X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b3e8a483835334becbef9cba2bebbcf08df47c15..3a7b90da8ac9b920d87eaf3a783b72c4bb94db14:/services/crunch-run/crunchrun_test.go

diff --git a/services/crunch-run/crunchrun_test.go b/services/crunch-run/crunchrun_test.go
index 94b713355d..c76682f1c6 100644
--- a/services/crunch-run/crunchrun_test.go
+++ b/services/crunch-run/crunchrun_test.go
@@ -45,10 +45,12 @@ func TestCrunchExec(t *testing.T) {
 var _ = Suite(&TestSuite{})
 
 type TestSuite struct {
+	client *arvados.Client
 	docker *TestDockerClient
 }
 
 func (s *TestSuite) SetUpTest(c *C) {
+	s.client = arvados.NewClientFromEnv()
 	s.docker = NewTestDockerClient()
 }
 
@@ -57,7 +59,8 @@ type ArvTestClient struct {
 	Calls   int
 	Content []arvadosclient.Dict
 	arvados.Container
-	Logs map[string]*bytes.Buffer
+	secretMounts []byte
+	Logs         map[string]*bytes.Buffer
 	sync.Mutex
 	WasSetRunning bool
 	callraw       bool
@@ -240,6 +243,12 @@ func (client *ArvTestClient) Call(method, resourceType, uuid, action string, par
 			"uuid": "`+fakeAuthUUID+`",
 			"api_token": "`+fakeAuthToken+`"
 			}`), output)
+	case method == "GET" && resourceType == "containers" && action == "secret_mounts":
+		if client.secretMounts != nil {
+			return json.Unmarshal(client.secretMounts, output)
+		} else {
+			return json.Unmarshal([]byte(`{"secret_mounts":{}}`), output)
+		}
 	default:
 		return fmt.Errorf("Not found")
 	}
@@ -348,12 +357,20 @@ call:
 	return nil
 }
 
-func (client *KeepTestClient) PutHB(hash string, buf []byte) (string, int, error) {
+func (client *KeepTestClient) PutB(buf []byte) (string, int, error) {
 	client.Content = buf
-	return fmt.Sprintf("%s+%d", hash, len(buf)), len(buf), nil
+	return fmt.Sprintf("%x+%d", md5.Sum(buf), len(buf)), len(buf), nil
+}
+
+func (client *KeepTestClient) ReadAt(string, []byte, int) (int, error) {
+	return 0, errors.New("not implemented")
+}
+
+func (client *KeepTestClient) ClearBlockCache() {
 }
 
-func (*KeepTestClient) ClearBlockCache() {
+func (client *KeepTestClient) Close() {
+	client.Content = nil
 }
 
 type FileWrapper struct {
@@ -385,6 +402,10 @@ func (fw FileWrapper) Write([]byte) (int, error) {
 	return 0, errors.New("not implemented")
 }
 
+func (fw FileWrapper) Sync() error {
+	return errors.New("not implemented")
+}
+
 func (client *KeepTestClient) ManifestFileReader(m manifest.Manifest, filename string) (arvados.File, error) {
 	if filename == hwImageId+".tar" {
 		rdr := ioutil.NopCloser(&bytes.Buffer{})
@@ -400,9 +421,12 @@ func (client *KeepTestClient) ManifestFileReader(m manifest.Manifest, filename s
 
 func (s *TestSuite) TestLoadImage(c *C) {
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(&ArvTestClient{}, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{}, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 
-	_, err := cr.Docker.ImageRemove(nil, hwImageId, dockertypes.ImageRemoveOptions{})
+	_, err = cr.Docker.ImageRemove(nil, hwImageId, dockertypes.ImageRemoveOptions{})
+	c.Check(err, IsNil)
 
 	_, _, err = cr.Docker.ImageInspectWithRaw(nil, hwImageId)
 	c.Check(err, NotNil)
@@ -466,26 +490,24 @@ func (ArvErrorTestClient) Discovery(key string) (interface{}, error) {
 	return discoveryMap[key], nil
 }
 
-type KeepErrorTestClient struct{}
-
-func (KeepErrorTestClient) PutHB(hash string, buf []byte) (string, int, error) {
-	return "", 0, errors.New("KeepError")
+type KeepErrorTestClient struct {
+	KeepTestClient
 }
 
