"var" => "val",
},
secret_mounts: {},
+ runtime_user_uuid: "zzzzz-tpzed-xurymjxw79nv3jz",
+ runtime_auth_scopes: ["all"]
}
+ def request_only attrs
+ attrs.reject {|k| [:runtime_user_uuid, :runtime_auth_scopes].include? k}
+ end
+
def minimal_new attrs={}
- cr = ContainerRequest.new DEFAULT_ATTRS.merge(attrs)
+ cr = ContainerRequest.new request_only(DEFAULT_ATTRS.merge(attrs))
cr.state = ContainerRequest::Committed
- act_as_user users(:active) do
- cr.save!
- end
+ cr.save!
c = Container.find_by_uuid cr.container_uuid
assert_not_nil c
return c, cr
assert_equal c1.runtime_status, {}
assert_equal Container::Queued, c1.state
- assert_raises ActiveRecord::RecordInvalid do
+ assert_raises ArvadosModel::PermissionDeniedError do
c1.update_attributes! runtime_status: {'error' => 'Oops!'}
end
end
test "Container serialized hash attributes sorted before save" do
+ set_user_from_auth :active
env = {"C" => "3", "B" => "2", "A" => "1"}
m = {"F" => {"kind" => "3"}, "E" => {"kind" => "2"}, "D" => {"kind" => "1"}}
rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
end
test "find_reusable method should select higher priority queued container" do
+ Rails.configuration.Containers.LogReuseDecisions = true
set_user_from_auth :active
common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
}
- cr = ContainerRequest.new common_attrs
+ cr = ContainerRequest.new request_only(common_attrs)
cr.use_existing = false
cr.state = ContainerRequest::Committed
cr.save!
c_output1 = Container.where(uuid: cr.container_uuid).first
- cr = ContainerRequest.new common_attrs
+ cr = ContainerRequest.new request_only(common_attrs)
cr.use_existing = false
cr.state = ContainerRequest::Committed
cr.save!
c_output2.update_attributes!({state: Container::Running})
c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
- reused = Container.resolve(ContainerRequest.new(common_attrs))
+ set_user_from_auth :active
+ reused = Container.resolve(ContainerRequest.new(request_only(common_attrs)))
assert_equal c_output1.uuid, reused.uuid
end
runtime_status: {'warning' => 'This is not an error'},
progress: 0.15})
c_faster_started_second.update_attributes!({state: Container::Locked})
+ assert_equal 0, Container.where("runtime_status->'error' is not null").count
c_faster_started_second.update_attributes!({state: Container::Running,
runtime_status: {'error' => 'Something bad happened'},
progress: 0.2})
+ assert_equal 1, Container.where("runtime_status->'error' is not null").count
reused = Container.find_reusable(common_attrs)
assert_not_nil reused
# Selected the non-failing container even if it's the one with less progress done
test "find_reusable with logging enabled" do
set_user_from_auth :active
- Rails.configuration.log_reuse_decisions = true
+ Rails.configuration.Containers.LogReuseDecisions = true
Rails.logger.expects(:info).at_least(3)
Container.find_reusable(REUSABLE_COMMON_ATTRS)
end
+ def runtime_token_attr tok
+ auth = api_client_authorizations(tok)
+ {runtime_user_uuid: User.find_by_id(auth.user_id).uuid,
+ runtime_auth_scopes: auth.scopes,
+ runtime_token: auth.token}
+ end
+
+ test "find_reusable method with same runtime_token" do
+ set_user_from_auth :active
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:container_runtime_token).token}))
+ assert_equal Container::Queued, c1.state
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ assert_not_nil reused
+ assert_equal reused.uuid, c1.uuid
+ end
+
+ test "find_reusable method with different runtime_token, same user" do
+ set_user_from_auth :active
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:crt_user).token}))
+ assert_equal Container::Queued, c1.state
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ assert_not_nil reused
+ assert_equal reused.uuid, c1.uuid
+ end
+
+ test "find_reusable method with nil runtime_token, then runtime_token with same user" do
+ set_user_from_auth :crt_user
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs)
+ assert_equal Container::Queued, c1.state
+ assert_equal users(:container_runtime_token_user).uuid, c1.runtime_user_uuid
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ assert_not_nil reused
+ assert_equal reused.uuid, c1.uuid
+ end
+
+ test "find_reusable method with different runtime_token, different user" do
+ set_user_from_auth :crt_user
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:active).token}))
+ assert_equal Container::Queued, c1.state
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ # See #14584
+ assert_equal c1.uuid, reused.uuid
+ end
+
+ test "find_reusable method with nil runtime_token, then runtime_token with different user" do
+ set_user_from_auth :active
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs.merge({runtime_token: nil}))
+ assert_equal Container::Queued, c1.state
