1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 require 'whitelist_update'
6 require 'arvados/collection'
8 class ContainerRequest < ArvadosModel
9 include ArvadosModelUpdates
12 include CommonApiTemplate
13 include WhitelistUpdate
15 belongs_to :container, foreign_key: :container_uuid, primary_key: :uuid
16 belongs_to :requesting_container, {
17 class_name: 'Container',
18 foreign_key: :requesting_container_uuid,
22 # PostgreSQL JSONB columns should NOT be declared as serialized; Rails 5
23 # already knows how to treat them properly.
24 attribute :properties, :jsonbHash, default: {}
25 attribute :secret_mounts, :jsonbHash, default: {}
27 serialize :environment, Hash
28 serialize :mounts, Hash
29 serialize :runtime_constraints, Hash
30 serialize :command, Array
31 serialize :scheduling_parameters, Hash
# Lifecycle hooks and validations. They are registered in the order
# written here, so do not reorder them casually.
#
# Hooks that run before validation. fill_field_defaults is registered
# with :if => :new_record?; the other three have no condition.
33 before_validation :fill_field_defaults, :if => :new_record?
34 before_validation :validate_runtime_constraints
35 before_validation :set_default_preemptible_scheduling_parameter
36 before_validation :set_container
# Attribute-level validations: four fields must be present, output_ttl
# must be an integer >= 0, and priority must be an integer in 0..1000.
37 validates :command, :container_image, :output_path, :cwd, :presence => true
38 validates :output_ttl, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
39 validates :priority, numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 1000 }
# Custom validation methods.
40 validate :validate_datatypes
41 validate :validate_scheduling_parameters
42 validate :validate_state_change
43 validate :check_update_whitelist
44 validate :secret_mounts_key_conflict
45 validate :validate_runtime_token
# Persistence hooks around save, create and destroy.
46 before_save :scrub_secrets
47 before_create :set_requesting_container_uuid
48 before_destroy :set_priority_zero
49 after_save :update_priority
50 after_save :finalize_if_needed
52 api_accessible :user, extend: :common do |t|
54 t.add :container_count
55 t.add :container_count_max
56 t.add :container_image
72 t.add :requesting_container_uuid
73 t.add :runtime_constraints
74 t.add :scheduling_parameters
79 def self._index_requires_parameters
83 type: 'boolean', required: false, description: "Include container requests whose owner project is trashed."
88 def self._show_requires_parameters
92 type: 'boolean', required: false, description: "Show container request even if its owner project is trashed."
97 # Supported states for a container request
100 (Uncommitted = 'Uncommitted'),
101 (Committed = 'Committed'),
105 State_transitions = {
106 nil => [Uncommitted, Committed],
107 Uncommitted => [Committed],
# Attributes that check_update_whitelist starts from in every case.
AttrsPermittedAlways = %i[owner_uuid state name description properties]

