+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
require 'whitelist_update'
class ContainerRequest < ArvadosModel
+ include ArvadosModelUpdates
include HasUuid
include KindAndEtag
include CommonApiTemplate
include WhitelistUpdate
+ belongs_to :container, foreign_key: :container_uuid, primary_key: :uuid
+ belongs_to :requesting_container, {
+ class_name: 'Container',
+ foreign_key: :requesting_container_uuid,
+ primary_key: :uuid,
+ }
+
serialize :properties, Hash
serialize :environment, Hash
serialize :mounts, Hash
serialize :runtime_constraints, Hash
serialize :command, Array
serialize :scheduling_parameters, Hash
+ serialize :secret_mounts, Hash
before_validation :fill_field_defaults, :if => :new_record?
before_validation :validate_runtime_constraints
before_validation :validate_scheduling_parameters
before_validation :set_container
validates :command, :container_image, :output_path, :cwd, :presence => true
+ validates :output_ttl, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+ validates :priority, numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 1000 }
validate :validate_state_change
- validate :validate_change
+ validate :check_update_whitelist
+ validate :secret_mounts_key_conflict
+ before_save :scrub_secret_mounts
+ before_create :set_requesting_container_uuid
+ before_destroy :set_priority_zero
after_save :update_priority
after_save :finalize_if_needed
- before_create :set_requesting_container_uuid
api_accessible :user, extend: :common do |t|
t.add :command
t.add :output_name
t.add :output_path
t.add :output_uuid
+ t.add :output_ttl
t.add :priority
t.add :properties
t.add :requesting_container_uuid
Committed => [Final]
}
+ AttrsPermittedAlways = [:owner_uuid, :state, :name, :description]
+ AttrsPermittedBeforeCommit = [:command, :container_count_max,
+ :container_image, :cwd, :environment, :filters, :mounts,
+ :output_path, :priority, :properties,
+ :runtime_constraints, :state, :container_uuid, :use_existing,
+ :scheduling_parameters, :secret_mounts, :output_name, :output_ttl]
+
+ def self.limit_index_columns_read
+ ["mounts"]
+ end
+
+ def logged_attributes
+ super.except('secret_mounts')
+ end
+
def state_transitions
State_transitions
end
if state == Committed && Container.find_by_uuid(container_uuid).final?
reload
act_as_system_user do
- finalize!
+ leave_modified_by_user_alone do
+ finalize!
+ end
end
end
end
['output', 'log'].each do |out_type|
pdh = c.send(out_type)
next if pdh.nil?
- if self.output_name and out_type == 'output'
- coll_name = self.output_name
- else
- coll_name = "Container #{out_type} for request #{uuid}"
- end
- manifest = Collection.unscoped do
- Collection.where(portable_data_hash: pdh).first.manifest_text
+ coll_name = "Container #{out_type} for request #{uuid}"
+ trash_at = nil
+ if out_type == 'output'
+ if self.output_name
+ coll_name = self.output_name
+ end
+ if self.output_ttl > 0
+ trash_at = db_current_time + self.output_ttl
+ end
end
+ manifest = Collection.where(portable_data_hash: pdh).first.manifest_text
coll = Collection.new(owner_uuid: owner_uuid,
manifest_text: manifest,
portable_data_hash: pdh,
name: coll_name,
+ trash_at: trash_at,
+ delete_at: trash_at,
properties: {
'type' => out_type,
'container_request' => uuid,
end
def self.full_text_searchable_columns
- super - ["mounts"]
+ super - ["mounts", "secret_mounts", "secret_mounts_md5"]
end
protected
self.cwd ||= "."
self.container_count_max ||= Rails.configuration.container_count_max
self.scheduling_parameters ||= {}
+ self.output_ttl ||= 0
+ self.priority ||= 0
end
def set_container
end
end
- def validate_change
- permitted = [:owner_uuid]
+ def check_update_whitelist
+ permitted = AttrsPermittedAlways.dup
- case self.state
- when Uncommitted
- # Permit updating most fields
- permitted.push :command, :container_count_max,
- :container_image, :cwd, :description, :environment,
- :filters, :mounts, :name, :output_path, :priority,
- :properties, :requesting_container_uuid, :runtime_constraints,
- :state, :container_uuid, :use_existing, :scheduling_parameters,
- :output_name
+ if self.new_record? || self.state_was == Uncommitted
+ # Allow create-and-commit in a single operation.
