From 88c46168c3b284521638e12a52f5aaeea1b5f4b9 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 7 Mar 2023 21:17:15 +0800
Subject: [PATCH] fix: enforce only one instance of an in-pod cronjob running at once
This change enforces that in-pod cronjobs have only one instance of the job running at any one time. Specifically, this change fixes the issue where minutely cronjobs which take longer than a minute to run result in dozens of instances of the job running at the same time. In some cases this can cause Lagoon users to DoS themselves or use excessive CPU or memory resources.
---
 legacy/build-deploy-docker-compose.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
index e0fdf2df..f5a7c567 100755
--- a/legacy/build-deploy-docker-compose.sh
+++ b/legacy/build-deploy-docker-compose.sh
@@ -1484,6 +1484,10 @@ do
 if cronScheduleMoreOftenThan30Minutes "$CRONJOB_SCHEDULE_RAW" ; then
 # If this cronjob is more often than 30 minutes, we run the cronjob inside the pod itself
+ # Lagoon enforces that only a single instance of a cronjob can run at any one time.
+ # https://man7.org/linux/man-pages/man1/flock.1.html
+ # https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Shell-Parameter-Expansion
+ CRONJOB_COMMAND="flock -n '/tmp/cron.lock.$(echo "$CRONJOB_COUNTER $CRONJOB_COMMAND" | sha256sum | awk '{ print $1 }')' -c ${CRONJOB_COMMAND@Q}"
 CRONJOBS_ARRAY_INSIDE_POD+=("${CRONJOB_SCHEDULE} ${CRONJOB_COMMAND}")
 else
 # This cronjob runs less ofen than every 30 minutes, we create a kubernetes native cronjob for it.
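Review bot: The added `CRONJOB_COMMAND=` line puts the lock at a predictable name in `/tmp`, and `flock -n` gives up without output when the lock is already held, so a skipped run leaves no trace. Any process in the pod that can open `/tmp/cron.lock.<sha256>` can hold the lock and keep the job from starting, and an operator could not tell that apart from an idle job; whether `/tmp` is shared with other containers or users is not visible in this hunk. I would document the assumption next to the new comment, e.g. `# The lock lives in /tmp of the service container; a run that finds it held exits non-zero without output.`, and consider a lock directory that only the cron user can write. The line also assumes that `flock` exists in every service image and that the build shell supports `${CRONJOB_COMMAND@Q}` (bash 4.4 or later), neither of which the hunk checks. The enclosing loop starts and ends outside the hunk.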