# Extra attributes that check_update_whitelist permits for a new record
# or one whose previous state was Uncommitted.
AttrsPermittedBeforeCommit = %i[
  command container_count_max
  container_image cwd environment filters mounts
  output_path priority runtime_token
  runtime_constraints state container_uuid use_existing
  scheduling_parameters secret_mounts output_name output_ttl
]
118 def self.limit_index_columns_read
# Return the inherited logged attributes with the 'secret_mounts' and
# 'runtime_token' keys removed.
def logged_attributes
  hidden_keys = ['secret_mounts', 'runtime_token']
  super.except(*hidden_keys)
end
126 def state_transitions
130 def skip_uuid_read_permission_check
131 # The uuid_read_permission_check prevents users from making
132 # references to objects they can't view. However, in this case we
133 # don't want to do that check since there's a circular dependency
134 # where user can't view the container until the user has
135 # constructed the container request that references the container.
139 def finalize_if_needed
140 return if state != Committed
142 # get container lock first, then lock current container request
143 # (same order as Container#handle_completed). Locking always
144 # reloads the Container and ContainerRequest records.
145 c = Container.find_by_uuid(container_uuid)
149 if container_uuid != c.uuid
150 # After locking, we've noticed a race, the container_uuid is
151 # different than the container record we just loaded. This
152 # can happen if Container#handle_completed scheduled a new
153 # container for retry and set container_uuid while we were
154 # waiting on the container lock. Restart the loop and get the
159 if state == Committed && c.final?
160 # The current container is
161 act_as_system_user do
162 leave_modified_by_user_alone do
171 # Finalize the container request after the container has
172 # finished/cancelled.
174 update_collections(container: Container.find_by_uuid(container_uuid))
175 update_attributes!(state: Final)
178 def update_collections(container:, collections: ['log', 'output'])
179 collections.each do |out_type|
180 pdh = container.send(out_type)
182 coll_name = "Container #{out_type} for request #{uuid}"
184 if out_type == 'output'
186 coll_name = self.output_name
188 if self.output_ttl > 0
189 trash_at = db_current_time + self.output_ttl
192 manifest = Collection.where(portable_data_hash: pdh).first.manifest_text
194 coll_uuid = self.send(out_type + '_uuid')
195 coll = coll_uuid.nil? ? nil : Collection.where(uuid: coll_uuid).first
197 coll = Collection.new(
198 owner_uuid: self.owner_uuid,
203 'container_request' => uuid,
208 src = Arv::Collection.new(manifest)
209 dst = Arv::Collection.new(coll.manifest_text)
210 dst.cp_r("./", ".", src)
211 dst.cp_r("./", "log for container #{container.uuid}", src)
212 manifest = dst.manifest_text
215 coll.assign_attributes(
216 portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s,
217 manifest_text: manifest,
220 coll.save_with_unique_name!
221 self.send(out_type + '_uuid=', coll.uuid)
# Return the inherited full-text searchable columns, minus the mount
# and token columns listed below.
def self.full_text_searchable_columns
  excluded = ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token"]
  super.reject { |column| excluded.include?(column) }
end
231 def fill_field_defaults
232 self.state ||= Uncommitted
233 self.environment ||= {}
234 self.runtime_constraints ||= {}
236 self.secret_mounts ||= {}
238 self.container_count_max ||= Rails.configuration.Containers.MaxRetryAttempts
239 self.scheduling_parameters ||= {}
240 self.output_ttl ||= 0
245 if (container_uuid_changed? and
246 not current_user.andand.is_admin and
247 not container_uuid.nil?)
248 errors.add :container_uuid, "can only be updated to nil."
251 if state_changed? and state == Committed and container_uuid.nil?
253 c = Container.resolve(self)
255 if c.state == Container::Cancelled
256 # Lost a race, we have a lock on the container but the
257 # container was cancelled in a different request, restart
258 # the loop and resolve request to a new container.
261 self.container_uuid = c.uuid
265 if self.container_uuid != self.container_uuid_was
266 if self.container_count_changed?
267 errors.add :container_count, "cannot be updated directly."
270 self.container_count += 1
271 if self.container_uuid_was
272 old_container = Container.find_by_uuid(self.container_uuid_was)
273 old_logs = Collection.where(portable_data_hash: old_container.log).first
275 log_coll = self.log_uuid.nil? ? nil : Collection.where(uuid: self.log_uuid).first
276 if self.log_uuid.nil?
277 log_coll = Collection.new(
278 owner_uuid: self.owner_uuid,
279 name: coll_name = "Container log for request #{uuid}",
283 # copy logs from old container into CR's log collection
284 src = Arv::Collection.new(old_logs.manifest_text)
285 dst = Arv::Collection.new(log_coll.manifest_text)
286 dst.cp_r("./", "log for container #{old_container.uuid}", src)
287 manifest = dst.manifest_text
289 log_coll.assign_attributes(
290 portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s,
291 manifest_text: manifest)
292 log_coll.save_with_unique_name!
293 self.log_uuid = log_coll.uuid
# Default scheduling_parameters['preemptible'] to true for a Committed
# request when all of the following hold:
#   * Containers.UsePreemptibleInstances is enabled in the configuration,
#   * get_requesting_container returns something other than nil,
#   * the 'preemptible' key is currently nil (unset).
# An explicit true or false already present is left untouched.
def set_default_preemptible_scheduling_parameter
  # Looked up before the state check, regardless of the outcome.
  requester = get_requesting_container()
  return unless state == Committed

