1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 require 'whitelist_update'
7 class ContainerRequest < ArvadosModel
8 include ArvadosModelUpdates
11 include CommonApiTemplate
12 include WhitelistUpdate
14 belongs_to :container, foreign_key: :container_uuid, primary_key: :uuid
15 belongs_to :requesting_container, {
16 class_name: 'Container',
17 foreign_key: :requesting_container_uuid,
21 serialize :properties, Hash
22 serialize :environment, Hash
23 serialize :mounts, Hash
24 serialize :runtime_constraints, Hash
25 serialize :command, Array
26 serialize :scheduling_parameters, Hash
27 serialize :secret_mounts, Hash
29 before_validation :fill_field_defaults, :if => :new_record?
30 before_validation :validate_runtime_constraints
31 before_validation :set_default_preemptible_scheduling_parameter
32 before_validation :set_container
33 validates :command, :container_image, :output_path, :cwd, :presence => true
34 validates :output_ttl, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
35 validates :priority, numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 1000 }
36 validate :validate_datatypes
37 validate :validate_scheduling_parameters
38 validate :validate_state_change
39 validate :check_update_whitelist
40 validate :secret_mounts_key_conflict
41 validate :validate_runtime_token
42 before_save :scrub_secrets
43 before_create :set_requesting_container_uuid
44 before_destroy :set_priority_zero
45 after_save :update_priority
46 after_save :finalize_if_needed
48 api_accessible :user, extend: :common do |t|
50 t.add :container_count
51 t.add :container_count_max
52 t.add :container_image
68 t.add :requesting_container_uuid
69 t.add :runtime_constraints
70 t.add :scheduling_parameters
75 # Supported states for a container request
78 (Uncommitted = 'Uncommitted'),
79 (Committed = 'Committed'),
84 nil => [Uncommitted, Committed],
85 Uncommitted => [Committed],
89 AttrsPermittedAlways = [:owner_uuid, :state, :name, :description, :properties]
90 AttrsPermittedBeforeCommit = [:command, :container_count_max,
91 :container_image, :cwd, :environment, :filters, :mounts,
92 :output_path, :priority, :runtime_token,
93 :runtime_constraints, :state, :container_uuid, :use_existing,
94 :scheduling_parameters, :secret_mounts, :output_name, :output_ttl]
96 def self.limit_index_columns_read
100 def logged_attributes
101 super.except('secret_mounts', 'runtime_token')
104 def state_transitions
108 def skip_uuid_read_permission_check
109 # The uuid_read_permission_check prevents users from making
110 # references to objects they can't view. However, in this case we
111 # don't want to do that check since there's a circular dependency
112 # where user can't view the container until the user has
113 # constructed the container request that references the container.
117 def finalize_if_needed
118 if state == Committed && Container.find_by_uuid(container_uuid).final?
120 act_as_system_user do
121 leave_modified_by_user_alone do
128 # Finalize the container request after the container has
129 # finished/cancelled.
131 update_collections(container: Container.find_by_uuid(container_uuid))
132 update_attributes!(state: Final)
135 def update_collections(container:, collections: ['log', 'output'])
136 collections.each do |out_type|
137 pdh = container.send(out_type)
139 coll_name = "Container #{out_type} for request #{uuid}"
141 if out_type == 'output'
143 coll_name = self.output_name
145 if self.output_ttl > 0
146 trash_at = db_current_time + self.output_ttl
149 manifest = Collection.where(portable_data_hash: pdh).first.manifest_text
151 coll_uuid = self.send(out_type + '_uuid')
152 coll = coll_uuid.nil? ? nil : Collection.where(uuid: coll_uuid).first
154 coll = Collection.new(
155 owner_uuid: self.owner_uuid,
159 'container_request' => uuid,
162 coll.assign_attributes(
163 portable_data_hash: pdh,
164 manifest_text: manifest,
167 coll.save_with_unique_name!
168 self.send(out_type + '_uuid=', coll.uuid)
172 def self.full_text_searchable_columns
173 super - ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token"]
178 def fill_field_defaults
179 self.state ||= Uncommitted
180 self.environment ||= {}
181 self.runtime_constraints ||= {}
184 self.container_count_max ||= Rails.configuration.container_count_max
185 self.scheduling_parameters ||= {}
186 self.output_ttl ||= 0
191 if (container_uuid_changed? and
192 not current_user.andand.is_admin and
193 not container_uuid.nil?)
194 errors.add :container_uuid, "can only be updated to nil."
197 if state_changed? and state == Committed and container_uuid.nil?
198 self.container_uuid = Container.resolve(self).uuid
200 if self.container_uuid != self.container_uuid_was
201 if self.container_count_changed?
202 errors.add :container_count, "cannot be updated directly."
205 self.container_count += 1
210 def set_default_preemptible_scheduling_parameter
211 c = get_requesting_container()
212 if self.state == Committed
213 # If preemptible instances (eg: AWS Spot Instances) are allowed,
214 # ask them on child containers by default.
