[documentation] Update manuals with new options.

documentation/manuals/archiver.1.man

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "KAWIPIKO-ARCHIVER" "1" "2022-09-02" "volution.ro" "kawipiko"
+.TH "KAWIPIKO-ARCHIVER" "1" "2022-09-11" "volution.ro" "kawipiko"
 .SH NAME
 kawipiko -- blazingly fast static HTTP server \- kawipiko-archiver
 .INDENT 0.0
@@ -47,12 +47,12 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-archiver
 .nf
 .ft C
 \-\-sources <path>
-
 \-\-archive <path>
 
 \-\-compress <gzip | zopfli | brotli | identity>
 \-\-compress\-level <number>
 \-\-compress\-cache <path>
+\-\-sources\-cache  <path>
 
 \-\-exclude\-index
 \-\-exclude\-strip
@@ -124,7 +124,7 @@ The compression level can be chosen, the value depending on the algorithm:
 .UNINDENT
 .UNINDENT
 .sp
-\fB\-\-sources\-cache <path>\fP, and \fB\-\-compress\-cache <path>\fP
+\fB\-\-compress\-cache <path>\fP, and \fB\-\-sources\-cache <path>\fP
 .INDENT 0.0
 .INDENT 3.5
 At the given path a single file is created (that is an BBolt database), that will be used to cache the following information:

documentation/manuals/archiver.html

@@ -370,12 +370,12 @@ ul.auto-toc {
 </pre>
 <pre class="literal-block">
 --sources &lt;path&gt;
-
 --archive &lt;path&gt;
 
 --compress &lt;gzip | zopfli | brotli | identity&gt;
 --compress-level &lt;number&gt;
 --compress-cache &lt;path&gt;
+--sources-cache  &lt;path&gt;
 
 --exclude-index
 --exclude-strip
@@ -420,7 +420,7 @@ The path to the target CDB file that contains the archived static content.</bloc
 <li><tt class="docutils literal">kawipiko</tt> by default uses the maximum compression level for each algorithm;  (i.e. <tt class="docutils literal">9</tt> for <tt class="docutils literal">gzip</tt>, <tt class="docutils literal">30</tt> for <tt class="docutils literal">zopfli</tt>, and <tt class="docutils literal"><span class="pre">-2</span></tt> for <tt class="docutils literal">brotli</tt>;)</li>
 </ul>
 </blockquote>
-<p><tt class="docutils literal"><span class="pre">--sources-cache</span> &lt;path&gt;</tt>, and <tt class="docutils literal"><span class="pre">--compress-cache</span> &lt;path&gt;</tt></p>
+<p><tt class="docutils literal"><span class="pre">--compress-cache</span> &lt;path&gt;</tt>, and <tt class="docutils literal"><span class="pre">--sources-cache</span> &lt;path&gt;</tt></p>
 <blockquote>
 <p>At the given path a single file is created (that is an BBolt database), that will be used to cache the following information:</p>
 <ul class="simple">

documentation/manuals/archiver.rst

@@ -19,12 +19,12 @@ kawipiko -- blazingly fast static HTTP server
 ::
 
     --sources <path>
-
     --archive <path>
 
     --compress <gzip | zopfli | brotli | identity>
     --compress-level <number>
     --compress-cache <path>
+    --sources-cache  <path>
 
     --exclude-index
     --exclude-strip
@@ -80,7 +80,7 @@ Flags
     * (by "algorithm default", it is meant "what that algorithm considers the recommended default compression level";)
     * ``kawipiko`` by default uses the maximum compression level for each algorithm;  (i.e. ``9`` for ``gzip``, ``30`` for ``zopfli``, and ``-2`` for ``brotli``;)
 
-``--sources-cache <path>``, and ``--compress-cache <path>``
+``--compress-cache <path>``, and ``--sources-cache <path>``
 
     At the given path a single file is created (that is an BBolt database), that will be used to cache the following information:
 

documentation/manuals/archiver.txt

@@ -9,12 +9,12 @@ NAME
           >> kawipiko-archiver --man
 
           --sources <path>
-
           --archive <path>
 
           --compress <gzip | zopfli | brotli | identity>
           --compress-level <number>
           --compress-cache <path>
+          --sources-cache  <path>
 
           --exclude-index
           --exclude-strip
@@ -80,7 +80,7 @@ FLAGS
           • kawipiko by default uses the maximum compression level for each
             algorithm;  (i.e. 9 for gzip, 30 for zopfli, and -2 for brotli;)
 
-       --sources-cache <path>, and --compress-cache <path>
+       --compress-cache <path>, and --sources-cache <path>
           At the given path a single file is created (that is an BBolt
           database), that will be used to cache the following information:
 