-func (KeepErrorTestClient) ManifestFileReader(m manifest.Manifest, filename string) (arvados.File, error) {
+func (*KeepErrorTestClient) ManifestFileReader(manifest.Manifest, string) (arvados.File, error) {
 	return nil, errors.New("KeepError")
 }
 
-func (KeepErrorTestClient) ClearBlockCache() {
+func (*KeepErrorTestClient) PutB(buf []byte) (string, int, error) {
+	return "", 0, errors.New("KeepError")
 }
 
-type KeepReadErrorTestClient struct{}
-
-func (KeepReadErrorTestClient) PutHB(hash string, buf []byte) (string, int, error) {
-	return "", 0, nil
+type KeepReadErrorTestClient struct {
+	KeepTestClient
 }
 
-func (KeepReadErrorTestClient) ClearBlockCache() {
+func (*KeepReadErrorTestClient) ReadAt(string, []byte, int) (int, error) {
+	return 0, errors.New("KeepError")
 }
 
 type ErrorReader struct {
@@ -506,37 +528,44 @@ func (KeepReadErrorTestClient) ManifestFileReader(m manifest.Manifest, filename
 
 func (s *TestSuite) TestLoadImageArvError(c *C) {
 	// (1) Arvados error
-	cr := NewContainerRunner(ArvErrorTestClient{}, &KeepTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, ArvErrorTestClient{}, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.Container.ContainerImage = hwPDH
 
-	err := cr.LoadImage()
+	err = cr.LoadImage()
 	c.Check(err.Error(), Equals, "While getting container image collection: ArvError")
 }
 
 func (s *TestSuite) TestLoadImageKeepError(c *C) {
 	// (2) Keep error
-	cr := NewContainerRunner(&ArvTestClient{}, KeepErrorTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{}, &KeepErrorTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.Container.ContainerImage = hwPDH
 
-	err := cr.LoadImage()
+	err = cr.LoadImage()
+	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "While creating ManifestFileReader for container image: KeepError")
 }
 
 func (s *TestSuite) TestLoadImageCollectionError(c *C) {
 	// (3) Collection doesn't contain image
-	cr := NewContainerRunner(&ArvTestClient{}, KeepErrorTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{}, &KeepReadErrorTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.Container.ContainerImage = otherPDH
 
-	err := cr.LoadImage()
+	err = cr.LoadImage()
 	c.Check(err.Error(), Equals, "First file in the container image collection does not end in .tar")
 }
 
 func (s *TestSuite) TestLoadImageKeepReadError(c *C) {
 	// (4) Collection doesn't contain image
-	cr := NewContainerRunner(&ArvTestClient{}, KeepReadErrorTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{}, &KeepReadErrorTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.Container.ContainerImage = hwPDH
 
-	err := cr.LoadImage()
+	err = cr.LoadImage()
 	c.Check(err, NotNil)
 }
 
@@ -553,14 +582,14 @@ type TestLogs struct {
 	Stderr ClosableBuffer
 }
 
-func (tl *TestLogs) NewTestLoggingWriter(logstr string) io.WriteCloser {
+func (tl *TestLogs) NewTestLoggingWriter(logstr string) (io.WriteCloser, error) {
 	if logstr == "stdout" {
-		return &tl.Stdout
+		return &tl.Stdout, nil
 	}
 	if logstr == "stderr" {
-		return &tl.Stderr
+		return &tl.Stderr, nil
 	}
-	return nil
+	return nil, errors.New("???")
 }
 
 func dockerLog(fd byte, msg string) []byte {
@@ -577,13 +606,16 @@ func (s *TestSuite) TestRunContainer(c *C) {
 		t.logWriter.Write(dockerLog(1, "Hello world\n"))
 		t.logWriter.Close()
 	}
-	cr := NewContainerRunner(&ArvTestClient{}, &KeepTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{}, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 
 	var logs TestLogs
 	cr.NewLogWriter = logs.NewTestLoggingWriter
 	cr.Container.ContainerImage = hwPDH
 	cr.Container.Command = []string{"./hw"}
-	err := cr.LoadImage()
+	err = cr.LoadImage()
 	c.Check(err, IsNil)
 
 	err = cr.CreateContainer()
@@ -602,14 +634,16 @@ func (s *TestSuite) TestRunContainer(c *C) {
 func (s *TestSuite) TestCommitLogs(c *C) {
 	api := &ArvTestClient{}
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.CrunchLog.Timestamper = (&TestTimestamper{}).Timestamp
 
 	cr.CrunchLog.Print("Hello world!")
 	cr.CrunchLog.Print("Goodbye")
 	cr.finalState = "Complete"
 
