Merge branch '12822-keepproxy-token-scope'
[arvados.git] / services / api / test / unit / container_test.rb
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 require 'test_helper'
6
7 class ContainerTest < ActiveSupport::TestCase
8   include DbCurrentTime
9
10   DEFAULT_ATTRS = {
11     command: ['echo', 'foo'],
12     container_image: 'fa3c1a9cb6783f85f2ecda037e07b8c3+167',
13     output_path: '/tmp',
14     priority: 1,
15     runtime_constraints: {"vcpus" => 1, "ram" => 1},
16   }
17
18   REUSABLE_COMMON_ATTRS = {
19     container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
20     cwd: "test",
21     command: ["echo", "hello"],
22     output_path: "test",
23     runtime_constraints: {
24       "ram" => 12000000000,
25       "vcpus" => 4,
26     },
27     mounts: {
28       "test" => {"kind" => "json"},
29     },
30     environment: {
31       "var" => "val",
32     },
33   }
34
35   def minimal_new attrs={}
36     cr = ContainerRequest.new DEFAULT_ATTRS.merge(attrs)
37     cr.state = ContainerRequest::Committed
38     act_as_user users(:active) do
39       cr.save!
40     end
41     c = Container.find_by_uuid cr.container_uuid
42     assert_not_nil c
43     return c, cr
44   end
45
46   def check_illegal_updates c, bad_updates
47     bad_updates.each do |u|
48       refute c.update_attributes(u), u.inspect
49       refute c.valid?, u.inspect
50       c.reload
51     end
52   end
53
54   def check_illegal_modify c
55     check_illegal_updates c, [{command: ["echo", "bar"]},
56                               {container_image: "arvados/apitestfixture:june10"},
57                               {cwd: "/tmp2"},
58                               {environment: {"FOO" => "BAR"}},
59                               {mounts: {"FOO" => "BAR"}},
60                               {output_path: "/tmp3"},
61                               {locked_by_uuid: "zzzzz-gj3su-027z32aux8dg2s1"},
62                               {auth_uuid: "zzzzz-gj3su-017z32aux8dg2s1"},
63                               {runtime_constraints: {"FOO" => "BAR"}}]
64   end
65
66   def check_bogus_states c
67     check_illegal_updates c, [{state: nil},
68                               {state: "Flubber"}]
69   end
70
71   def check_no_change_from_cancelled c
72     check_illegal_modify c
73     check_bogus_states c
74     check_illegal_updates c, [{ priority: 3 },
75                               { state: Container::Queued },
76                               { state: Container::Locked },
77                               { state: Container::Running },
78                               { state: Container::Complete }]
79   end
80
81   test "Container create" do
82     act_as_system_user do
83       c, _ = minimal_new(environment: {},
84                       mounts: {"BAR" => "FOO"},
85                       output_path: "/tmp",
86                       priority: 1,
87                       runtime_constraints: {"vcpus" => 1, "ram" => 1})
88
89       check_illegal_modify c
90       check_bogus_states c
91
92       c.reload
93       c.priority = 2
94       c.save!
95     end
96   end
97
98   test "Container valid priority" do
99     act_as_system_user do
100       c, _ = minimal_new(environment: {},
101                       mounts: {"BAR" => "FOO"},
102                       output_path: "/tmp",
103                       priority: 1,
104                       runtime_constraints: {"vcpus" => 1, "ram" => 1})
105
106       assert_raises(ActiveRecord::RecordInvalid) do
107         c.priority = -1
108         c.save!
109       end
110
111       c.priority = 0
112       c.save!
113
114       c.priority = 1
115       c.save!
116
117       c.priority = 500
118       c.save!
119
120       c.priority = 999
121       c.save!
122
123       c.priority = 1000
124       c.save!
125
126       assert_raises(ActiveRecord::RecordInvalid) do
127         c.priority = 1001
128         c.save!