@@ -213,4 +213,4 @@ SYMLINKS, HARDLINKS, LOOPS, AND DUPLICATED FILES
 
 
 
-volution.ro                       2022-09-02              KAWIPIKO-ARCHIVER(1)
+volution.ro                       2022-09-11              KAWIPIKO-ARCHIVER(1)

documentation/manuals/server.1.man

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "KAWIPIKO-SERVER" "1" "2022-09-02" "volution.ro" "kawipiko"
+.TH "KAWIPIKO-SERVER" "1" "2022-09-11" "volution.ro" "kawipiko"
 .SH NAME
 kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 .INDENT 0.0
@@ -69,6 +69,7 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 
 \-\-processes <count>       (of slave processes)
 \-\-threads <count>         (of threads per process)
+
 \-\-index\-all
 \-\-index\-paths
 \-\-index\-data\-meta
@@ -80,6 +81,8 @@ kawipiko -- blazingly fast static HTTP server \- kawipiko-server
 \-\-security\-headers\-disable
 \-\-security\-headers\-tls
 
+\-\-seccomp\-enable
+\-\-limit\-descriptors <count>
 \-\-limit\-memory      <MiB>
 \-\-timeout\-disable
 
@@ -292,6 +295,25 @@ These instruct the browser to always use HTTPS for the served domain.
 .UNINDENT
 .UNINDENT
 .sp
+\fB\-\-seccomp\-enable\fP
+.INDENT 0.0
+.INDENT 3.5
+On Linux, and if supported, enable a strict \fBseccomp\fP filter to reduce the potential attack surface in case of a security issue.
+.sp
+The current filter is the minimal set of \fBsyscall\fP\(aqs required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non\-required \fBsyscall\fP\(aqs are filtered.
+.sp
+(At the moment the filter is quite strict and determined by experimentation.  If you enable \fBseccomp\fP and the server is \fBkill\fP\-ed, check \fBauditd\fP logs for the problematic \fBsyscall\fP and open an issue report.)
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-\-limit\-descriptors\fP, and \fB\-\-limit\-memory\fP
+.INDENT 0.0
+.INDENT 3.5
+Constrains resource usage by configuring via \fBsetrlimit\fP either \fBRLIMIT_NOFILE\fP (in case of descriptors) or both \fBRLIMIT_DATA\fP and \fBRLIMIT_AS\fP (in case of memory).
+.UNINDENT
+.UNINDENT
+.sp
 \fB\-\-report\fP
 .INDENT 0.0
 .INDENT 3.5

documentation/manuals/server.html

@@ -392,6 +392,7 @@ ul.auto-toc {
 
 --processes <count>       (of slave processes)
 --threads <count>         (of threads per process)
+
 --index-all
 --index-paths
 --index-data-meta
@@ -403,6 +404,8 @@ ul.auto-toc {
 --security-headers-disable
 --security-headers-tls
 
+--seccomp-enable
+--limit-descriptors <count>
 --limit-memory      <MiB>
 --timeout-disable
 
@@ -524,6 +527,16 @@ Content-Security-Policy: upgrade-insecure-requests
 <p>These instruct the browser to always use HTTPS for the served domain.
 (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)</p>
 </blockquote>
+<p><tt class="docutils literal"><span class="pre">--seccomp-enable</span></tt></p>
+<blockquote>
+<p>On Linux, and if supported, enable a strict <tt class="docutils literal">seccomp</tt> filter to reduce the potential attack surface in case of a security issue.</p>
+<p>The current filter is the minimal set of <tt class="docutils literal">syscall</tt>'s required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non-required <tt class="docutils literal">syscall</tt>'s are filtered.</p>
+<p>(At the moment the filter is quite strict and determined by experimentation.  If you enable <tt class="docutils literal">seccomp</tt> and the server is <tt class="docutils literal">kill</tt>-ed, check <tt class="docutils literal">auditd</tt> logs for the problematic <tt class="docutils literal">syscall</tt> and open an issue report.)</p>
+</blockquote>
+<p><tt class="docutils literal"><span class="pre">--limit-descriptors</span></tt>, and <tt class="docutils literal"><span class="pre">--limit-memory</span></tt></p>
+<blockquote>
+Constrains resource usage by configuring via <tt class="docutils literal">setrlimit</tt> either <tt class="docutils literal">RLIMIT_NOFILE</tt> (in case of descriptors) or both <tt class="docutils literal">RLIMIT_DATA</tt> and <tt class="docutils literal">RLIMIT_AS</tt> (in case of memory).</blockquote>
 <p><tt class="docutils literal"><span class="pre">--report</span></tt></p>
 <blockquote>
 Enables periodic reporting of various metrics.

