# SPDX-License-Identifier: AGPL-3.0
require 'whitelist_update'
+require 'arvados/collection'
class ContainerRequest < ArvadosModel
include ArvadosModelUpdates
primary_key: :uuid,
}
- serialize :properties, Hash
+ # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
+ # already know how to properly treat them.
+ attribute :properties, :jsonbHash, default: {}
+ attribute :secret_mounts, :jsonbHash, default: {}
+
serialize :environment, Hash
serialize :mounts, Hash
serialize :runtime_constraints, Hash
serialize :command, Array
serialize :scheduling_parameters, Hash
- serialize :secret_mounts, Hash
before_validation :fill_field_defaults, :if => :new_record?
before_validation :validate_runtime_constraints
validate :validate_state_change
validate :check_update_whitelist
validate :secret_mounts_key_conflict
- before_save :scrub_secret_mounts
+ validate :validate_runtime_token
+ before_save :scrub_secrets
before_create :set_requesting_container_uuid
before_destroy :set_priority_zero
after_save :update_priority
AttrsPermittedAlways = [:owner_uuid, :state, :name, :description, :properties]
AttrsPermittedBeforeCommit = [:command, :container_count_max,
:container_image, :cwd, :environment, :filters, :mounts,
- :output_path, :priority,
+ :output_path, :priority, :runtime_token,
:runtime_constraints, :state, :container_uuid, :use_existing,
:scheduling_parameters, :secret_mounts, :output_name, :output_ttl]
end
def logged_attributes
- super.except('secret_mounts')
+ super.except('secret_mounts', 'runtime_token')
end
def state_transitions
end
def skip_uuid_read_permission_check
- # XXX temporary until permissions are sorted out.
- %w(modified_by_client_uuid container_uuid requesting_container_uuid)
+ # The uuid_read_permission_check prevents users from making
+ # references to objects they can't view. However, in this case we
+ # don't want to do that check since there's a circular dependency
+ # where user can't view the container until the user has
+ # constructed the container request that references the container.
+ %w(container_uuid)
end
def finalize_if_needed
- if state == Committed && Container.find_by_uuid(container_uuid).final?
- reload
- act_as_system_user do
- leave_modified_by_user_alone do
- finalize!
+ return if state != Committed
+ while true
+ # get container lock first, then lock current container request
+ # (same order as Container#handle_completed). Locking always
+ # reloads the Container and ContainerRequest records.
+ c = Container.find_by_uuid(container_uuid)
+ c.lock!
+ self.lock!
+
+ if container_uuid != c.uuid
+ # After locking, we've noticed a race, the container_uuid is
+ # different than the container record we just loaded. This
+ # can happen if Container#handle_completed scheduled a new
+ # container for retry and set container_uuid while we were
+ # waiting on the container lock. Restart the loop and get the
+ # new container.
+ redo
+ end
+
+ if state == Committed && c.final?
+ # The current container is
+ act_as_system_user do
+ leave_modified_by_user_alone do
+ finalize!
+ end
end
end
+ return true
end
end
# Finalize the container request after the container has
# finished/cancelled.
def finalize!
- out_coll = nil
- log_coll = nil
- c = Container.find_by_uuid(container_uuid)
- ['output', 'log'].each do |out_type|
- pdh = c.send(out_type)
+ container = Container.find_by_uuid(container_uuid)
+ update_collections(container: container)
+
+ if container.state == Container::Complete
+ log_col = Collection.where(portable_data_hash: container.log).first
+ if log_col
+ # Need to save collection
+ completed_coll = Collection.new(
+ owner_uuid: self.owner_uuid,
+ name: "Container log for container #{container_uuid}",
+ properties: {
+ 'type' => 'log',
+ 'container_request' => self.uuid,
+ 'container_uuid' => container_uuid,
+ },
+ portable_data_hash: log_col.portable_data_hash,
+ manifest_text: log_col.manifest_text)
+ completed_coll.save_with_unique_name!
+ end
+ end
+
+ update_attributes!(state: Final)
+ end
+
+ def update_collections(container:, collections: ['log', 'output'])
+ collections.each do |out_type|
+ pdh = container.send(out_type)
next if pdh.nil?
coll_name = "Container #{out_type} for request #{uuid}"
trash_at = nil
end
manifest = Collection.where(portable_data_hash: pdh).first.manifest_text
- coll = Collection.new(owner_uuid: owner_uuid,
- manifest_text: manifest,
- portable_data_hash: pdh,
- name: coll_name,
- trash_at: trash_at,
- delete_at: trash_at,
- properties: {
- 'type' => out_type,
- 'container_request' => uuid,
- })
- coll.save_with_unique_name!
