X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/712c3dceaf1d08c3221798b6288e247292738fce..44c93373e97da98645d41ae8f09c6eef6788bb26:/lib/crunchrun/crunchrun.go diff --git a/lib/crunchrun/crunchrun.go b/lib/crunchrun/crunchrun.go index af0d49c80e..65f43e9644 100644 --- a/lib/crunchrun/crunchrun.go +++ b/lib/crunchrun/crunchrun.go @@ -19,6 +19,7 @@ import ( "os" "os/exec" "os/signal" + "os/user" "path" "path/filepath" "regexp" @@ -453,8 +454,8 @@ func (runner *ContainerRunner) SetupMounts() (map[string]bindmount, error) { sort.Strings(binds) for _, bind := range binds { - mnt, ok := runner.Container.Mounts[bind] - if !ok { + mnt, notSecret := runner.Container.Mounts[bind] + if !notSecret { mnt = runner.SecretMounts[bind] } if bind == "stdout" || bind == "stderr" { @@ -523,8 +524,7 @@ func (runner *ContainerRunner) SetupMounts() (map[string]bindmount, error) { } } else { src = fmt.Sprintf("%s/tmp%d", runner.ArvMountPoint, tmpcount) - arvMountCmd = append(arvMountCmd, "--mount-tmp") - arvMountCmd = append(arvMountCmd, fmt.Sprintf("tmp%d", tmpcount)) + arvMountCmd = append(arvMountCmd, "--mount-tmp", fmt.Sprintf("tmp%d", tmpcount)) tmpcount++ } if mnt.Writable { @@ -584,9 +584,32 @@ func (runner *ContainerRunner) SetupMounts() (map[string]bindmount, error) { if err != nil { return nil, fmt.Errorf("writing temp file: %v", err) } - if strings.HasPrefix(bind, runner.Container.OutputPath+"/") { + if strings.HasPrefix(bind, runner.Container.OutputPath+"/") && (notSecret || runner.Container.Mounts[runner.Container.OutputPath].Kind != "collection") { + // In most cases, if the container + // specifies a literal file inside the + // output path, we copy it into the + // output directory (either a mounted + // collection or a staging area on the + // host fs). If it's a secret, it will + // be skipped when copying output from + // staging to Keep later. copyFiles = append(copyFiles, copyFile{tmpfn, runner.HostOutputDir + bind[len(runner.Container.OutputPath):]}) } else { + // If a secret is outside OutputPath, + // we bind mount the secret file + // directly just like other mounts. We + // also use this strategy when a + // secret is inside OutputPath but + // OutputPath is a live collection, to + // avoid writing the secret to + // Keep. Attempting to remove a + // bind-mounted secret file from + // inside the container will return a + // "Device or resource busy" error + // that might not be handled well by + // the container, which is why we + // don't use this strategy when + // OutputPath is a staging directory. bindmounts[bind] = bindmount{HostPath: tmpfn, ReadOnly: true} } @@ -1453,6 +1476,7 @@ func (runner *ContainerRunner) NewArvLogWriter(name string) (io.WriteCloser, err // Run the full container lifecycle. func (runner *ContainerRunner) Run() (err error) { runner.CrunchLog.Printf("crunch-run %s started", cmd.Version.String()) + runner.CrunchLog.Printf("%s", currentUserAndGroups()) runner.CrunchLog.Printf("Executing container '%s' using %s runtime", runner.Container.UUID, runner.executor.Runtime()) hostname, hosterr := os.Hostname() @@ -2023,3 +2047,30 @@ func startLocalKeepstore(configData ConfigData, logbuf io.Writer) (*exec.Cmd, er os.Setenv("ARVADOS_KEEP_SERVICES", url) return cmd, nil } + +// return current uid, gid, groups in a format suitable for logging: +// "crunch-run process has uid=1234(arvados) gid=1234(arvados) +// groups=1234(arvados),114(fuse)" +func currentUserAndGroups() string { + u, err := user.Current() + if err != nil { + return fmt.Sprintf("error getting current user ID: %s", err) + } + s := fmt.Sprintf("crunch-run process has uid=%s(%s) gid=%s", u.Uid, u.Username, u.Gid) + if g, err := user.LookupGroupId(u.Gid); err == nil { + s += fmt.Sprintf("(%s)", g.Name) + } + s += " groups=" + if gids, err := u.GroupIds(); err == nil { + for i, gid := range gids { + if i > 0 { + s += "," + } + s += gid + if g, err := user.LookupGroupId(gid); err == nil { + s += fmt.Sprintf("(%s)", g.Name) + } + } + } + return s +}