X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/080c940d7a8134a6e277a53b7e45eb27e2b2c87f..b6d7efab2c4bffa3fabd55b166e44cca8ac1391f:/services/api/app/models/container_request.rb diff --git a/services/api/app/models/container_request.rb b/services/api/app/models/container_request.rb index dd3ff767dd..b30b8cc1d9 100644 --- a/services/api/app/models/container_request.rb +++ b/services/api/app/models/container_request.rb @@ -3,6 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0 require 'whitelist_update' +require 'arvados/collection' class ContainerRequest < ArvadosModel include ArvadosModelUpdates @@ -18,13 +19,16 @@ class ContainerRequest < ArvadosModel primary_key: :uuid, } - serialize :properties, Hash + # PostgreSQL JSONB columns should NOT be declared as serialized, Rails 5 + # already knows how to properly treat them. + attribute :properties, :jsonbHash, default: {} + attribute :secret_mounts, :jsonbHash, default: {} + serialize :environment, Hash serialize :mounts, Hash serialize :runtime_constraints, Hash serialize :command, Array serialize :scheduling_parameters, Hash - serialize :secret_mounts, Hash before_validation :fill_field_defaults, :if => :new_record?
before_validation :validate_runtime_constraints @@ -33,11 +37,13 @@ class ContainerRequest < ArvadosModel validates :command, :container_image, :output_path, :cwd, :presence => true validates :output_ttl, numericality: { only_integer: true, greater_than_or_equal_to: 0 } validates :priority, numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 1000 } + validate :validate_datatypes validate :validate_scheduling_parameters validate :validate_state_change validate :check_update_whitelist validate :secret_mounts_key_conflict - before_save :scrub_secret_mounts + validate :validate_runtime_token + before_save :scrub_secrets before_create :set_requesting_container_uuid before_destroy :set_priority_zero after_save :update_priority @@ -87,7 +93,7 @@ class ContainerRequest < ArvadosModel AttrsPermittedAlways = [:owner_uuid, :state, :name, :description, :properties] AttrsPermittedBeforeCommit = [:command, :container_count_max, :container_image, :cwd, :environment, :filters, :mounts, - :output_path, :priority, + :output_path, :priority, :runtime_token, :runtime_constraints, :state, :container_uuid, :use_existing, :scheduling_parameters, :secret_mounts, :output_name, :output_ttl] @@ -96,7 +102,7 @@ class ContainerRequest < ArvadosModel end def logged_attributes - super.except('secret_mounts') + super.except('secret_mounts', 'runtime_token') end def state_transitions @@ -104,30 +110,87 @@ class ContainerRequest < ArvadosModel end def skip_uuid_read_permission_check - # XXX temporary until permissions are sorted out. - %w(modified_by_client_uuid container_uuid requesting_container_uuid) + # The uuid_read_permission_check prevents users from making + # references to objects they can't view. However, in this case we + # don't want to do that check since there's a circular dependency + # where the user can't view the container until the user has + # constructed the container request that references the container.
+ %w(container_uuid) end def finalize_if_needed - if state == Committed && Container.find_by_uuid(container_uuid).final? - reload - act_as_system_user do - leave_modified_by_user_alone do - finalize! + return if state != Committed + while true + # get container lock first, then lock current container request + # (same order as Container#handle_completed). Locking always + # reloads the Container and ContainerRequest records. + c = Container.find_by_uuid(container_uuid) + c.lock! if !c.nil? + self.lock! + + if !c.nil? && container_uuid != c.uuid + # After locking, we've noticed a race, the container_uuid is + # different than the container record we just loaded. This + # can happen if Container#handle_completed scheduled a new + # container for retry and set container_uuid while we were + # waiting on the container lock. Restart the loop and get the + # new container. + redo + end + + if !c.nil? + if state == Committed && c.final? + # The current container is final, so finalize this request + act_as_system_user do + leave_modified_by_user_alone do + finalize! + end + end end + elsif state == Committed + # Behave as if the container is cancelled + update_attributes!(state: Final) end + return true end end # Finalize the container request after the container has # finished/cancelled. def finalize! - out_coll = nil - log_coll = nil - c = Container.find_by_uuid(container_uuid) - ['output', 'log'].each do |out_type| - pdh = c.send(out_type) + container = Container.find_by_uuid(container_uuid) + if !container.nil?