-	err := cr.CommitLogs()
+	err = cr.CommitLogs()
 	c.Check(err, IsNil)
 
 	c.Check(api.Calls, Equals, 2)
@@ -622,9 +656,11 @@ func (s *TestSuite) TestCommitLogs(c *C) {
 func (s *TestSuite) TestUpdateContainerRunning(c *C) {
 	api := &ArvTestClient{}
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 
-	err := cr.UpdateContainerRunning()
+	err = cr.UpdateContainerRunning()
 	c.Check(err, IsNil)
 
 	c.Check(api.Content[0]["container"].(arvadosclient.Dict)["state"], Equals, "Running")
@@ -633,7 +669,9 @@ func (s *TestSuite) TestUpdateContainerRunning(c *C) {
 func (s *TestSuite) TestUpdateContainerComplete(c *C) {
 	api := &ArvTestClient{}
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 
 	cr.LogsPDH = new(string)
 	*cr.LogsPDH = "d3a229d2fe3690c2c3e75a71a153c6a3+60"
@@ -642,7 +680,7 @@ func (s *TestSuite) TestUpdateContainerComplete(c *C) {
 	*cr.ExitCode = 42
 	cr.finalState = "Complete"
 
-	err := cr.UpdateContainerFinal()
+	err = cr.UpdateContainerFinal()
 	c.Check(err, IsNil)
 
 	c.Check(api.Content[0]["container"].(arvadosclient.Dict)["log"], Equals, *cr.LogsPDH)
@@ -653,11 +691,13 @@ func (s *TestSuite) TestUpdateContainerComplete(c *C) {
 func (s *TestSuite) TestUpdateContainerCancelled(c *C) {
 	api := &ArvTestClient{}
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.cCancelled = true
 	cr.finalState = "Cancelled"
 
-	err := cr.UpdateContainerFinal()
+	err = cr.UpdateContainerFinal()
 	c.Check(err, IsNil)
 
 	c.Check(api.Content[0]["container"].(arvadosclient.Dict)["log"], IsNil)
@@ -672,13 +712,25 @@ func (s *TestSuite) fullRunHelper(c *C, record string, extraMounts []string, exi
 	err := json.Unmarshal([]byte(record), &rec)
 	c.Check(err, IsNil)
 
+	var sm struct {
+		SecretMounts map[string]arvados.Mount `json:"secret_mounts"`
+	}
+	err = json.Unmarshal([]byte(record), &sm)
+	c.Check(err, IsNil)
+	secretMounts, err := json.Marshal(sm)
+	c.Logf("%s %q", sm, secretMounts)
+	c.Check(err, IsNil)
+
 	s.docker.exitCode = exitCode
 	s.docker.fn = fn
 	s.docker.ImageRemove(nil, hwImageId, dockertypes.ImageRemoveOptions{})
 
 	api = &ArvTestClient{Container: rec}
 	s.docker.api = api
-	cr = NewContainerRunner(api, &KeepTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err = NewContainerRunner(s.client, api, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.statInterval = 100 * time.Millisecond
 	am := &ArvMountCmdLine{}
 	cr.RunArvMount = am.ArvMountTest
@@ -700,6 +752,9 @@ func (s *TestSuite) fullRunHelper(c *C, record string, extraMounts []string, exi
 		}
 		return d, err
 	}
+	cr.MkArvClient = func(token string) (IArvadosClient, error) {
+		return &ArvTestClient{secretMounts: secretMounts}, nil
+	}
 
