Merge pull request #2825 from pi-hole/development

Pi-hole FTL v6.6

Author: PromoFaux

.github/workflows/build.yml

@@ -104,18 +104,18 @@ jobs:
       # QEMU should come before Buildx
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 #v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
       -
         name: Print directory contents
         shell: bash
         run: ls -l
       -
         name: Build FTL in ftl-build container (QEMU)
         # Creates an image to build FTL and load it into the local Docker daemon
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 #v4.0.0
         with:
           max_attempts: 3
           timeout_minutes: 15
@@ -134,7 +134,7 @@ jobs:
         name: Test FTL in ftl-build container (QEMU)
         # Uses the ftl-builder image to run tests
         # set STATIC to true for all except clang builds as we do in build.sh
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 #v4.0.0
         with:
           max_attempts: 3
           timeout_minutes: 10
@@ -169,13 +169,13 @@ jobs:
           sha1sum pihole-FTL-* > ${{ matrix.bin_name }}.sha1
       -
         name: Upload pihole-FTL binary
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
         with:
           name: ${{ matrix.bin_name }}-binary
           path: '${{ matrix.bin_name }}*'
       -
         name: Generate artifact attestation
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f #v3.2.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 #v4.1.0
         # Skip attestation if ACTIONS_ID_TOKEN_REQUEST_URL env variable is not
         # available (e.g., PR originating from a fork)
         if: env.DO_DEPLOY == 'true' && env.ACTIONS_ID_TOKEN_REQUEST_URL != ''
@@ -184,21 +184,21 @@ jobs:
       -
         name: Upload documentation files
         if: matrix.bin_name == 'pihole-FTL-amd64'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
         with:
           name: pihole-api-docs
           path: 'api-docs.tar.gz'
       -
         name: Upload pihole.toml template
         if: matrix.bin_name == 'pihole-FTL-amd64'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
         with:
           name: pihole-toml
           path: 'pihole.toml'
       -
         name: Get binaries built in previous jobs
         if: env.DO_DEPLOY == 'true'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         id: download
         with:
           path: ftl_builds/
@@ -207,14 +207,14 @@ jobs:
       -
         name: Get documentation files built in previous jobs
         if: env.DO_DEPLOY == 'true' && matrix.bin_name == 'pihole-FTL-amd64'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           path: ftl_builds/
           name: pihole-api-docs
       -
         name: Get pihole.toml built in previous job
         if: env.DO_DEPLOY == 'true' && matrix.bin_name == 'pihole-FTL-amd64'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           path: ftl_builds/
           name: pihole-toml
@@ -265,7 +265,7 @@ jobs:
       -
         name: Attach binaries to release
         if: github.event_name == 'release'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b #v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe #v2.6.1
         with:
           tag_name: ${{ github.event.release.tag_name }}
           files: |

.github/workflows/codeql.yml

@@ -87,7 +87,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 #v4.32.3
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -110,14 +110,14 @@ jobs:
         ./build.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 #v4.32.3
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1
       with:
         category: "/language:${{matrix.language}}"
         upload: failure-only # upload only in case of failure, otherwise upload later after filtering
         output: codeql-results
 
     - name: Filter SARIF
-      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d #v1.0.1
+      uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 #v1.1.0.1.1
       with:
         # filter out third-party dependencies
         patterns: |
@@ -136,13 +136,13 @@ jobs:
         output: codeql-results/cpp.sarif
 
     - name: Upload SARIF
-      uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 #v4.32.3
+      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1
       with:
         sarif_file: codeql-results/cpp.sarif
 
     - name: Upload CodeQL results as an artifact
       if: success() || failure()
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: codeql-results
         path: codeql-results

.github/workflows/openapi-validator.yml

@@ -15,7 +15,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6.3.0
         with:
           node-version: "20"
           cache: npm

.github/workflows/stale.yml

@@ -17,7 +17,7 @@ jobs:
       issues: write
 
     steps:
-    - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d #v10.1.1
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f #v10.2.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         days-before-stale: 30

.github/workflows/stale_pr.yml

@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d #v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f #v10.2.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           # Do not automatically mark PR/issue as stale

.vscode/c_cpp_properties.json

@@ -5,7 +5,7 @@
             "includePath": [
                 "${workspaceFolder}/src/**"
             ],
-            "compileCommands": "${workspaceFolder}/build/compile_commands.json",
+            "compileCommands": "${workspaceFolder}/cmake/compile_commands.json",
             "defines": [],
             "compilerPath": "/usr/bin/gcc",
             "cStandard": "gnu17",

build.sh

@@ -15,6 +15,13 @@ set -e
 # Set builddir
 builddir="cmake/"
 
+# Enable export of compile commands so IDEs like VSCode can use this information
+# when rendering active and disabled code paths, e.g., for #ifdefs. The
+# compile_commands.json file is generated in the package specific build
+# directory containing the exact compiler calls for all translation units of the
+# project in machine-readable form (JSON).
+export CMAKE_EXPORT_COMPILE_COMMANDS=ON
+
 # Parse arguments
 # If the first argument starts in "-D", we pass it to CMake
 if [[ "${1}" == "-D"* ]]; then

src/CMakeLists.txt

@@ -348,10 +348,37 @@ add_subdirectory(config)
 add_subdirectory(tools)
 add_subdirectory(ntp)
 
