X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/10c1e7359286edd6562c52304e9706449a9ee53f..bad73626c4208fb95ac8e3d9503fc4482f936cb3:/services/api/app/models/container_request.rb diff --git a/services/api/app/models/container_request.rb b/services/api/app/models/container_request.rb index 470388a7c7..f603d4dd79 100644 --- a/services/api/app/models/container_request.rb +++ b/services/api/app/models/container_request.rb @@ -3,6 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0 require 'whitelist_update' +require 'arvados/collection' class ContainerRequest < ArvadosModel include ArvadosModelUpdates @@ -18,27 +19,34 @@ class ContainerRequest < ArvadosModel primary_key: :uuid, } - serialize :properties, Hash + # Posgresql JSONB columns should NOT be declared as serialized, Rails 5 + # already know how to properly treat them. + attribute :properties, :jsonbHash, default: {} + attribute :secret_mounts, :jsonbHash, default: {} + attribute :output_storage_classes, :jsonbArray, default: Rails.configuration.DefaultStorageClasses + serialize :environment, Hash serialize :mounts, Hash serialize :runtime_constraints, Hash serialize :command, Array serialize :scheduling_parameters, Hash - serialize :secret_mounts, Hash + after_find :fill_container_defaults_after_find before_validation :fill_field_defaults, :if => :new_record? - before_validation :validate_runtime_constraints + before_validation :fill_container_defaults before_validation :set_default_preemptible_scheduling_parameter before_validation :set_container validates :command, :container_image, :output_path, :cwd, :presence => true validates :output_ttl, numericality: { only_integer: true, greater_than_or_equal_to: 0 } validates :priority, numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 1000 } validate :validate_datatypes + validate :validate_runtime_constraints validate :validate_scheduling_parameters validate :validate_state_change validate :check_update_whitelist validate :secret_mounts_key_conflict - before_save :scrub_secret_mounts + validate :validate_runtime_token + before_save :scrub_secrets before_create :set_requesting_container_uuid before_destroy :set_priority_zero after_save :update_priority @@ -69,6 +77,7 @@ class ContainerRequest < ArvadosModel t.add :scheduling_parameters t.add :state t.add :use_existing + t.add :output_storage_classes end # Supported states for a container request @@ -88,16 +97,17 @@ class ContainerRequest < ArvadosModel AttrsPermittedAlways = [:owner_uuid, :state, :name, :description, :properties] AttrsPermittedBeforeCommit = [:command, :container_count_max, :container_image, :cwd, :environment, :filters, :mounts, - :output_path, :priority, + :output_path, :priority, :runtime_token, :runtime_constraints, :state, :container_uuid, :use_existing, - :scheduling_parameters, :secret_mounts, :output_name, :output_ttl] + :scheduling_parameters, :secret_mounts, :output_name, :output_ttl, + :output_storage_classes] def self.limit_index_columns_read ["mounts"] end def logged_attributes - super.except('secret_mounts') + super.except('secret_mounts', 'runtime_token') end def state_transitions @@ -105,64 +115,135 @@ class ContainerRequest < ArvadosModel end def skip_uuid_read_permission_check - # XXX temporary until permissions are sorted out. - %w(modified_by_client_uuid container_uuid requesting_container_uuid) + # The uuid_read_permission_check prevents users from making + # references to objects they can't view. However, in this case we + # don't want to do that check since there's a circular dependency + # where user can't view the container until the user has + # constructed the container request that references the container. + %w(container_uuid) end def finalize_if_needed - if state == Committed && Container.find_by_uuid(container_uuid).final? - reload - act_as_system_user do - leave_modified_by_user_alone do - finalize! + return if state != Committed + while true + # get container lock first, then lock current container request + # (same order as Container#handle_completed). Locking always + # reloads the Container and ContainerRequest records. + c = Container.find_by_uuid(container_uuid) + c.lock! if !c.nil? + self.lock! + + if !c.nil? && container_uuid != c.uuid + # After locking, we've noticed a race, the container_uuid is + # different than the container record we just loaded. This + # can happen if Container#handle_completed scheduled a new + # container for retry and set container_uuid while we were + # waiting on the container lock. Restart the loop and get the + # new container. + redo + end + + if !c.nil? + if state == Committed && c.final? + # The current container is + act_as_system_user do + leave_modified_by_user_alone do + finalize! + end + end end + elsif state == Committed + # Behave as if the container is cancelled + update_attributes!