 	if extraMounts != nil && len(extraMounts) > 0 {
 		err := cr.SetupArvMountPoint("keep")
@@ -951,8 +1006,14 @@ func (s *TestSuite) testStopContainer(c *C, setup func(cr *ContainerRunner)) {
 	s.docker.ImageRemove(nil, hwImageId, dockertypes.ImageRemoveOptions{})
 
 	api := &ArvTestClient{Container: rec}
-	cr := NewContainerRunner(api, &KeepTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.RunArvMount = func([]string, string) (*exec.Cmd, error) { return nil, nil }
+	cr.MkArvClient = func(token string) (IArvadosClient, error) {
+		return &ArvTestClient{}, nil
+	}
 	setup(cr)
 
 	done := make(chan error)
@@ -1018,7 +1079,9 @@ func stubCert(temp string) string {
 func (s *TestSuite) TestSetupMounts(c *C) {
 	api := &ArvTestClient{}
 	kc := &KeepTestClient{}
-	cr := NewContainerRunner(api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, api, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	am := &ArvMountCmdLine{}
 	cr.RunArvMount = am.ArvMountTest
 
@@ -1211,6 +1274,35 @@ func (s *TestSuite) TestSetupMounts(c *C) {
 		checkEmpty()
 	}
 
+	for _, test := range []struct {
+		in  interface{}
+		out string
+	}{
+		{in: "foo", out: `foo`},
+		{in: nil, out: "error"},
+		{in: map[string]int64{"foo": 123456789123456789}, out: "error"},
+	} {
+		i = 0
+		cr.ArvMountPoint = ""
+		cr.Container.Mounts = map[string]arvados.Mount{
+			"/mnt/test.txt": {Kind: "text", Content: test.in},
+		}
+		err := cr.SetupMounts()
+		if test.out == "error" {
+			c.Check(err.Error(), Equals, "content for mount \"/mnt/test.txt\" must be a string")
+		} else {
+			c.Check(err, IsNil)
+			sort.StringSlice(cr.Binds).Sort()
+			c.Check(cr.Binds, DeepEquals, []string{realTemp + "/text2/mountdata.text:/mnt/test.txt:ro"})
+			content, err := ioutil.ReadFile(realTemp + "/text2/mountdata.text")
+			c.Check(err, IsNil)
+			c.Check(content, DeepEquals, []byte(test.out))
+		}
+		os.RemoveAll(cr.ArvMountPoint)
+		cr.CleanupDirs()
+		checkEmpty()
+	}
+
 	// Read-only mount points are allowed underneath output_dir mount point
 	{
 		i = 0
@@ -1277,13 +1369,13 @@ func (s *TestSuite) TestSetupMounts(c *C) {
 		cr.Container.Mounts = make(map[string]arvados.Mount)
 		cr.Container.Mounts = map[string]arvados.Mount{
 			"/tmp":     {Kind: "tmp"},
-			"/tmp/foo": {Kind: "json"},
+			"/tmp/foo": {Kind: "tmp"},
 		}
 		cr.OutputPath = "/tmp"
 
 		err := cr.SetupMounts()
 		c.Check(err, NotNil)
-		c.Check(err, ErrorMatches, `Only mount points of kind 'collection' are supported underneath the output_path.*`)
+		c.Check(err, ErrorMatches, `Only mount points of kind 'collection', 'text' or 'json' are supported underneath the output_path.*`)
 		os.RemoveAll(cr.ArvMountPoint)
 		cr.CleanupDirs()
 		checkEmpty()
@@ -1397,9 +1489,15 @@ func (s *TestSuite) stdoutErrorRunHelper(c *C, record string, fn func(t *TestDoc
 	s.docker.ImageRemove(nil, hwImageId, dockertypes.ImageRemoveOptions{})
 
 	api = &ArvTestClient{Container: rec}
-	cr = NewContainerRunner(api, &KeepTestClient{}, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err = NewContainerRunner(s.client, api, kc, s.docker, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	am := &ArvMountCmdLine{}
 	cr.RunArvMount = am.ArvMountTest
+	cr.MkArvClient = func(token string) (IArvadosClient, error) {
+		return &ArvTestClient{}, nil
+	}
 
 	err = cr.Run()
 	return
@@ -1436,8 +1534,8 @@ func (s *TestSuite) TestStdoutWithWrongKindCollection(c *C) {
 }
 