documentation/manuals/server.rst

@@ -40,6 +40,7 @@ kawipiko -- blazingly fast static HTTP server
 
     --processes <count>       (of slave processes)
     --threads <count>         (of threads per process)
+
     --index-all
     --index-paths
     --index-data-meta
@@ -51,6 +52,8 @@ kawipiko -- blazingly fast static HTTP server
     --security-headers-disable
     --security-headers-tls
 
+    --seccomp-enable
+    --limit-descriptors <count>
     --limit-memory      <MiB>
     --timeout-disable
 
@@ -192,6 +195,19 @@ Flags
     These instruct the browser to always use HTTPS for the served domain.
     (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)
 
+``--seccomp-enable``
+
+    On Linux, and if supported, enable a strict ``seccomp`` filter to reduce the potential attack surface in case of a security issue.
+
+    The current filter is the minimal set of ``syscall``'s required to have the server working (thus quite safe).
+    At each stage (opening the archive, indexing the archive, serving the archive) the non-required ``syscall``'s are filtered.
+
+    (At the moment the filter is quite strict and determined by experimentation.  If you enable ``seccomp`` and the server is ``kill``-ed, check ``auditd`` logs for the problematic ``syscall`` and open an issue report.)
+
+``--limit-descriptors``, and ``--limit-memory``
+
+    Constrains resource usage by configuring via ``setrlimit`` either ``RLIMIT_NOFILE`` (in case of descriptors) or both ``RLIMIT_DATA`` and ``RLIMIT_AS`` (in case of memory).
+
 ``--report``
 
     Enables periodic reporting of various metrics.

documentation/manuals/server.txt

@@ -31,6 +31,7 @@ NAME
 
           --processes <count>       (of slave processes)
           --threads <count>         (of threads per process)
+
           --index-all
           --index-paths
           --index-data-meta
@@ -42,6 +43,8 @@ NAME
           --security-headers-disable
           --security-headers-tls
 
+          --seccomp-enable
+          --limit-descriptors <count>
           --limit-memory      <MiB>
           --timeout-disable
 
@@ -220,6 +223,25 @@ FLAGS
           domain.  (Useful even without HTTPS, when used behind a TLS
           terminator, load-balancer or proxy that do support HTTPS.)
 
+       --seccomp-enable
+          On Linux, and if supported, enable a strict seccomp filter to reduce
+          the potential attack surface in case of a security issue.
+
+          The current filter is the minimal set of syscall's required to have
+          the server working (thus quite safe).  At each stage (opening the
+          archive, indexing the archive, serving the archive) the non-required
+          syscall's are filtered.
+
+          (At the moment the filter is quite strict and determined by
+          experimentation.  If you enable seccomp and the server is kill-ed,
+          check auditd logs for the problematic syscall and open an issue
+          report.)
+
+       --limit-descriptors, and --limit-memory
+          Constrains resource usage by configuring via setrlimit either
+          RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and
+          RLIMIT_AS (in case of memory).
+
        --report
           Enables periodic reporting of various metrics.  Also enables
           reporting a selection of metrics if certain thresholds are matched
@@ -258,4 +280,4 @@ FLAGS
 
 
 
-volution.ro                       2022-09-02                KAWIPIKO-SERVER(1)
+volution.ro                       2022-09-11                KAWIPIKO-SERVER(1)

sources/cmd/archiver/manual.txt

@@ -9,12 +9,12 @@ NAME
           >> kawipiko-archiver --man
 
           --sources <path>
-
           --archive <path>
 
           --compress <gzip | zopfli | brotli | identity>
           --compress-level <number>
           --compress-cache <path>
+          --sources-cache  <path>
 
           --exclude-index
           --exclude-strip
@@ -80,7 +80,7 @@ FLAGS
           • kawipiko by default uses the maximum compression level for each
             algorithm;  (i.e. 9 for gzip, 30 for zopfli, and -2 for brotli;)
 
-       --sources-cache <path>, and --compress-cache <path>
+       --compress-cache <path>, and --sources-cache <path>
           At the given path a single file is created (that is an BBolt
           database), that will be used to cache the following information:
 
@@ -213,4 +213,4 @@ SYMLINKS, HARDLINKS, LOOPS, AND DUPLICATED FILES
 
 
 
-volution.ro                       2022-09-02              KAWIPIKO-ARCHIVER(1)
+volution.ro                       2022-09-11              KAWIPIKO-ARCHIVER(1)

sources/cmd/archiver/usage.txt

@@ -2,14 +2,12 @@
   kawipiko-archiver
 
     --sources <path>
-
     --archive <path>
 
     --compress <gzip | zopfli | brotli | identity>
     --compress-level <number>
-
-    --sources-cache <path>
     --compress-cache <path>
+    --sources-cache  <path>
 