(state: Final) end + return true end end # Finalize the container request after the container has # finished/cancelled. def finalize! - out_coll = nil - log_coll = nil - c = Container.find_by_uuid(container_uuid) - ['output', 'log'].each do |out_type| - pdh = c.send(out_type) + container = Container.find_by_uuid(container_uuid) + if !container.nil? + update_collections(container: container) + + if container.state == Container::Complete + log_col = Collection.where(portable_data_hash: container.log).first + if log_col + # Need to save collection + completed_coll = Collection.new( + owner_uuid: self.owner_uuid, + name: "Container log for container #{container_uuid}", + properties: { + 'type' => 'log', + 'container_request' => self.uuid, + 'container_uuid' => container_uuid, + }, + portable_data_hash: log_col.portable_data_hash, + manifest_text: log_col.manifest_text, + storage_classes_desired: self.output_storage_classes + ) + completed_coll.save_with_unique_name! + end + end + end + update_attributes!(state: Final) + end + + def update_collections(container:, collections: ['log', 'output']) + collections.each do |out_type| + pdh = container.send(out_type) next if pdh.nil? + c = Collection.where(portable_data_hash: pdh).first + next if c.nil? + manifest = c.manifest_text + coll_name = "Container #{out_type} for request #{uuid}" trash_at = nil if out_type == 'output' - if self.output_name + if self.output_name and self.output_name != "" coll_name = self.output_name end if self.output_ttl > 0 trash_at = db_current_time + self.output_ttl end end - manifest = Collection.where(portable_data_hash: pdh).first.manifest_text - - coll = Collection.new(owner_uuid: owner_uuid, - manifest_text: manifest, - portable_data_hash: pdh, - name: coll_name, - trash_at: trash_at, - delete_at: trash_at, - properties: { - 'type' => out_type, - 'container_request' => uuid, - }) - coll.save_with_unique_name! - if out_type == 'output' - out_coll = coll.uuid - else - log_coll = coll.uuid + + coll_uuid = self.send(out_type + '_uuid') + coll = coll_uuid.nil? ? nil : Collection.where(uuid: coll_uuid).first + if !coll + coll = Collection.new( + owner_uuid: self.owner_uuid, + name: coll_name, + manifest_text: "", + storage_classes_desired: self.output_storage_classes, + properties: { + 'type' => out_type, + 'container_request' => uuid, + }) + end + + if out_type == "log" + # Copy the log into a merged collection + src = Arv::Collection.new(manifest) + dst = Arv::Collection.new(coll.manifest_text) + dst.cp_r("./", ".", src) + dst.cp_r("./", "log for container #{container.uuid}", src) + manifest = dst.manifest_text end + + coll.assign_attributes( + portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s, + manifest_text: manifest, + trash_at: trash_at, + delete_at: trash_at) + coll.save_with_unique_name! + self.send(out_type + '_uuid=', coll.uuid) end - update_attributes!(state: Final, output_uuid: out_coll, log_uuid: log_coll) end def self.full_text_searchable_columns - super - ["mounts", "secret_mounts", "secret_mounts_md5"] + super - ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token", "output_storage_classes"] end protected @@ -172,8 +253,9 @@ class ContainerRequest < ArvadosModel self.environment ||= {} self.runtime_constraints ||= {} self.mounts ||= {} + self.secret_mounts ||= {} self.cwd ||= "." - self.container_count_max ||= Rails.configuration.container_count_max + self.container_count_max ||= Rails.configuration.Containers.MaxRetryAttempts self.scheduling_parameters ||= {} self.output_ttl ||= 0 self.priority ||= 0 @@ -187,41 +269,69 @@ class ContainerRequest < ArvadosModel return false end if state_changed? and state == Committed and container_uuid.nil? - self.container_uuid = Container.resolve(self).uuid + while true + c = Container.resolve(self) + c.lock! + if c.state == Container::Cancelled + # Lost a race, we have a lock on the container but the + # container was cancelled in a different request, restart + # the loop and resolve request to a new container. + redo + end + self.container_uuid = c.uuid + break + end end if self.container_uuid != self.container_uuid_was if self.container_count_changed? errors.add :container_count, "cannot be updated directly." return false - else - self.container_count += 1 end + + self.container_count += 1 + return if self.container_uuid_was.nil? + + old_container = Container.find_by_uuid(self.container_uuid_was) + return if old_container.nil? + + old_logs = Collection.where(portable_data_hash: old_container.log).first + return if old_logs.nil? + + log_coll = self.log_uuid.nil? ? nil : Collection.where(uuid: self.log_uuid).first + if self.log_uuid.nil? + log_coll = Collection.new( + owner_uuid: self.owner_uuid, + name: coll_name = "Container log for request #{uuid}", + manifest_text: "", + storage_classes_desired: self.output_storage_classes) + end + + # copy logs from old container into CR's log collection + src = Arv::Collection.new(old_logs.manifest_text) + dst = Arv::Collection.new(log_coll.manifest_text) + dst.cp_r("./", "log for container #{old_container.uuid}", src) + manifest = dst.manifest_text + + log_coll.assign_attributes( + portable_data_hash: Digest::MD5.hexdigest(manifest) + '+' + manifest.bytesize.to_s, + manifest_text: manifest) + log_coll.save_with_unique_name! + self.log_uuid = log_coll.uuid end end def set_default_preemptible_scheduling_parameter - c = get_requesting_container() - if self.state == Committed - # If preemptible instances (eg: AWS Spot Instances) are allowed, - # ask them on child containers by default. - if Rails.configuration.preemptible_instances and !c.nil? and - self.scheduling_parameters['preemptible'].nil? - self.scheduling_parameters['preemptible'] = true - end + if Rails.configuration.Containers.UsePreemptibleInstances && state == Committed && get_requesting_container() + self.scheduling_parameters['preemptible'] = true end end def validate_runtime_constraints case self.state when Committed - [['vcpus', true], - ['ram', true], - ['keep_cache_ram', false]].each do |k, required| - if !required && !runtime_constraints.include?(k) - next - end + ['vcpus', 'ram'].each do |k| v = runtime_constraints[k] - unless (v.is_a?(Integer) && v > 0) + if !v.is_a?(Integer) || v <= 0 errors.add(:runtime_constraints, "[#{k}]=#{v.inspect} must be a positive integer") end @@ -274,7 +384,7 @@ class ContainerRequest < ArvadosModel scheduling_parameters['partitions'].size) errors.add :scheduling_parameters, "partitions must be an array of strings" end - if !Rails.configuration.preemptible_instances and scheduling_parameters['preemptible'] + if !Rails.configuration.Containers.UsePreemptibleInstances and scheduling_parameters['preemptible'] errors.add :scheduling_parameters, "preemptible instances are not allowed" end if scheduling_parameters.include? 'max_run_time' and @@ -291,6 +401,20 @@ class ContainerRequest < ArvadosModel if self.new_record? || self.state_was == Uncommitted # Allow create-and-commit in a single operation. permitted.push(*AttrsPermittedBeforeCommit) + elsif mounts_changed? && mounts_was.keys == mounts.keys + # Ignore the updated mounts if the only changes are default/zero + # values as added by controller, see 17774 + only_defaults = true + mounts.each do |path, mount| + (mount.to_a - mounts_was[path].to_a).each do |k, v| + if !["", false, nil].index(v) + only_defaults = false + end + end + end + if only_defaults + clear_attribute_change("mounts") + end end case self.state @@ -312,6 +436,10 @@ class ContainerRequest < ArvadosModel permitted.push :container_count end + if current_user.andand.is_admin + permitted.push :log_uuid + end + when Final if self.state_was == Committed # "Cancel" means setting priority=0, state=Committed @@ -336,17 +464,30 @@ class ContainerRequest < ArvadosModel end end - def scrub_secret_mounts + def validate_runtime_token + if !self.runtime_token.nil? && self.runtime_token_changed? + if !runtime_token[0..2] == "v2/" + errors.add :runtime_token, "not a v2 token" + return + end + if ApiClientAuthorization.validate(token: runtime_token).nil? + errors.add :runtime_token, "failed validation" + end + end + end + + def scrub_secrets if self.state == Final self.secret_mounts = {} + self.runtime_token = nil end end def update_priority - return unless state_changed? || priority_changed? || container_uuid_changed? + return unless saved_change_to_state? || saved_change_to_priority? || saved_change_to_container_uuid? act_as_system_user do Container. - where('uuid in (?)', [self.container_uuid_was, self.container_uuid].compact). + where('uuid in (?)', [container_uuid_before_last_save, self.container_uuid].compact). map(&:update_priority!) end end @@ -361,19 +502,12 @@ class ContainerRequest < ArvadosModel self.requesting_container_uuid = c.uuid # Determine the priority of container request for the requesting # container. - self.priority = ContainerRequest. - where('container_uuid=? and priority>0', self.requesting_container_uuid). - map do |cr| - cr.priority - end.max || 0 + self.priority = ContainerRequest.where(container_uuid: self.requesting_container_uuid).maximum("priority") || 0 end end def get_requesting_container return self.requesting_container_uuid if !self.requesting_container_uuid.nil? - return if !current_api_client_authorization - if (c = Container.where('auth_uuid=?', current_api_client_authorization.uuid).select([:uuid, :priority]).first) - return c - end + Container.for_current_token end end