  # Where preemptible instances (e.g. AWS Spot Instances) are allowed,
  # requests that have a requesting container use them by default.
  return unless Rails.configuration.Containers.UsePreemptibleInstances
  return if requester.nil?
  return unless scheduling_parameters['preemptible'].nil?

  scheduling_parameters['preemptible'] = true
end
312 def validate_runtime_constraints
317 ['keep_cache_ram', false]].each do |k, required|
318 if !required && !runtime_constraints.include?(k)
321 v = runtime_constraints[k]
322 unless (v.is_a?(Integer) && v > 0)
323 errors.add(:runtime_constraints,
324 "[#{k}]=#{v.inspect} must be a positive integer")
# Check the element types of command, environment, mounts and
# secret_mounts, adding a validation error for each malformed entry.
#
#   * command:     every entry must be a String.
#   * environment: every key and value must be a String.
#   * mounts / secret_mounts: every key must be a String and every value
#     a Hash with a 'kind' field. Within each mount, the string-typed
#     fields, the integer 'capacity' field and the boolean flags are
#     type-checked when present.
def validate_datatypes
  command.each do |c|
    if !c.is_a? String
      errors.add(:command, "must be an array of strings but has entry #{c.class}")
    end
  end
  environment.each do |k, v|
    if !k.is_a?(String) || !v.is_a?(String)
      errors.add(:environment, "must be an map of String to String but has entry #{k.class} to #{v.class}")
    end
  end
  [:mounts, :secret_mounts].each do |m|
    self[m].each do |k, v|
      if !k.is_a?(String) || !v.is_a?(Hash)
        errors.add(m, "must be an map of String to Hash but is has entry #{k.class} to #{v.class}")
        # The per-field checks below index into v, which raises for
        # values such as nil or an Integer. Once a non-Hash value has
        # been reported there is nothing more to inspect.
        next unless v.is_a?(Hash)
      end
      if v["kind"].nil?
        errors.add(m, "each item must have a 'kind' field")
      end
      [[String, ["kind", "portable_data_hash", "uuid", "device_type",
                 "path", "commit", "repository_name", "git_url"]],
       [Integer, ["capacity"]]].each do |t, fields|
        fields.each do |f|
          if !v[f].nil? && !v[f].is_a?(t)
            errors.add(m, "#{k}: #{f} must be a #{t} but is #{v[f].class}")
          end
        end
      end
      ["writable", "exclude_from_output"].each do |f|
        if !v[f].nil? && !v[f].is_a?(TrueClass) && !v[f].is_a?(FalseClass)
          # No type variable is in scope in this loop, so the expected
          # type is named literally in the message.
          errors.add(m, "#{k}: #{f} must be a boolean but is #{v[f].class}")
        end
      end
    end
  end
end
# Validate scheduling_parameters for a Committed request; requests in
# any other state are not checked.
#
#   * 'partitions', when present, must be an Array containing only Strings.
#   * 'preemptible' must not be truthy unless the configuration enables
#     Containers.UsePreemptibleInstances.
#   * 'max_run_time', when present, must be an Integer that is not negative.
def validate_scheduling_parameters
  return unless state == Committed

  params = scheduling_parameters

  if params.include?('partitions')
    partitions = params['partitions']
    all_strings = partitions.is_a?(Array) && partitions.all? { |entry| entry.is_a?(String) }
    unless all_strings
      errors.add :scheduling_parameters, "partitions must be an array of strings"
    end
  end