 func (s *TestSuite) TestFullRunWithAPI(c *C) {
+	defer os.Setenv("ARVADOS_API_HOST", os.Getenv("ARVADOS_API_HOST"))
 	os.Setenv("ARVADOS_API_HOST", "test.arvados.org")
-	defer os.Unsetenv("ARVADOS_API_HOST")
 	api, _, _ := s.fullRunHelper(c, `{
     "command": ["/bin/sh", "-c", "echo $ARVADOS_API_HOST"],
     "container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
@@ -1459,8 +1557,8 @@ func (s *TestSuite) TestFullRunWithAPI(c *C) {
 }
 
 func (s *TestSuite) TestFullRunSetOutput(c *C) {
+	defer os.Setenv("ARVADOS_API_HOST", os.Getenv("ARVADOS_API_HOST"))
 	os.Setenv("ARVADOS_API_HOST", "test.arvados.org")
-	defer os.Unsetenv("ARVADOS_API_HOST")
 	api, _, _ := s.fullRunHelper(c, `{
     "command": ["/bin/sh", "-c", "echo $ARVADOS_API_HOST"],
     "container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
@@ -1558,7 +1656,7 @@ func (s *TestSuite) TestStdoutWithMultipleMountPointsUnderOutputDir(c *C) {
 				manifest := collection["manifest_text"].(string)
 
 				c.Check(manifest, Equals, `./a/b 307372fa8fd5c146b22ae7a45b49bc31+6 0:6:c.out
-./foo 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396c73c0abcdefgh11234567890@569fa8c3 9:18:bar 9:18:sub1file2
+./foo 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396c73c0abcdefgh11234567890@569fa8c3 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396cabcdefghij6419876543234@569fa8c4 9:18:bar 36:18:sub1file2
 ./foo/baz 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396c73c0bcdefghijk544332211@569fa8c5 9:18:sub2file2
 ./foo/sub1 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396cabcdefghij6419876543234@569fa8c4 0:9:file1_in_subdir1.txt 9:18:file2_in_subdir1.txt
 ./foo/sub1/subdir2 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396c73c0bcdefghijk544332211@569fa8c5 0:9:file1_in_subdir2.txt 9:18:file2_in_subdir2.txt
@@ -1576,7 +1674,7 @@ func (s *TestSuite) TestStdoutWithMountPointsUnderOutputDirDenormalizedManifest(
 		"environment": {"FROBIZ": "bilbo"},
 		"mounts": {
         "/tmp": {"kind": "tmp"},
-        "/tmp/foo/bar": {"kind": "collection", "portable_data_hash": "b0def87f80dd594d4675809e83bd4f15+367/subdir1/file2_in_subdir1.txt"},
+        "/tmp/foo/bar": {"kind": "collection", "portable_data_hash": "b0def87f80dd594d4675809e83bd4f15+367", "path": "/subdir1/file2_in_subdir1.txt"},
         "stdout": {"kind": "file", "path": "/tmp/a/b/c.out"}
     },
 		"output_path": "/tmp",
@@ -1609,52 +1707,6 @@ func (s *TestSuite) TestStdoutWithMountPointsUnderOutputDirDenormalizedManifest(
 	}
 }
 