129       end
130     end
131   end
132
133
134   test "Container serialized hash attributes sorted before save" do
135     env = {"C" => 3, "B" => 2, "A" => 1}
136     m = {"F" => {"kind" => 3}, "E" => {"kind" => 2}, "D" => {"kind" => 1}}
137     rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
138     c, _ = minimal_new(environment: env, mounts: m, runtime_constraints: rc)
139     assert_equal c.environment.to_json, Container.deep_sort_hash(env).to_json
140     assert_equal c.mounts.to_json, Container.deep_sort_hash(m).to_json
141     assert_equal c.runtime_constraints.to_json, Container.deep_sort_hash(rc).to_json
142   end
143
144   test 'deep_sort_hash on array of hashes' do
145     a = {'z' => [[{'a' => 'a', 'b' => 'b'}]]}
146     b = {'z' => [[{'b' => 'b', 'a' => 'a'}]]}
147     assert_equal Container.deep_sort_hash(a).to_json, Container.deep_sort_hash(b).to_json
148   end
149
150   test "find_reusable method should select higher priority queued container" do
151     set_user_from_auth :active
152     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
153     c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
154     c_high_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:2}))
155     assert_not_equal c_low_priority.uuid, c_high_priority.uuid
156     assert_equal Container::Queued, c_low_priority.state
157     assert_equal Container::Queued, c_high_priority.state
158     reused = Container.find_reusable(common_attrs)
159     assert_not_nil reused
160     assert_equal reused.uuid, c_high_priority.uuid
161   end
162
163   test "find_reusable method should select latest completed container" do
164     set_user_from_auth :active
165     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "complete"}})
166     completed_attrs = {
167       state: Container::Complete,
168       exit_code: 0,
169       log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
170       output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'
171     }
172
173     c_older, _ = minimal_new(common_attrs.merge({use_existing: false}))
174     c_recent, _ = minimal_new(common_attrs.merge({use_existing: false}))
175     assert_not_equal c_older.uuid, c_recent.uuid
176
177     set_user_from_auth :dispatch1
178     c_older.update_attributes!({state: Container::Locked})
179     c_older.update_attributes!({state: Container::Running})
180     c_older.update_attributes!(completed_attrs)
181
182     c_recent.update_attributes!({state: Container::Locked})
183     c_recent.update_attributes!({state: Container::Running})
184     c_recent.update_attributes!(completed_attrs)
185
186     reused = Container.find_reusable(common_attrs)
187     assert_not_nil reused
188     assert_equal reused.uuid, c_older.uuid
189   end
190
191   test "find_reusable method should select oldest completed container when inconsistent outputs exist" do
192     set_user_from_auth :active
193     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "complete"}, priority: 1})
194     completed_attrs = {
195       state: Container::Complete,
196       exit_code: 0,
197       log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
198     }
199
200     cr = ContainerRequest.new common_attrs
201     cr.use_existing = false
202     cr.state = ContainerRequest::Committed
203     cr.save!
204     c_output1 = Container.where(uuid: cr.container_uuid).first
205
206     cr = ContainerRequest.new common_attrs
207     cr.use_existing = false
208     cr.state = ContainerRequest::Committed
209     cr.save!
210     c_output2 = Container.where(uuid: cr.container_uuid).first
211
212     assert_not_equal c_output1.uuid, c_output2.uuid
213
214     set_user_from_auth :dispatch1
215
216     out1 = '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'
217     log1 = collections(:real_log_collection).portable_data_hash
218     c_output1.update_attributes!({state: Container::Locked})
219     c_output1.update_attributes!({state: Container::Running})
220     c_output1.update_attributes!(completed_attrs.merge({log: log1, output: out1}))
221
222     out2 = 'fa7aeb5140e2848d39b416daeef4ffc5+45'
223     c_output2.update_attributes!({state: Container::Locked})
224     c_output2.update_attributes!({state: Container::Running})
225     c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
226
227     reused = Container.resolve(ContainerRequest.new(common_attrs))
228     assert_equal c_output1.uuid, reused.uuid
229   end
230
231   test "find_reusable method should select running container by start date" do
232     set_user_from_auth :active
233     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running"}})
234     c_slower, _ = minimal_new(common_attrs.merge({use_existing: false}))
235     c_faster_started_first, _ = minimal_new(common_attrs.merge({use_existing: false}))
236     c_faster_started_second, _ = minimal_new(common_attrs.merge({use_existing: false}))
237     # Confirm the 3 container UUIDs are different.
238     assert_equal 3, [c_slower.uuid, c_faster_started_first.uuid, c_faster_started_second.uuid].uniq.length
239     set_user_from_auth :dispatch1
240     c_slower.update_attributes!({state: Container::Locked})
241     c_slower.update_attributes!({state: Container::Running,
242                                  progress: 0.1})
243     c_faster_started_first.update_attributes!({state: Container::Locked})
244     c_faster_started_first.update_attributes!({state: Container::Running,
245                                                progress: 0.15})
246     c_faster_started_second.update_attributes!({state: Container::Locked})
247     c_faster_started_second.update_attributes!({state: Container::Running,
248                                                 progress: 0.15})
249     reused = Container.find_reusable(common_attrs)
250     assert_not_nil reused
251     # Selected container is the one that started first
252     assert_equal reused.uuid, c_faster_started_first.uuid
253   end
254
255   test "find_reusable method should select running container by progress" do
256     set_user_from_auth :active
257     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running2"}})
258     c_slower, _ = minimal_new(common_attrs.merge({use_existing: false}))
259     c_faster_started_first, _ = minimal_new(common_attrs.merge({use_existing: false}))
260     c_faster_started_second, _ = minimal_new(common_attrs.merge({use_existing: false}))
261     # Confirm the 3 container UUIDs are different.