+ update_collections(container: container) + + if container.state == Container::Complete + log_col = Collection.where(portable_data_hash: container.log).first + if log_col + # Save a copy of the container's log collection, owned by this request's owner + completed_coll = Collection.new( + owner_uuid: self.owner_uuid, + name: "Container log for container #{container_uuid}", + properties: { + 'type' => 'log', + 'container_request' => self.uuid, + 'container_uuid' => container_uuid, + }, + portable_data_hash: log_col.portable_data_hash, + manifest_text: log_col.manifest_text) + completed_coll.save_with_unique_name! + end + end + end + update_attributes!(state: Final) + end + + def update_collections(container:, collections: ['log', 'output']) + collections.each do |out_type| + pdh = container.send(out_type) next if pdh.nil? + c = Collection.where(portable_data_hash: pdh).first + next if c.nil? + manifest = c.manifest_text + coll_name = "Container #{out_type} for request #{uuid}" trash_at = nil if out_type == 'output' @@ -138,30 +201,41 @@ class ContainerRequest < ArvadosModel trash_at = db_current_time + self.output_ttl end end - manifest = Collection.where(portable_data_hash: pdh).first.manifest_text - - coll = Collection.new(owner_uuid: owner_uuid, - manifest_text: manifest, - portable_data_hash: pdh, - name: coll_name, - trash_at: trash_at, - delete_at: trash_at, - properties: { - 'type' => out_type, - 'container_request' => uuid, - }) - coll.save_with_unique_name! - if out_type == 'output' - out_coll = coll.uuid - else - log_coll = coll.uuid + + coll_uuid = self.send(out_type + '_uuid') + coll = coll_uuid.nil?
nil : Collection.where(uuid: coll_uuid).first + if !coll + coll = Collection.new( + owner_uuid: self.owner_uuid, + name: coll_name, + manifest_text: "", + properties: { + 'type' => out_type, + 'container_request' => uuid, + }) + end + + if out_type == "log" + # Copy the log into a merged collection, both at the top level and under a per-container directory + src = Arv::Collection.new(manifest) + dst = Arv::Collection.new(coll.manifest_text) + dst.cp_r("./", ".", src) + dst.cp_r("./", "log for container #{container.uuid}", src) + manifest = dst.manifest_text end + + coll.assign_attributes( + portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s, + manifest_text: manifest, + trash_at: trash_at, + delete_at: trash_at) + coll.save_with_unique_name! + self.send(out_type + '_uuid=', coll.uuid) end - update_attributes!(state: Final, output_uuid: out_coll, log_uuid: log_coll) end def self.full_text_searchable_columns - super - ["mounts", "secret_mounts", "secret_mounts_md5"] + super - ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token"] end protected @@ -171,8 +245,9 @@ class ContainerRequest < ArvadosModel self.environment ||= {} self.runtime_constraints ||= {} self.mounts ||= {} + self.secret_mounts ||= {} self.cwd ||= "." - self.container_count_max ||= Rails.configuration.container_count_max + self.container_count_max ||= Rails.configuration.Containers.MaxRetryAttempts self.scheduling_parameters ||= {} self.output_ttl ||= 0 self.priority ||= 0 @@ -186,15 +261,53 @@ class ContainerRequest < ArvadosModel return false end if state_changed? and state == Committed and container_uuid.nil? - self.container_uuid = Container.resolve(self).uuid + while true + c = Container.resolve(self) + c.lock! + if c.state == Container::Cancelled + # Lost a race, we have a lock on the container but the + # container was cancelled in a different request, restart + # the loop and resolve request to a new container.