  preemptible_allowed = Rails.configuration.Containers.UsePreemptibleInstances
  if !preemptible_allowed && params['preemptible']
    errors.add :scheduling_parameters, "preemptible instances are not allowed"
  end

  if params.include?('max_run_time')
    limit = params['max_run_time']
    # NOTE(review): zero is accepted here although the message says
    # "positive" -- confirm which one is intended.
    unless limit.is_a?(Integer) && limit >= 0
      errors.add :scheduling_parameters, "max_run_time must be positive integer"
    end
  end
end
386 def check_update_whitelist
387 permitted = AttrsPermittedAlways.dup
389 if self.new_record? || self.state_was == Uncommitted
390 # Allow create-and-commit in a single operation.
391 permitted.push(*AttrsPermittedBeforeCommit)
396 permitted.push :priority, :container_count_max, :container_uuid
398 if self.container_uuid.nil?
399 self.errors.add :container_uuid, "has not been resolved to a container."
402 if self.priority.nil?
403 self.errors.add :priority, "cannot be nil"
406 # Allow container count to increment by 1
407 if (self.container_uuid &&
408 self.container_uuid != self.container_uuid_was &&
409 self.container_count == 1 + (self.container_count_was || 0))
410 permitted.push :container_count
413 if current_user.andand.is_admin
414 permitted.push :log_uuid
418 if self.state_was == Committed
419 # "Cancel" means setting priority=0, state=Committed
420 permitted.push :priority
422 if current_user.andand.is_admin
423 permitted.push :output_uuid, :log_uuid
432 def secret_mounts_key_conflict
433 secret_mounts.each do |k, v|
434 if mounts.has_key?(k)
435 errors.add(:secret_mounts, 'conflict with non-secret mounts')
# Validate a newly assigned runtime_token.
#
# Nothing is checked when runtime_token is nil or has not changed.
# Otherwise the token must start with "v2/" and must be accepted by
# ApiClientAuthorization.validate; each failure adds an error on
# :runtime_token.
def validate_runtime_token
  return if runtime_token.nil? || !runtime_token_changed?

  # Compare the prefix itself. Writing `!runtime_token[0..2] == "v2/"`
  # negates the prefix first and then compares false with "v2/", which
  # is never true, so the format check would never fire.
  if runtime_token[0..2] != "v2/"
    errors.add :runtime_token, "not a v2 token"
    # A token in the wrong format is not passed on for validation.
    return
  end

  if ApiClientAuthorization.validate(token: runtime_token).nil?
    errors.add :runtime_token, "failed validation"
  end
end
454 if self.state == Final
455 self.secret_mounts = {}
456 self.runtime_token = nil
461 return unless state_changed? || priority_changed? || container_uuid_changed?
462 act_as_system_user do
464 where('uuid in (?)', [self.container_uuid_was, self.container_uuid].compact).
465 map(&:update_priority!)
# Set priority to 0 via update_attributes! unless the request is
# already in the Final state. Registered as a before_destroy hook.
def set_priority_zero
  return if state == Final

  update_attributes!(priority: 0)
end
473 def set_requesting_container_uuid
474 c = get_requesting_container()
476 self.requesting_container_uuid = c.uuid
477 # Determine the priority of container request for the requesting
479 self.priority = ContainerRequest.where(container_uuid: self.requesting_container_uuid).maximum("priority") || 0
# Return requesting_container_uuid when it is already set; otherwise
# return the result of Container.for_current_token.
#
# NOTE(review): the first branch yields a UUID value while the second
# presumably yields a Container record. Callers that call methods such
# as #uuid on the result should confirm both shapes are handled.
def get_requesting_container
  if requesting_container_uuid.nil?
    Container.for_current_token
  else
    requesting_container_uuid
  end
end