-func (s *TestSuite) TestOutputSymlinkToInput(c *C) {
-	helperRecord := `{
-		"command": ["/bin/sh", "-c", "echo $FROBIZ"],
-		"container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
-		"cwd": "/bin",
-		"environment": {"FROBIZ": "bilbo"},
-		"mounts": {
-        "/tmp": {"kind": "tmp"},
-        "/keep/foo/sub1file2": {"kind": "collection", "portable_data_hash": "a0def87f80dd594d4675809e83bd4f15+367", "path": "/subdir1/file2_in_subdir1.txt"},
-        "/keep/foo2": {"kind": "collection", "portable_data_hash": "a0def87f80dd594d4675809e83bd4f15+367"}
-    },
-		"output_path": "/tmp",
-		"priority": 1,
-		"runtime_constraints": {}
-	}`
-
-	extraMounts := []string{
-		"a0def87f80dd594d4675809e83bd4f15+367/subdir1/file2_in_subdir1.txt",
-	}
-
-	api, _, _ := s.fullRunHelper(c, helperRecord, extraMounts, 0, func(t *TestDockerClient) {
-		os.Symlink("/keep/foo/sub1file2", t.realTemp+"/tmp2/baz")
-		os.Symlink("/keep/foo2/subdir1/file2_in_subdir1.txt", t.realTemp+"/tmp2/baz2")
-		os.Symlink("/keep/foo2/subdir1", t.realTemp+"/tmp2/baz3")
-		os.Mkdir(t.realTemp+"/tmp2/baz4", 0700)
-		os.Symlink("/keep/foo2/subdir1/file2_in_subdir1.txt", t.realTemp+"/tmp2/baz4/baz5")
-		t.logWriter.Close()
-	})
-
-	c.Check(api.CalledWith("container.exit_code", 0), NotNil)
-	c.Check(api.CalledWith("container.state", "Complete"), NotNil)
-	for _, v := range api.Content {
-		if v["collection"] != nil {
-			collection := v["collection"].(arvadosclient.Dict)
-			if strings.Index(collection["name"].(string), "output") == 0 {
-				manifest := collection["manifest_text"].(string)
-				c.Check(manifest, Equals, `. 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396cabcdefghij6419876543234@569fa8c4 9:18:baz 9:18:baz2
-./baz3 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396cabcdefghij6419876543234@569fa8c4 0:9:file1_in_subdir1.txt 9:18:file2_in_subdir1.txt
-./baz3/subdir2 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396c73c0bcdefghijk544332211@569fa8c5 0:9:file1_in_subdir2.txt 9:18:file2_in_subdir2.txt
-./baz4 3e426d509afffb85e06c4c96a7c15e91+27+Aa124ac75e5168396cabcdefghij6419876543234@569fa8c4 9:18:baz5
-`)
-			}
-		}
-	}
-}
-
 func (s *TestSuite) TestOutputError(c *C) {
 	helperRecord := `{
 		"command": ["/bin/sh", "-c", "echo $FROBIZ"],
@@ -1679,59 +1731,6 @@ func (s *TestSuite) TestOutputError(c *C) {
 	c.Check(api.CalledWith("container.state", "Cancelled"), NotNil)
 }
 
-func (s *TestSuite) TestOutputSymlinkToOutput(c *C) {
-	helperRecord := `{
-		"command": ["/bin/sh", "-c", "echo $FROBIZ"],
-		"container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
-		"cwd": "/bin",
-		"environment": {"FROBIZ": "bilbo"},
-		"mounts": {
-        "/tmp": {"kind": "tmp"}
-    },
-		"output_path": "/tmp",
-		"priority": 1,
-		"runtime_constraints": {}
-	}`
-
-	extraMounts := []string{}
-
-	api, _, _ := s.fullRunHelper(c, helperRecord, extraMounts, 0, func(t *TestDockerClient) {
-		rf, _ := os.Create(t.realTemp + "/tmp2/realfile")
-		rf.Write([]byte("foo"))
-		rf.Close()
-
-		os.Mkdir(t.realTemp+"/tmp2/realdir", 0700)
-		rf, _ = os.Create(t.realTemp + "/tmp2/realdir/subfile")
-		rf.Write([]byte("bar"))
-		rf.Close()
-
-		os.Symlink("/tmp/realfile", t.realTemp+"/tmp2/file1")
-		os.Symlink("realfile", t.realTemp+"/tmp2/file2")
-		os.Symlink("/tmp/file1", t.realTemp+"/tmp2/file3")
-		os.Symlink("file2", t.realTemp+"/tmp2/file4")
-		os.Symlink("realdir", t.realTemp+"/tmp2/dir1")
-		os.Symlink("/tmp/realdir", t.realTemp+"/tmp2/dir2")
-		t.logWriter.Close()
-	})
-
-	c.Check(api.CalledWith("container.exit_code", 0), NotNil)
-	c.Check(api.CalledWith("container.state", "Complete"), NotNil)
-	for _, v := range api.Content {
-		if v["collection"] != nil {
-			collection := v["collection"].(arvadosclient.Dict)
-			if strings.Index(collection["name"].(string), "output") == 0 {
-				manifest := collection["manifest_text"].(string)
-				c.Check(manifest, Equals,
-					`. 7a2c86e102dcc231bd232aad99686dfa+15 0:3:file1 3:3:file2 6:3:file3 9:3:file4 12:3:realfile
-./dir1 37b51d194a7513e45b56f6524f2d51f2+3 0:3:subfile
-./dir2 37b51d194a7513e45b56f6524f2d51f2+3 0:3:subfile
-./realdir 37b51d194a7513e45b56f6524f2d51f2+3 0:3:subfile
-`)
-			}
-		}
-	}
-}
-
 func (s *TestSuite) TestStdinCollectionMountPoint(c *C) {
 	helperRecord := `{
 		"command": ["/bin/sh", "-c", "echo $FROBIZ"],
@@ -1833,7 +1832,10 @@ func (s *TestSuite) TestStderrMount(c *C) {
 }
 