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ # See #14584
+ assert_equal c1.uuid, reused.uuid
+ end
+
+ test "find_reusable method with different runtime_token, different scope, same user" do
+ set_user_from_auth :active
+ common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+ c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:runtime_token_limited_scope).token}))
+ assert_equal Container::Queued, c1.state
+ reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+ # See #14584
+ assert_equal c1.uuid, reused.uuid
+ end
+
test "Container running" do
+ set_user_from_auth :active
c, _ = minimal_new priority: 1
set_user_from_auth :dispatch1
end
test "Lock and unlock" do
+ set_user_from_auth :active
c, cr = minimal_new priority: 0
set_user_from_auth :dispatch1
auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
assert_operator auth_exp, :<, db_current_time
+
+ assert_nil ApiClientAuthorization.validate(token: ApiClientAuthorization.find_by_uuid(auth_uuid_was).token)
+ end
+
+ test "Exceed maximum lock-unlock cycles" do
+ Rails.configuration.Containers.MaxDispatchAttempts = 3
+
+ set_user_from_auth :active
+ c, cr = minimal_new
+
+ set_user_from_auth :dispatch1
+ assert_equal Container::Queued, c.state
+ assert_equal 0, c.lock_count
+
+ c.lock
+ c.reload
+ assert_equal 1, c.lock_count
+ assert_equal Container::Locked, c.state
+
+ c.unlock
+ c.reload
+ assert_equal 1, c.lock_count
+ assert_equal Container::Queued, c.state
+
+ c.lock
+ c.reload
+ assert_equal 2, c.lock_count
+ assert_equal Container::Locked, c.state
+
+ c.unlock
+ c.reload
+ assert_equal 2, c.lock_count
+ assert_equal Container::Queued, c.state
+
+ c.lock
+ c.reload
+ assert_equal 3, c.lock_count
+ assert_equal Container::Locked, c.state
+
+ c.unlock
+ c.reload
+ assert_equal 3, c.lock_count
+ assert_equal Container::Cancelled, c.state
+
+ assert_raise(ArvadosModel::LockFailedError) do
+ # Cancelled to Locked is not allowed
+ c.lock
+ end
end
test "Container queued cancel" do
+ set_user_from_auth :active
c, cr = minimal_new({container_count_max: 1})
set_user_from_auth :dispatch1
assert c.update_attributes(state: Container::Cancelled), show_errors(c)
assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
end
+ test "Containers with no matching request are readable by admin" do
+ uuids = Container.includes('container_requests').where(container_requests: {uuid: nil}).collect(&:uuid)
+ assert_not_empty uuids
+ assert_empty Container.readable_by(users(:active)).where(uuid: uuids)
+ assert_not_empty Container.readable_by(users(:admin)).where(uuid: uuids)
+ assert_equal uuids.count, Container.readable_by(users(:admin)).where(uuid: uuids).count
+ end
+
test "Container locked cancel" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
assert c.lock, show_errors(c)
end
test "Container locked cancel with log" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
assert c.lock, show_errors(c)
end
test "Container running cancel" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
end
end
+ [
+ [Container::Queued, {state: Container::Locked}],
+ [Container::Queued, {state: Container::Running}],
+ [Container::Queued, {state: Container::Complete}],
+ [Container::Queued, {state: Container::Cancelled}],
+ [Container::Queued, {priority: 123456789}],
+ [Container::Queued, {runtime_status: {'error' => 'oops'}}],
+ [Container::Queued, {cwd: '/'}],
+ [Container::Locked, {state: Container::Running}],
+ [Container::Locked, {state: Container::Queued}],
+ [Container::Locked, {priority: 123456789}],
+ [Container::Locked, {runtime_status: {'error' => 'oops'}}],
+ [Container::Locked, {cwd: '/'}],
+ [Container::Running, {state: Container::Complete}],
+ [Container::Running, {state: Container::Cancelled}],
+ [Container::Running, {priority: 123456789}],
+ [Container::Running, {runtime_status: {'error' => 'oops'}}],
+ [Container::Running, {cwd: '/'}],
+ [Container::Complete, {state: Container::Cancelled}],
+ [Container::Complete, {priority: 123456789}],
+ [Container::Complete, {runtime_status: {'error' => 'oops'}}],
+ [Container::Complete, {cwd: '/'}],
+ [Container::Cancelled, {cwd: '/'}],
+ ].each do |start_state, updates|
+ test "Container update #{updates.inspect} when #{start_state} forbidden for non-admin" do
+ set_user_from_auth :active
+ c, _ = minimal_new
+ if start_state != Container::Queued
+ set_user_from_auth :dispatch1
+ c.lock
+ if start_state != Container::Locked
+ c.update_attributes! state: Container::Running
+ if start_state != Container::Running
+ c.update_attributes! state: start_state
+ end
+ end
+ end
+ assert_equal c.state, start_state
+ set_user_from_auth :active
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ c.update_attributes! updates
+ end
+ end
+ end
+
test "Container only set exit code on complete" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