     --exclude-index
     --exclude-strip

sources/cmd/server/manual.html

@@ -392,6 +392,7 @@ ul.auto-toc {
 
 --processes <count>       (of slave processes)
 --threads <count>         (of threads per process)
+
 --index-all
 --index-paths
 --index-data-meta
@@ -403,6 +404,8 @@ ul.auto-toc {
 --security-headers-disable
 --security-headers-tls
 
+--seccomp-enable
+--limit-descriptors <count>
 --limit-memory      <MiB>
 --timeout-disable
 
@@ -524,6 +527,16 @@ Content-Security-Policy: upgrade-insecure-requests
 <p>These instruct the browser to always use HTTPS for the served domain.
 (Useful even without HTTPS, when used behind a TLS terminator, load-balancer or proxy that do support HTTPS.)</p>
 </blockquote>
+<p><tt class="docutils literal"><span class="pre">--seccomp-enable</span></tt></p>
+<blockquote>
+<p>On Linux, and if supported, enable a strict <tt class="docutils literal">seccomp</tt> filter to reduce the potential attack surface in case of a security issue.</p>
+<p>The current filter is the minimal set of <tt class="docutils literal">syscall</tt>'s required to have the server working (thus quite safe).
+At each stage (opening the archive, indexing the archive, serving the archive) the non-required <tt class="docutils literal">syscall</tt>'s are filtered.</p>
+<p>(At the moment the filter is quite strict and determined by experimentation.  If you enable <tt class="docutils literal">seccomp</tt> and the server is <tt class="docutils literal">kill</tt>-ed, check <tt class="docutils literal">auditd</tt> logs for the problematic <tt class="docutils literal">syscall</tt> and open an issue report.)</p>
+</blockquote>
+<p><tt class="docutils literal"><span class="pre">--limit-descriptors</span></tt>, and <tt class="docutils literal"><span class="pre">--limit-memory</span></tt></p>
+<blockquote>
+Constrains resource usage by configuring via <tt class="docutils literal">setrlimit</tt> either <tt class="docutils literal">RLIMIT_NOFILE</tt> (in case of descriptors) or both <tt class="docutils literal">RLIMIT_DATA</tt> and <tt class="docutils literal">RLIMIT_AS</tt> (in case of memory).</blockquote>
 <p><tt class="docutils literal"><span class="pre">--report</span></tt></p>
 <blockquote>
 Enables periodic reporting of various metrics.

sources/cmd/server/manual.txt

@@ -31,6 +31,7 @@ NAME
 
           --processes <count>       (of slave processes)
           --threads <count>         (of threads per process)
+
           --index-all
           --index-paths
           --index-data-meta
@@ -42,6 +43,8 @@ NAME
           --security-headers-disable
           --security-headers-tls
 
+          --seccomp-enable
+          --limit-descriptors <count>
           --limit-memory      <MiB>
           --timeout-disable
 
@@ -220,6 +223,25 @@ FLAGS
           domain.  (Useful even without HTTPS, when used behind a TLS
           terminator, load-balancer or proxy that do support HTTPS.)
 
+       --seccomp-enable
+          On Linux, and if supported, enable a strict seccomp filter to reduce
+          the potential attack surface in case of a security issue.
+
+          The current filter is the minimal set of syscall's required to have
+          the server working (thus quite safe).  At each stage (opening the
+          archive, indexing the archive, serving the archive) the non-required
+          syscall's are filtered.
+
+          (At the moment the filter is quite strict and determined by
+          experimentation.  If you enable seccomp and the server is kill-ed,
+          check auditd logs for the problematic syscall and open an issue
+          report.)
+
+       --limit-descriptors, and --limit-memory
+          Constrains resource usage by configuring via setrlimit either
+          RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and
+          RLIMIT_AS (in case of memory).
+
        --report
           Enables periodic reporting of various metrics.  Also enables
           reporting a selection of metrics if certain thresholds are matched
@@ -258,4 +280,4 @@ FLAGS
 
 
 
-volution.ro                       2022-09-02                KAWIPIKO-SERVER(1)
+volution.ro                       2022-09-11                KAWIPIKO-SERVER(1)

sources/cmd/server/usage.txt

@@ -36,6 +36,8 @@
     --security-headers-disable
     --security-headers-tls
 
+    --secomp-enable
+    --limit-descriptors <count>
     --limit-memory      <MiB>
     --timeout-disable