215 if Rails.configuration.preemptible_instances and !c.nil? and
216 self.scheduling_parameters['preemptible'].nil?
217 self.scheduling_parameters['preemptible'] = true
222 def validate_runtime_constraints
227 ['keep_cache_ram', false]].each do |k, required|
228 if !required && !runtime_constraints.include?(k)
231 v = runtime_constraints[k]
232 unless (v.is_a?(Integer) && v > 0)
233 errors.add(:runtime_constraints,
234 "[#{k}]=#{v.inspect} must be a positive integer")
240 def validate_datatypes
243 errors.add(:command, "must be an array of strings but has entry #{c.class}")
246 environment.each do |k,v|
247 if !k.is_a?(String) || !v.is_a?(String)
248 errors.add(:environment, "must be an map of String to String but has entry #{k.class} to #{v.class}")
251 [:mounts, :secret_mounts].each do |m|
252 self[m].each do |k, v|
253 if !k.is_a?(String) || !v.is_a?(Hash)
254 errors.add(m, "must be an map of String to Hash but is has entry #{k.class} to #{v.class}")
257 errors.add(m, "each item must have a 'kind' field")
259 [[String, ["kind", "portable_data_hash", "uuid", "device_type",
260 "path", "commit", "repository_name", "git_url"]],
261 [Integer, ["capacity"]]].each do |t, fields|
263 if !v[f].nil? && !v[f].is_a?(t)
264 errors.add(m, "#{k}: #{f} must be a #{t} but is #{v[f].class}")
268 ["writable", "exclude_from_output"].each do |f|
269 if !v[f].nil? && !v[f].is_a?(TrueClass) && !v[f].is_a?(FalseClass)
270 errors.add(m, "#{k}: #{f} must be a #{t} but is #{v[f].class}")
277 def validate_scheduling_parameters
278 if self.state == Committed
279 if scheduling_parameters.include? 'partitions' and
280 (!scheduling_parameters['partitions'].is_a?(Array) ||
281 scheduling_parameters['partitions'].reject{|x| !x.is_a?(String)}.size !=
282 scheduling_parameters['partitions'].size)
283 errors.add :scheduling_parameters, "partitions must be an array of strings"
285 if !Rails.configuration.preemptible_instances and scheduling_parameters['preemptible']
286 errors.add :scheduling_parameters, "preemptible instances are not allowed"
288 if scheduling_parameters.include? 'max_run_time' and
289 (!scheduling_parameters['max_run_time'].is_a?(Integer) ||
290 scheduling_parameters['max_run_time'] < 0)
291 errors.add :scheduling_parameters, "max_run_time must be positive integer"
296 def check_update_whitelist
297 permitted = AttrsPermittedAlways.dup
299 if self.new_record? || self.state_was == Uncommitted
300 # Allow create-and-commit in a single operation.
301 permitted.push(*AttrsPermittedBeforeCommit)
306 permitted.push :priority, :container_count_max, :container_uuid
308 if self.container_uuid.nil?
309 self.errors.add :container_uuid, "has not been resolved to a container."
312 if self.priority.nil?
313 self.errors.add :priority, "cannot be nil"
316 # Allow container count to increment by 1
317 if (self.container_uuid &&
318 self.container_uuid != self.container_uuid_was &&
319 self.container_count == 1 + (self.container_count_was || 0))
320 permitted.push :container_count
323 if current_user.andand.is_admin
324 permitted.push :log_uuid
328 if self.state_was == Committed
329 # "Cancel" means setting priority=0, state=Committed
330 permitted.push :priority
332 if current_user.andand.is_admin
333 permitted.push :output_uuid, :log_uuid
342 def secret_mounts_key_conflict
343 secret_mounts.each do |k, v|
344 if mounts.has_key?(k)
345 errors.add(:secret_mounts, 'conflict with non-secret mounts')
351 def validate_runtime_token
352 if !self.runtime_token.nil? && self.runtime_token_changed?
353 if !runtime_token[0..2] == "v2/"
354 errors.add :runtime_token, "not a v2 token"
357 if ApiClientAuthorization.validate(token: runtime_token).nil?
358 errors.add :runtime_token, "failed validation"
364 if self.state == Final
365 self.secret_mounts = {}
366 self.runtime_token = nil
371 return unless state_changed? || priority_changed? || container_uuid_changed?
372 act_as_system_user do
374 where('uuid in (?)', [self.container_uuid_was, self.container_uuid].compact).
375 map(&:update_priority!)
379 def set_priority_zero
380 self.update_attributes!(priority: 0) if self.state != Final
383 def set_requesting_container_uuid
384 c = get_requesting_container()
386 self.requesting_container_uuid = c.uuid
387 # Determine the priority of container request for the requesting
389 self.priority = ContainerRequest.where(container_uuid: self.requesting_container_uuid).maximum("priority") || 0
393 def get_requesting_container
394 return self.requesting_container_uuid if !self.requesting_container_uuid.nil?
395 Container.for_current_token