end
test "locked_by_uuid can update log when locked/running, and output when running" do
+ set_user_from_auth :active
logcoll = collections(:real_log_collection)
c, cr1 = minimal_new
cr2 = ContainerRequest.new(DEFAULT_ATTRS)
cr2.reload
assert_equal cr1log_uuid, cr1.log_uuid
assert_equal cr2log_uuid, cr2.log_uuid
- assert_equal [logpdh_time2], Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq
- end
-
- test "auth_uuid can set output, progress, runtime_status, state on running container -- but not log" do
- c, _ = minimal_new
- set_user_from_auth :dispatch1
- c.lock
- c.update_attributes! state: Container::Running
-
- auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
- Thread.current[:api_client_authorization] = auth
- Thread.current[:api_client] = auth.api_client
- Thread.current[:token] = auth.token
- Thread.current[:user] = auth.user
+ assert_equal 1, Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq.length
+ assert_equal ". acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+./log\\040for\\040container\\040#{cr1.container_uuid} acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+", Collection.find_by_uuid(cr1log_uuid).manifest_text
+ end
+
+ ["auth_uuid", "runtime_token"].each do |tok|
+ test "#{tok} can set output, progress, runtime_status, state on running container -- but not log" do
+ if tok == "runtime_token"
+ set_user_from_auth :spectator
+ c, _ = minimal_new(container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
+ runtime_token: api_client_authorizations(:active).token)
+ else
+ set_user_from_auth :active
+ c, _ = minimal_new
+ end
+ set_user_from_auth :dispatch1
+ c.lock
+ c.update_attributes! state: Container::Running
+
+ if tok == "runtime_token"
+ auth = ApiClientAuthorization.validate(token: c.runtime_token)
+ Thread.current[:api_client_authorization] = auth
+ Thread.current[:api_client] = auth.api_client
+ Thread.current[:token] = auth.token
+ Thread.current[:user] = auth.user
+ else
+ auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
+ Thread.current[:api_client_authorization] = auth
+ Thread.current[:api_client] = auth.api_client
+ Thread.current[:token] = auth.token
+ Thread.current[:user] = auth.user
+ end
- assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
- assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
- assert c.update_attributes(progress: 0.5)
- refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
- c.reload
- assert c.update_attributes(state: Container::Complete, exit_code: 0)
+ assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
+ assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
+ assert c.update_attributes(progress: 0.5)
+ refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
+ c.reload
+ assert c.update_attributes(state: Container::Complete, exit_code: 0)
+ end
end
test "not allowed to set output that is not readable by current user" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
end
test "other token cannot set output on running container" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
c.update_attributes! state: Container::Running
set_user_from_auth :running_to_be_deleted_container_auth
- refute c.update_attributes(output: collections(:foo_file).portable_data_hash)
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ c.update_attributes(output: collections(:foo_file).portable_data_hash)
+ end
end
test "can set trashed output on running container" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
end
test "not allowed to set trashed output that is not readable by current user" do
+ set_user_from_auth :active
c, _ = minimal_new
set_user_from_auth :dispatch1
c.lock
end
end
+ test "user cannot delete" do
+ set_user_from_auth :active
+ c, _ = minimal_new
+ assert_raises ArvadosModel::PermissionDeniedError do
+ c.destroy
+ end
+ assert Container.find_by_uuid(c.uuid)
+ end
+
[
{state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
{state: Container::Cancelled},
].each do |final_attrs|
- test "secret_mounts is null after container is #{final_attrs[:state]}" do
+ test "secret_mounts and runtime_token are null after container is #{final_attrs[:state]}" do
+ set_user_from_auth :active
c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
- container_count_max: 1)
+ container_count_max: 1, runtime_token: api_client_authorizations(:active).token)
set_user_from_auth :dispatch1
c.lock
c.update_attributes!(state: Container::Running)
c.reload
assert c.secret_mounts.has_key?('/secret')
+ assert_equal api_client_authorizations(:active).token, c.runtime_token
c.update_attributes!(final_attrs)
c.reload
assert_equal({}, c.secret_mounts)
+ assert_nil c.runtime_token
cr.reload
assert_equal({}, cr.secret_mounts)
+ assert_nil cr.runtime_token
assert_no_secrets_logged
end
end