+ permitted.push(*AttrsPermittedBeforeCommit)
+ end
+ case self.state
when Committed
- if container_uuid.nil?
- errors.add :container_uuid, "has not been resolved to a container."
+ permitted.push :priority, :container_count_max, :container_uuid
+
+ if self.container_uuid.nil?
+ self.errors.add :container_uuid, "has not been resolved to a container."
end
- if priority.nil?
- errors.add :priority, "cannot be nil"
+ if self.priority.nil?
+ self.errors.add :priority, "cannot be nil"
end
- # Can update priority, container count, name and description
- permitted.push :priority, :container_count, :container_count_max, :container_uuid,
- :name, :description
-
- if self.state_changed?
- # Allow create-and-commit in a single operation.
- permitted.push :command, :container_image, :cwd, :description, :environment,
- :filters, :mounts, :name, :output_path, :properties,
- :requesting_container_uuid, :runtime_constraints,
- :state, :container_uuid, :use_existing, :scheduling_parameters,
- :output_name
+ # Allow container count to increment by 1
+ if (self.container_uuid &&
+ self.container_uuid != self.container_uuid_was &&
+ self.container_count == 1 + (self.container_count_was || 0))
+ permitted.push :container_count
end
when Final
- if not current_user.andand.is_admin and not (self.name_changed? || self.description_changed?)
- errors.add :state, "of container request can only be set to Final by system."
- end
+ if self.state_was == Committed
+ # "Cancel" means setting priority=0, state=Committed
+ permitted.push :priority
- if self.state_changed? || self.name_changed? || self.description_changed? || self.output_uuid_changed? || self.log_uuid_changed?
- permitted.push :state, :name, :description, :output_uuid, :log_uuid
- else
- errors.add :state, "does not allow updates"
+ if current_user.andand.is_admin
+ permitted.push :output_uuid, :log_uuid
+ end
end
- else
- errors.add :state, "invalid value"
end
- check_update_whitelist permitted
+ super(permitted)
end
- def update_priority
- if self.state_changed? or
- self.priority_changed? or
- self.container_uuid_changed?
- act_as_system_user do
- Container.
- where('uuid in (?)',
- [self.container_uuid_was, self.container_uuid].compact).
- map(&:update_priority!)
+ def secret_mounts_key_conflict
+ secret_mounts.each do |k, v|
+ if mounts.has_key?(k)
+ errors.add(:secret_mounts, 'conflict with non-secret mounts')
+ return false
end
end
end
- def set_requesting_container_uuid
- return !new_record? if self.requesting_container_uuid # already set
+ def scrub_secret_mounts
+ if self.state == Final
+ self.secret_mounts = {}
+ end
+ end
+
+ def update_priority
+ return unless state_changed? || priority_changed? || container_uuid_changed?
+ act_as_system_user do
+ ActiveRecord::Base.connection.execute('LOCK container_requests, containers IN EXCLUSIVE MODE')
+ Container.
+ where('uuid in (?)', [self.container_uuid_was, self.container_uuid].compact).
+ map(&:update_priority!)
+ end
+ end
- token_uuid = current_api_client_authorization.andand.uuid
- container = Container.where('auth_uuid=?', token_uuid).order('created_at desc').first
- self.requesting_container_uuid = container.uuid if container
- true
+ def set_priority_zero
+ self.update_attributes!(priority: 0) if self.state != Final
+ end
+
+ def set_requesting_container_uuid
+ return if !current_api_client_authorization
+ ActiveRecord::Base.connection.execute('LOCK container_requests, containers IN EXCLUSIVE MODE')
+ if (c = Container.where('auth_uuid=?', current_api_client_authorization.uuid).select([:uuid, :priority]).first)
+ self.requesting_container_uuid = c.uuid
+ self.priority = c.priority>0 ? 1 : 0
+ end
end
end