262     assert_equal 3, [c_slower.uuid, c_faster_started_first.uuid, c_faster_started_second.uuid].uniq.length
263     set_user_from_auth :dispatch1
264     c_slower.update_attributes!({state: Container::Locked})
265     c_slower.update_attributes!({state: Container::Running,
266                                  progress: 0.1})
267     c_faster_started_first.update_attributes!({state: Container::Locked})
268     c_faster_started_first.update_attributes!({state: Container::Running,
269                                                progress: 0.15})
270     c_faster_started_second.update_attributes!({state: Container::Locked})
271     c_faster_started_second.update_attributes!({state: Container::Running,
272                                                 progress: 0.2})
273     reused = Container.find_reusable(common_attrs)
274     assert_not_nil reused
275     # Selected container is the one with most progress done
276     assert_equal reused.uuid, c_faster_started_second.uuid
277   end
278
279   test "find_reusable method should select locked container most likely to start sooner" do
280     set_user_from_auth :active
281     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "locked"}})
282     c_low_priority, _ = minimal_new(common_attrs.merge({use_existing: false}))
283     c_high_priority_older, _ = minimal_new(common_attrs.merge({use_existing: false}))
284     c_high_priority_newer, _ = minimal_new(common_attrs.merge({use_existing: false}))
285     # Confirm the 3 container UUIDs are different.
286     assert_equal 3, [c_low_priority.uuid, c_high_priority_older.uuid, c_high_priority_newer.uuid].uniq.length
287     set_user_from_auth :dispatch1
288     c_low_priority.update_attributes!({state: Container::Locked,
289                                        priority: 1})
290     c_high_priority_older.update_attributes!({state: Container::Locked,
291                                               priority: 2})
292     c_high_priority_newer.update_attributes!({state: Container::Locked,
293                                               priority: 2})
294     reused = Container.find_reusable(common_attrs)
295     assert_not_nil reused
296     assert_equal reused.uuid, c_high_priority_older.uuid
297   end
298
299   test "find_reusable method should select running over failed container" do
300     set_user_from_auth :active
301     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "failed_vs_running"}})
302     c_failed, _ = minimal_new(common_attrs.merge({use_existing: false}))
303     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
304     assert_not_equal c_failed.uuid, c_running.uuid
305     set_user_from_auth :dispatch1
306     c_failed.update_attributes!({state: Container::Locked})
307     c_failed.update_attributes!({state: Container::Running})
308     c_failed.update_attributes!({state: Container::Complete,
309                                  exit_code: 42,
310                                  log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
311                                  output: 'ea10d51bcf88862dbcc36eb292017dfd+45'})
312     c_running.update_attributes!({state: Container::Locked})
313     c_running.update_attributes!({state: Container::Running,
314                                   progress: 0.15})
315     reused = Container.find_reusable(common_attrs)
316     assert_not_nil reused
317     assert_equal reused.uuid, c_running.uuid
318   end
319
320   test "find_reusable method should select complete over running container" do
321     set_user_from_auth :active
322     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "completed_vs_running"}})
323     c_completed, _ = minimal_new(common_attrs.merge({use_existing: false}))
324     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
325     assert_not_equal c_completed.uuid, c_running.uuid
326     set_user_from_auth :dispatch1
327     c_completed.update_attributes!({state: Container::Locked})
328     c_completed.update_attributes!({state: Container::Running})
329     c_completed.update_attributes!({state: Container::Complete,
330                                     exit_code: 0,
331                                     log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
332                                     output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'})
333     c_running.update_attributes!({state: Container::Locked})
334     c_running.update_attributes!({state: Container::Running,
335                                   progress: 0.15})
336     reused = Container.find_reusable(common_attrs)
337     assert_not_nil reused
338     assert_equal c_completed.uuid, reused.uuid
339   end
340
341   test "find_reusable method should select running over locked container" do
342     set_user_from_auth :active
343     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running_vs_locked"}})