- if out_type == 'output'
- out_coll = coll.uuid
- else
- log_coll = coll.uuid
+ coll_uuid = self.send(out_type + '_uuid')
+ coll = coll_uuid.nil? ? nil : Collection.where(uuid: coll_uuid).first
+ if !coll
+ coll = Collection.new(
+ owner_uuid: self.owner_uuid,
+ name: coll_name,
+ manifest_text: "",
+ properties: {
+ 'type' => out_type,
+ 'container_request' => uuid,
+ })
end
+
+ if out_type == "log"
+ # Copy the log into a merged collection
+ src = Arv::Collection.new(manifest)
+ dst = Arv::Collection.new(coll.manifest_text)
+ dst.cp_r("./", ".", src)
+ dst.cp_r("./", "log for container #{container.uuid}", src)
+ manifest = dst.manifest_text
+ end
+
+ coll.assign_attributes(
+ portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s,
+ manifest_text: manifest,
+ trash_at: trash_at,
+ delete_at: trash_at)
+ coll.save_with_unique_name!
+ self.send(out_type + '_uuid=', coll.uuid)
end
- update_attributes!(state: Final, output_uuid: out_coll, log_uuid: log_coll)
end
def self.full_text_searchable_columns
- super - ["mounts", "secret_mounts", "secret_mounts_md5"]
+ super - ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token"]
end
protected
self.environment ||= {}
self.runtime_constraints ||= {}
self.mounts ||= {}
+ self.secret_mounts ||= {}
self.cwd ||= "."
- self.container_count_max ||= Rails.configuration.container_count_max
+ self.container_count_max ||= Rails.configuration.Containers.MaxRetryAttempts
self.scheduling_parameters ||= {}
self.output_ttl ||= 0
self.priority ||= 0
return false
end
if state_changed? and state == Committed and container_uuid.nil?
- self.container_uuid = Container.resolve(self).uuid
+ while true
+ c = Container.resolve(self)
+ c.lock!
+ if c.state == Container::Cancelled
+ # Lost a race, we have a lock on the container but the
+ # container was cancelled in a different request, restart
+ # the loop and resolve request to a new container.
+ redo
+ end
+ self.container_uuid = c.uuid
+ break
+ end
end
if self.container_uuid != self.container_uuid_was
if self.container_count_changed?
return false
else
self.container_count += 1
+ if self.container_uuid_was
+ old_container = Container.find_by_uuid(self.container_uuid_was)
+ old_logs = Collection.where(portable_data_hash: old_container.log).first
+ if old_logs
+ log_coll = self.log_uuid.nil? ? nil : Collection.where(uuid: self.log_uuid).first
+ if self.log_uuid.nil?
+ log_coll = Collection.new(
+ owner_uuid: self.owner_uuid,
+ name: coll_name = "Container log for request #{uuid}",
+ manifest_text: "")
+ end
+
+ # copy logs from old container into CR's log collection
+ src = Arv::Collection.new(old_logs.manifest_text)
+ dst = Arv::Collection.new(log_coll.manifest_text)
+ dst.cp_r("./", "log for container #{old_container.uuid}", src)
+ manifest = dst.manifest_text
+
+ log_coll.assign_attributes(
+ portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s,
+ manifest_text: manifest)
+ log_coll.save_with_unique_name!
+ self.log_uuid = log_coll.uuid
+ end
+ end
end
end
end
if self.state == Committed
# If preemptible instances (eg: AWS Spot Instances) are allowed,
# ask them on child containers by default.
- if Rails.configuration.preemptible_instances and !c.nil? and
+ if Rails.configuration.Containers.UsePreemptibleInstances and !c.nil? and
self.scheduling_parameters['preemptible'].nil?
self.scheduling_parameters['preemptible'] = true
end
scheduling_parameters['partitions'].size)
errors.add :scheduling_parameters, "partitions must be an array of strings"
end
- if !Rails.configuration.preemptible_instances and scheduling_parameters['preemptible']
+ if !Rails.configuration.Containers.UsePreemptibleInstances and scheduling_parameters['preemptible']
errors.add :scheduling_parameters, "preemptible instances are not allowed"
end
if scheduling_parameters.include? 'max_run_time' and
permitted.push :container_count
end
+ if current_user.andand.is_admin
+ permitted.push :log_uuid
+ end
+
when Final
if self.state_was == Committed
# "Cancel" means setting priority=0, state=Committed
end
end
- def scrub_secret_mounts
+ def validate_runtime_token
+ if !self.runtime_token.nil? && self.runtime_token_changed?
+ if !runtime_token[0..2] == "v2/"
+ errors.add :runtime_token, "not a v2 token"
+ return
+ end
+ if ApiClientAuthorization.validate(token: runtime_token).nil?
+ errors.add :runtime_token, "failed validation"
+ end
+ end
+ end
+
+ def scrub_secrets
if self.state == Final
self.secret_mounts = {}
+ self.runtime_token = nil
end
end
self.requesting_container_uuid = c.uuid
# Determine the priority of container request for the requesting
# container.
- self.priority = ContainerRequest.
- where('container_uuid=? and priority>0', self.requesting_container_uuid).
- map do |cr|
- cr.priority
- end.max || 0
+ self.priority = ContainerRequest.where(container_uuid: self.requesting_container_uuid).maximum("priority") || 0
end
end
def get_requesting_container
return self.requesting_container_uuid if !self.requesting_container_uuid.nil?
- return if !current_api_client_authorization
- if (c = Container.where('auth_uuid=?', current_api_client_authorization.uuid).select([:uuid, :priority]).first)
- return c
- end
+ Container.for_current_token
end
end