Fix remote server socket path exceeding sun_path limit#11009
Conversation
|
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
kevinyang372
changed the title
![oz-for-oss[bot]](https://avatars.githubusercontent.com/in/3450139?s=60&v=4){kind=small}
There was a problem hiding this comment.
Overview
This PR shortens the versioned remote-server socket and PID filenames and adds an early proxy-side path length guard for Unix domain socket limits.
Concerns
- The new
server-{hash}.sockname is still too long for the same realistic identity/home inputs on longer channel directories such as.warp-preview, so Preview users can continue to exceedsun_pathand fail before the daemon starts.
Verdict
Found: 0 critical, 1 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
|
/oz-review |
|
I'm re-reviewing this pull request in response to a review request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
There was a problem hiding this comment.
Overview
This PR shortens remote-server daemon socket/PID paths by hashing the version and identity components, then adds a proxy-side sun_path length guard.
Concerns
- Hashing the identity directory changes the location used by
remote_server_daemon_data_dir, which stores the remote daemon SQLite database, so existing per-identity state under the previous percent-encoded directory becomes unreachable without a migration. - The same new identity directory is only an 8-hex-character hash; because it scopes the daemon socket and data directory, collisions can make distinct identity keys share daemon/data state.
Security
- The 32-bit identity hash is used for identity-scoped daemon/data isolation; a collision can cross-contaminate daemon state between distinct identities.
Verdict
Found: 0 critical, 1 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
| encoded | ||
| let mut hasher = std::collections::hash_map::DefaultHasher::new(); | ||
| identity_key.hash(&mut hasher); | ||
| format!("{:016x}", hasher.finish())[..8].to_string() |
There was a problem hiding this comment.
remote_server_daemon_data_dir stores the daemon SQLite DB under this directory, so this can orphan existing state or make two identities share daemon/data state. Use a stable digest with enough bits and migrate from the previous percent-encoded directory before switching.
There was a problem hiding this comment.
We don't need migration here. SQLite DB is unused right now
There was a problem hiding this comment.
cool, as long as we use the actual right identity key for sqlite directory i'm good
| anyhow::bail!( | ||
| "daemon socket path is {path_len} bytes, which exceeds the \ | ||
| platform sun_path limit of {SUN_PATH_MAX} bytes: {}", | ||
| socket_path.display() |
There was a problem hiding this comment.
In the case we hit this, what do we or the user do?
There was a problem hiding this comment.
This is realistically never going to happen after this fix. It is just a safe guard so we could return clearer errors rather than hitting generic timeout
) ## Description PR warpdotdev#10782 ("Version aware daemon socket") changed daemon socket filenames from `server.sock` (11 chars) to `server-v0.2026.05.13.09.15.stable_01.sock` (41 chars), adding ~30 bytes to the Unix domain socket path. This pushes users over the `sun_path` limit (107 bytes on Linux, 103 on macOS), causing `UnixListener::bind` to fail silently in the daemon. The proxy then times out after 10s, exits with code 1, and the client sees `ResponseChannelClosed`. This accounts for the ~20% drop in remote server initialization success rate (90% → 70%). Sentry issue: WARP-CLIENT-BETA-STABLE-7M9M (11 occurrences across 9 users, all anonymous with 36-char UUID identity keys). **Fix (two changes):** 1. **Hash the version string** in socket/PID filenames to an 8-hex-char suffix (`server-a1b2c3d4.sock`, 20 chars) instead of the full version string (41 chars). 2. **Hash the identity key** directory name to 8 hex chars instead of using the raw identity key (up to 36 chars for anonymous UUIDs). This is needed because longer channel base dirs like `.warp-preview` (+8 chars vs `.warp`) would otherwise narrow the headroom too much on macOS. Both changes use `std::hash::DefaultHasher` for deterministic, fixed-length output. The existing `cleanup_old_versions()` logic automatically cleans up old long-form files. Also adds an explicit `sun_path` length guard in the proxy that fails fast with a clear error message instead of silently timing out. **Worst-case path after fix:** `/home/{32-char-user}/.warp-preview/remote-server/{8-char-hash}/server-{8-char-hash}.sock` = **97 bytes**, well under both limits (103 macOS, 107 Linux). Fixes WARP-CLIENT-BETA-STABLE-7M9M ## Linked Issue - [x] The linked issue is labeled `ready-to-spec` or `ready-to-implement`. ## Testing - 10 unit tests: version hash determinism, identity key hash (length, determinism, uniqueness), socket/PID name length bounds, and worst-case path length regression test against the preview channel (longest base dir) - Validated via Docker containers on linux/amd64, linux/arm64, and macOS/aarch64 with the actual 9 Sentry-reported identity keys - Cross-referenced Sentry events to confirm all affected users are anonymous (36-char UUID identity keys) - `cargo fmt` and `cargo clippy` pass - [x] I have manually tested my changes locally with `./script/run` ## Agent Mode - [x] Warp Agent Mode - This PR was created via Warp's AI Agent Mode Co-Authored-By: Warp <agent@warp.dev> <!-- CHANGELOG-BUG-FIX: Fixed remote server connections failing for some users due to the daemon socket path exceeding the OS length limit. -->
2 participants
Description
PR #10782 ("Version aware daemon socket") changed daemon socket filenames from
server.sock(11 chars) toserver-v0.2026.05.13.09.15.stable_01.sock(41 chars), adding ~30 bytes to the Unix domain socket path. This pushes users over thesun_pathlimit (107 bytes on Linux, 103 on macOS), causingUnixListener::bindto fail silently in the daemon. The proxy then times out after 10s, exits with code 1, and the client seesResponseChannelClosed.This accounts for the ~20% drop in remote server initialization success rate (90% → 70%). Sentry issue: WARP-CLIENT-BETA-STABLE-7M9M (11 occurrences across 9 users, all anonymous with 36-char UUID identity keys).
Fix (two changes):
Hash the version string in socket/PID filenames to an 8-hex-char suffix (
server-a1b2c3d4.sock, 20 chars) instead of the full version string (41 chars).Hash the identity key directory name to 8 hex chars instead of using the raw identity key (up to 36 chars for anonymous UUIDs). This is needed because longer channel base dirs like
.warp-preview(+8 chars vs.warp) would otherwise narrow the headroom too much on macOS.Both changes use
std::hash::DefaultHasherfor deterministic, fixed-length output. The existingcleanup_old_versions()logic automatically cleans up old long-form files.Also adds an explicit
sun_pathlength guard in the proxy that fails fast with a clear error message instead of silently timing out.Worst-case path after fix:
/home/{32-char-user}/.warp-preview/remote-server/{8-char-hash}/server-{8-char-hash}.sock= 97 bytes, well under both limits (103 macOS, 107 Linux).Fixes WARP-CLIENT-BETA-STABLE-7M9M
Linked Issue
ready-to-specorready-to-implement.Testing
10 unit tests: version hash determinism, identity key hash (length, determinism, uniqueness), socket/PID name length bounds, and worst-case path length regression test against the preview channel (longest base dir)
Validated via Docker containers on linux/amd64, linux/arm64, and macOS/aarch64 with the actual 9 Sentry-reported identity keys
Cross-referenced Sentry events to confirm all affected users are anonymous (36-char UUID identity keys)
cargo fmtandcargo clippypassI have manually tested my changes locally with
./script/runAgent Mode
Co-Authored-By: Warp agent@warp.dev