344     c_locked, _ = minimal_new(common_attrs.merge({use_existing: false}))
345     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
346     assert_not_equal c_running.uuid, c_locked.uuid
347     set_user_from_auth :dispatch1
348     c_locked.update_attributes!({state: Container::Locked})
349     c_running.update_attributes!({state: Container::Locked})
350     c_running.update_attributes!({state: Container::Running,
351                                   progress: 0.15})
352     reused = Container.find_reusable(common_attrs)
353     assert_not_nil reused
354     assert_equal reused.uuid, c_running.uuid
355   end
356
357   test "find_reusable method should select locked over queued container" do
358     set_user_from_auth :active
359     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running_vs_locked"}})
360     c_locked, _ = minimal_new(common_attrs.merge({use_existing: false}))
361     c_queued, _ = minimal_new(common_attrs.merge({use_existing: false}))
362     assert_not_equal c_queued.uuid, c_locked.uuid
363     set_user_from_auth :dispatch1
364     c_locked.update_attributes!({state: Container::Locked})
365     reused = Container.find_reusable(common_attrs)
366     assert_not_nil reused
367     assert_equal reused.uuid, c_locked.uuid
368   end
369
370   test "find_reusable method should not select failed container" do
371     set_user_from_auth :active
372     attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "failed"}})
373     c, _ = minimal_new(attrs)
374     set_user_from_auth :dispatch1
375     c.update_attributes!({state: Container::Locked})
376     c.update_attributes!({state: Container::Running})
377     c.update_attributes!({state: Container::Complete,
378                           exit_code: 33})
379     reused = Container.find_reusable(attrs)
380     assert_nil reused
381   end
382
383   test "find_reusable with logging disabled" do
384     set_user_from_auth :active
385     Rails.logger.expects(:info).never
386     Container.find_reusable(REUSABLE_COMMON_ATTRS)
387   end
388
389   test "find_reusable with logging enabled" do
390     set_user_from_auth :active
391     Rails.configuration.log_reuse_decisions = true
392     Rails.logger.expects(:info).at_least(3)
393     Container.find_reusable(REUSABLE_COMMON_ATTRS)
394   end
395
396   test "Container running" do
397     c, _ = minimal_new priority: 1
398
399     set_user_from_auth :dispatch1
400     check_illegal_updates c, [{state: Container::Running},
401                               {state: Container::Complete}]
402
403     c.lock
404     c.update_attributes! state: Container::Running
405
406     check_illegal_modify c
407     check_bogus_states c
408
409     check_illegal_updates c, [{state: Container::Queued}]
410     c.reload
411
412     c.update_attributes! priority: 3
413   end
414
415   test "Lock and unlock" do
416     c, cr = minimal_new priority: 0
417
418     set_user_from_auth :dispatch1
419     assert_equal Container::Queued, c.state
420
421     assert_raise(ArvadosModel::LockFailedError) do
422       # "no priority"
423       c.lock
424     end
425     c.reload
426     assert cr.update_attributes priority: 1
427
428     refute c.update_attributes(state: Container::Running), "not locked"
429     c.reload
430     refute c.update_attributes(state: Container::Complete), "not locked"
431     c.reload
432
433     assert c.lock, show_errors(c)
434     assert c.locked_by_uuid
435     assert c.auth_uuid
436
437     assert_raise(ArvadosModel::LockFailedError) {c.lock}
438     c.reload
439
440     assert c.unlock, show_errors(c)
441     refute c.locked_by_uuid
442     refute c.auth_uuid
443
444     refute c.update_attributes(state: Container::Running), "not locked"
445     c.reload
446     refute c.locked_by_uuid
447     refute c.auth_uuid
448
449     assert c.lock, show_errors(c)
450     assert c.update_attributes(state: Container::Running), show_errors(c)
451     assert c.locked_by_uuid
452     assert c.auth_uuid
453
454     auth_uuid_was = c.auth_uuid
455
456     assert_raise(ArvadosModel::LockFailedError) do
457       # Running to Locked is not allowed
458       c.lock
459     end
460     c.reload
461     assert_raise(ArvadosModel::InvalidStateTransitionError) do
462       # Running to Queued is not allowed
463       c.unlock
464     end
465     c.reload
466
467     assert c.update_attributes(state: Container::Complete), show_errors(c)
468     refute c.locked_by_uuid
469     refute c.auth_uuid
470
471     auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
472     assert_operator auth_exp, :<, db_current_time
473   end
474
475   test "Container queued cancel" do
476     c, _ = minimal_new
477     set_user_from_auth :dispatch1
478     assert c.update_attributes(state: Container::Cancelled), show_errors(c)
479     check_no_change_from_cancelled c
480   end
481
482   test "Container queued count" do