+ redo + end + self.container_uuid = c.uuid + break + end end if self.container_uuid != self.container_uuid_was if self.container_count_changed? errors.add :container_count, "cannot be updated directly." return false - else - self.container_count += 1 end + + self.container_count += 1 + return if self.container_uuid_was.nil? + + old_container = Container.find_by_uuid(self.container_uuid_was) + return if old_container.nil? + + old_logs = Collection.where(portable_data_hash: old_container.log).first + return if old_logs.nil? + + log_coll = self.log_uuid.nil? ? nil : Collection.where(uuid: self.log_uuid).first + if self.log_uuid.nil? + log_coll = Collection.new( + owner_uuid: self.owner_uuid, + name: coll_name = "Container log for request #{uuid}", + manifest_text: "") + end + + # copy logs from old container into CR's log collection + src = Arv::Collection.new(old_logs.manifest_text) + dst = Arv::Collection.new(log_coll.manifest_text) + dst.cp_r("./", "log for container #{old_container.uuid}", src) + manifest = dst.manifest_text + + log_coll.assign_attributes( + portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s, + manifest_text: manifest) + log_coll.save_with_unique_name! + self.log_uuid = log_coll.uuid end end @@ -203,7 +316,7 @@ class ContainerRequest < ArvadosModel if self.state == Committed # If preemptible instances (eg: AWS Spot Instances) are allowed, # ask them on child containers by default. - if Rails.configuration.preemptible_instances and !c.nil? and + if Rails.configuration.Containers.UsePreemptibleInstances and !c.nil? and self.scheduling_parameters['preemptible'].nil? self.scheduling_parameters['preemptible'] = true end @@ -228,6 +341,43 @@ class ContainerRequest < ArvadosModel end end + def validate_datatypes + command.each do |c| + if !c.is_a? 
String + errors.add(:command, "must be an array of strings but has entry #{c.class}") + end + end + environment.each do |k,v| + if !k.is_a?(String) || !v.is_a?(String) + errors.add(:environment, "must be an map of String to String but has entry #{k.class} to #{v.class}") + end + end + [:mounts, :secret_mounts].each do |m| + self[m].each do |k, v| + if !k.is_a?(String) || !v.is_a?(Hash) + errors.add(m, "must be an map of String to Hash but is has entry #{k.class} to #{v.class}") + end + if v["kind"].nil? + errors.add(m, "each item must have a 'kind' field") + end + [[String, ["kind", "portable_data_hash", "uuid", "device_type", + "path", "commit", "repository_name", "git_url"]], + [Integer, ["capacity"]]].each do |t, fields| + fields.each do |f| + if !v[f].nil? && !v[f].is_a?(t) + errors.add(m, "#{k}: #{f} must be a #{t} but is #{v[f].class}") + end + end + end + ["writable", "exclude_from_output"].each do |f| + if !v[f].nil? && !v[f].is_a?(TrueClass) && !v[f].is_a?(FalseClass) + errors.add(m, "#{k}: #{f} must be a #{t} but is #{v[f].class}") + end + end + end + end + end + def validate_scheduling_parameters if self.state == Committed if scheduling_parameters.include? 'partitions' and @@ -236,7 +386,7 @@ class ContainerRequest < ArvadosModel scheduling_parameters['partitions'].size) errors.add :scheduling_parameters, "partitions must be an array of strings" end - if !Rails.configuration.preemptible_instances and scheduling_parameters['preemptible'] + if !Rails.configuration.Containers.UsePreemptibleInstances and scheduling_parameters['preemptible'] errors.add :scheduling_parameters, "preemptible instances are not allowed" end if scheduling_parameters.include? 
'max_run_time' and @@ -274,6 +424,10 @@ class ContainerRequest < ArvadosModel permitted.push :container_count end + if current_user.andand.is_admin + permitted.push :log_uuid + end + when Final if self.state_was == Committed # "Cancel" means setting priority=0, state=Committed @@ -298,9 +452,22 @@ class ContainerRequest < ArvadosModel end end - def scrub_secret_mounts + def validate_runtime_token + if !self.runtime_token.nil? && self.runtime_token_changed? + if !runtime_token[0..2] == "v2/" + errors.add :runtime_token, "not a v2 token" + return + end + if ApiClientAuthorization.validate(token: runtime_token).nil? + errors.add :runtime_token, "failed validation" + end + end + end + + def scrub_secrets if self.state == Final self.secret_mounts = {} + self.runtime_token = nil end end @@ -321,15 +488,14 @@ class ContainerRequest < ArvadosModel c = get_requesting_container() if !c.nil? self.requesting_container_uuid = c.uuid - self.priority = c.priority>0 ? 1 : 0 + # Determine the priority of container request for the requesting + # container. + self.priority = ContainerRequest.where(container_uuid: self.requesting_container_uuid).maximum("priority") || 0 end end def get_requesting_container return self.requesting_container_uuid if !self.requesting_container_uuid.nil? - return if !current_api_client_authorization - if (c = Container.where('auth_uuid=?', current_api_client_authorization.uuid).select([:uuid, :priority]).first) - return c - end + Container.for_current_token end end