+# optional headers - may depend on type or version of the C standard library
+include(CheckIncludeFile)
+
+check_include_file("sys/random.h" HAVE_RANDOM_H)
+if(HAVE_RANDOM_H)
+    target_compile_definitions(config PRIVATE USE_GETRANDOM)
+    target_compile_definitions(core PRIVATE USE_GETRANDOM)
+endif()
+
+# <unwind.h> is part of GCC's libgcc — available on ALL targets (musl+glibc, static+dynamic)
+# _Unwind_Backtrace() is already linked via -lgcc/-static-libgcc; no find_library needed
+check_include_file("unwind.h" HAVE_UNWIND_H)
+if(HAVE_UNWIND_H)
+    target_compile_definitions(core PRIVATE USE_UNWIND)
+    message(STATUS "Building FTL with _Unwind_Backtrace support: YES")
+else()
+    message(STATUS "Building FTL with _Unwind_Backtrace support: NO")
+endif()
+
+# Embed the source root so crash backtraces can show project-relative paths
+# (e.g. "src/args.c" instead of "/home/user/FTL/src/args.c").
+target_compile_definitions(core PRIVATE SOURCE_ROOT="${CMAKE_SOURCE_DIR}/")
+
+
+
+option(USE_READLINE "Build FTL with readline support, if available" ON)
+
 find_library(LIBREADLINE NAMES libreadline${LIBRARY_SUFFIX} readline)
 find_library(LIBHISTORY NAMES libhistory${LIBRARY_SUFFIX} history)
 find_library(LIBTERMCAP NAMES libtermcap${LIBRARY_SUFFIX} termcap)
-if(LIBREADLINE AND LIBHISTORY AND LIBTERMCAP)
+if(LIBREADLINE AND LIBHISTORY AND LIBTERMCAP AND USE_READLINE)
     message(STATUS "Building FTL with readline support: YES")
     target_compile_definitions(lua PRIVATE LUA_USE_READLINE)
     target_compile_definitions(sqlite3 PRIVATE HAVE_READLINE)
@@ -364,19 +391,21 @@ if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
     set(CMAKE_INSTALL_PREFIX "/usr" CACHE PATH "..." FORCE)
 endif()
 
+option(USE_MBED_TLS "Build FTL with TLS support, if available" ON)
+
 find_library(LIBMBEDCRYPTO NAMES lmbedcrypto${LIBRARY_SUFFIX} mbedcrypto)
 find_library(LIBMBEDX509 NAMES lmbedx509${LIBRARY_SUFFIX} mbedx509)
 find_library(LIBMBEDTLS NAMES lmbedtls${LIBRARY_SUFFIX} mbedtls)
-if(LIBMBEDCRYPTO AND LIBMBEDX509 AND LIBMBEDTLS)
-    # Enable TLS support in civetweb if mbedTLS is available
+if(LIBMBEDCRYPTO AND LIBMBEDX509 AND LIBMBEDTLS AND USE_MBED_TLS)
+    # Enable TLS support in civetweb if mbedTLS is selected and available
     message(STATUS "Building FTL with TLS support: YES")
     target_compile_definitions(core PRIVATE HAVE_MBEDTLS)
     target_compile_definitions(civetweb PRIVATE USE_MBEDTLS)
     target_compile_definitions(webserver PRIVATE HAVE_MBEDTLS)
     # Link against the mbedTLS libraries, the order is important (!)
     target_link_libraries(pihole-FTL ${LIBMBEDTLS} ${LIBMBEDX509} ${LIBMBEDCRYPTO})
 else()
-    # Disable TLS support in civetweb if mbedTLS is not available
+    # Disable TLS support in civetweb if mbedTLS is not selected or not available
     message(STATUS "Building FTL with TLS support: NO")
     target_compile_definitions(civetweb PRIVATE NO_SSL)
 endif()

src/api/action.c

@@ -22,6 +22,8 @@
 // flush_network_table()
 #include "database/network-table.h"
 #include "config/config.h"
+// gravity_running
+#include "daemon.h"
 
 static int run_and_stream_command(struct ftl_conn *api, const char *path, const char *const args[], const char *extra_env)
 {
@@ -57,6 +59,18 @@ static int run_and_stream_command(struct ftl_conn *api, const char *path, const
 		if(extra_env != NULL)
 			setenv(extra_env, "1", 1);
 
+		// Detach child into its own session/process group so signals
+		// sent to the parent's process group (like SIGTERM) do not
+		// propagate to this child.
+		(void)setsid();
+
+		// Ignore SIGTERM so systemd's cgroup-level kill (the
+		// default KillMode=control-group sends SIGTERM to ALL
+		// processes in the cgroup) doesn't terminate gravity
+		// mid-run. SIG_IGN is preserved across execv(), unlike
+		// custom handlers which are reset to SIG_DFL.
+		signal(SIGTERM, SIG_IGN);
+
 		// Run pihole -g
 		execv(path, (char *const *)args);
 
@@ -129,7 +143,16 @@ int api_action_gravity(struct ftl_conn *api)
 		get_bool_var(query, "color", &color);
 
 	const char *extra_env = color ? "FORCE_COLOR" : NULL;
-	return run_and_stream_command(api, "/usr/local/bin/pihole", (const char *const []){ "pihole", "-g", NULL }, extra_env);
+
+	gravity_running = 1;
+	const int ret = run_and_stream_command(api, "/usr/local/bin/pihole", (const char *const []){ "pihole", "-g", NULL }, extra_env);
+	gravity_running = 0;
+
+	// If a termination/restart was requested while gravity was running,
+	// act on it now rather than waiting up to ~1s for the GC thread to pick it up
+	check_if_want_terminate();
+
+	return ret;
 }
 
 int api_action_restartDNS(struct ftl_conn *api)

src/api/api.h

@@ -101,7 +101,7 @@ int api_list(struct ftl_conn *api);
 int api_group(struct ftl_conn *api);
 
 // Auth method
-void init_api(void);
+void init_api_sessions(void);
 void free_api(void);
 int check_client_auth(struct ftl_conn *api, const bool is_api);
 int api_auth(struct ftl_conn *api);