483     assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
484   end
485
486   test "Container locked cancel" do
487     c, _ = minimal_new
488     set_user_from_auth :dispatch1
489     assert c.lock, show_errors(c)
490     assert c.update_attributes(state: Container::Cancelled), show_errors(c)
491     check_no_change_from_cancelled c
492   end
493
494   test "Container locked cancel with log" do
495     c, _ = minimal_new
496     set_user_from_auth :dispatch1
497     assert c.lock, show_errors(c)
498     assert c.update_attributes(
499              state: Container::Cancelled,
500              log: collections(:real_log_collection).portable_data_hash,
501            ), show_errors(c)
502     check_no_change_from_cancelled c
503   end
504
505   test "Container running cancel" do
506     c, _ = minimal_new
507     set_user_from_auth :dispatch1
508     c.lock
509     c.update_attributes! state: Container::Running
510     c.update_attributes! state: Container::Cancelled
511     check_no_change_from_cancelled c
512   end
513
514   test "Container create forbidden for non-admin" do
515     set_user_from_auth :active_trustedclient
516     c = Container.new DEFAULT_ATTRS
517     c.environment = {}
518     c.mounts = {"BAR" => "FOO"}
519     c.output_path = "/tmp"
520     c.priority = 1
521     c.runtime_constraints = {}
522     assert_raises(ArvadosModel::PermissionDeniedError) do
523       c.save!
524     end
525   end
526
527   test "Container only set exit code on complete" do
528     c, _ = minimal_new
529     set_user_from_auth :dispatch1
530     c.lock
531     c.update_attributes! state: Container::Running
532
533     check_illegal_updates c, [{exit_code: 1},
534                               {exit_code: 1, state: Container::Cancelled}]
535
536     assert c.update_attributes(exit_code: 1, state: Container::Complete)
537   end
538
539   test "locked_by_uuid can set output on running container" do
540     c, _ = minimal_new
541     set_user_from_auth :dispatch1
542     c.lock
543     c.update_attributes! state: Container::Running
544
545     assert_equal c.locked_by_uuid, Thread.current[:api_client_authorization].uuid
546
547     assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
548     assert c.update_attributes! state: Container::Complete
549   end
550
551   test "auth_uuid can set output on running container, but not change container state" do
552     c, _ = minimal_new
553     set_user_from_auth :dispatch1
554     c.lock
555     c.update_attributes! state: Container::Running
556
557     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
558     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
559     assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
560
561     assert_raises ArvadosModel::PermissionDeniedError do
562       # auth_uuid cannot set container state
563       c.update_attributes state: Container::Complete
564     end
565   end
566
567   test "not allowed to set output that is not readable by current user" do
568     c, _ = minimal_new
569     set_user_from_auth :dispatch1
570     c.lock
571     c.update_attributes! state: Container::Running
572
573     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
574     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
575
576     assert_raises ActiveRecord::RecordInvalid do
577       c.update_attributes! output: collections(:collection_not_readable_by_active).portable_data_hash
578     end
579   end
580
581   test "other token cannot set output on running container" do
582     c, _ = minimal_new
583     set_user_from_auth :dispatch1
584     c.lock
585     c.update_attributes! state: Container::Running
586
587     set_user_from_auth :not_running_container_auth
588     assert_raises ArvadosModel::PermissionDeniedError do
589       c.update_attributes! output: collections(:foo_file).portable_data_hash
590     end
591   end
592
593   test "can set trashed output on running container" do
594     c, _ = minimal_new
595     set_user_from_auth :dispatch1
596     c.lock
597     c.update_attributes! state: Container::Running
598
599     output = Collection.find_by_uuid('zzzzz-4zz18-mto52zx1s7sn3jk')
600
601     assert output.is_trashed
602     assert c.update_attributes output: output.portable_data_hash
603     assert c.update_attributes! state: Container::Complete
604   end
605
606   test "not allowed to set trashed output that is not readable by current user" do
607     c, _ = minimal_new
608     set_user_from_auth :dispatch1
609     c.lock
610     c.update_attributes! state: Container::Running
611
612     output = Collection.find_by_uuid('zzzzz-4zz18-mto52zx1s7sn3jr')
613
614     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
615     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
616
617     assert_raises ActiveRecord::RecordInvalid do
618       c.update_attributes! output: output.portable_data_hash
619     end
620   end
621
622 end