copy is the single source; the image never read it). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 08:34:55 -07:00
parent 7552760ba0
commit 6bb494c72f
4 changed files with 65 additions and 87 deletions
--- a/configs/shared-ols/vhconf.tpl
+++ b/configs/shared-ols/vhconf.tpl
@@ -1,72 +0,0 @@
-## Per-site OLS vhost detail — rendered by the WHP panel (shared_ols_manager)
-## to $SITES_ROOT/<vhname>/vhconf.conf and referenced from the vhost stanza's
-## `configFile` in httpd_config.conf. ~~PLACEHOLDERS~~ are filled by the panel
-## (matches the shared-vhost-template.tpl convention). One directive per line —
-## OLS PlainConf does NOT accept ';' separators.
-##
-## docRoot is /mnt/users/<user>/<domain>/public_html — the shared-ols container's
-## view (bulk /docker/users->/mnt/users mount). OLS sends lsphp exactly this path
-## (no remap); the cac-lsphp sidecar symlinks /mnt/users/<user>/<domain> -> its
-## real /home/<user> mount, so PHP canonicalises it to /home/<user>/public_html.
-
-docRoot                   ~~DOCROOT~~
-enableScript              1
-
-## Remote detached lsphp over LSAPI/TCP. address = the site's sidecar container
-## on the docker network. autoStart 0 = OLS NEVER spawns it (it's a separate
-## container). maxConns MUST equal the sidecar's PHP_LSAPI_CHILDREN — the panel
-## writes both from the single fpm_max_children value so they can't drift.
-## NO `env` lines: detached lsphp owns its env in the sidecar (spec 5.2).
-## NOTE on `path`: required syntactically but UNUSED for a remote autoStart-0
-## processor (OLS never spawns it). Point it at a path that always exists in the
-## shared-ols image (the stock fcgi-bin/lsphp), NOT a version-specific
-## /usr/local/lsws/lsphpNN — the shared-ols image carries only one lsphp build,
-## while sites may run any PHP version on their sidecar. The sidecar owns the
-## real PHP runtime/version.
-extprocessor ~~VHNAME~~_lsphp {
-  type                    lsapi
-  address                 ~~SIDECAR~~:9000
-  maxConns                ~~MAXCONNS~~
-  autoStart               0
-  path                    /usr/local/lsws/fcgi-bin/lsphp
-  initTimeout             60
-  retryTimeout            0
-  respBuffer              0
-  persistConn             1
-}
-
-scripthandler {
-  add                     lsapi:~~VHNAME~~_lsphp php
-}
-
-## context / drives static serving + .htaccess. RewriteFile .htaccess is OLS's
-## autoLoadHtaccess equivalent — re-read on graceful restart (the watcher
-## triggers that within the documented window).
-context / {
-  allowBrowse             1
-  location                $DOC_ROOT/
-  rewrite {
-    enable                1
-    RewriteFile           .htaccess
-  }
-  addDefaultCharset       off
-}
-
-## LSCache is enabled at MODULE scope (httpd_config_base.tpl) and honored per
-## response via the LiteSpeed Cache WP plugin's X-LiteSpeed-Cache-Control
-## headers — a `configFile`-loaded vhost in OLS 1.8.4 does NOT accept a bare
-## `cache {}` block (verified 2026-06-10), so there is intentionally no per-vhost
-## cache block here. OLS stores each vhost's cache in its own subdir under the
-## module storagePath automatically (per-vhost isolation, spec 5.2).
-
-## Per-vhost logs in the shared-ols container's OWN writable log dir (NOT
-## /home/<user>, which doesn't exist here, and NOT the read-only /mnt/users mount).
-errorlog /usr/local/lsws/logs/~~VHNAME~~.error_log {
-  logLevel                WARN
-  rollingSize             50M
-  keepDays                7
-}
-accesslog /usr/local/lsws/logs/~~VHNAME~~.access_log {
-  rollingSize             50M
-  keepDays                7
-}