 func (s *TestSuite) TestNumberRoundTrip(c *C) {
-	cr := NewContainerRunner(&ArvTestClient{callraw: true}, &KeepTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	kc := &KeepTestClient{}
+	defer kc.Close()
+	cr, err := NewContainerRunner(s.client, &ArvTestClient{callraw: true}, kc, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
+	c.Assert(err, IsNil)
 	cr.fetchContainerRecord()
 
 	jsondata, err := json.Marshal(cr.Container.Mounts["/json"].Content)
@@ -1842,54 +1844,6 @@ func (s *TestSuite) TestNumberRoundTrip(c *C) {
 	c.Check(string(jsondata), Equals, `{"number":123456789123456789}`)
 }
 
-func (s *TestSuite) TestEvalSymlinks(c *C) {
-	cr := NewContainerRunner(&ArvTestClient{callraw: true}, &KeepTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
-
-	realTemp, err := ioutil.TempDir("", "crunchrun_test-")
-	c.Assert(err, IsNil)
-	defer os.RemoveAll(realTemp)
-
-	cr.HostOutputDir = realTemp
-
-	// Absolute path outside output dir
-	os.Symlink("/etc/passwd", realTemp+"/p1")
-
-	// Relative outside output dir
-	os.Symlink("../zip", realTemp+"/p2")
-
-	// Circular references
-	os.Symlink("p4", realTemp+"/p3")
-	os.Symlink("p5", realTemp+"/p4")
-	os.Symlink("p3", realTemp+"/p5")
-
-	// Target doesn't exist
-	os.Symlink("p99", realTemp+"/p6")
-
-	for _, v := range []string{"p1", "p2", "p3", "p4", "p5"} {
-		info, err := os.Lstat(realTemp + "/" + v)
-		_, _, _, err = cr.derefOutputSymlink(realTemp+"/"+v, info)
-		c.Assert(err, NotNil)
-	}
-}
-
-func (s *TestSuite) TestEvalSymlinkDir(c *C) {
-	cr := NewContainerRunner(&ArvTestClient{callraw: true}, &KeepTestClient{}, nil, "zzzzz-zzzzz-zzzzzzzzzzzzzzz")
-
-	realTemp, err := ioutil.TempDir("", "crunchrun_test-")
-	c.Assert(err, IsNil)
-	defer os.RemoveAll(realTemp)
-
-	cr.HostOutputDir = realTemp
-
-	// Absolute path outside output dir
-	os.Symlink(".", realTemp+"/loop")
-
-	v := "loop"
-	info, err := os.Lstat(realTemp + "/" + v)
-	_, err = cr.UploadOutputFile(realTemp+"/"+v, info, err, []string{}, nil, "", "", 0)
-	c.Assert(err, NotNil)
-}
-
 func (s *TestSuite) TestFullBrokenDocker1(c *C) {
 	tf, err := ioutil.TempFile("", "brokenNodeHook-")
 	c.Assert(err, IsNil)
@@ -2035,3 +1989,61 @@ func (s *TestSuite) TestBadCommand3(c *C) {
 	c.Check(api.CalledWith("container.state", "Cancelled"), NotNil)
 	c.Check(api.Logs["crunch-run"].String(), Matches, "(?ms).*Possible causes:.*is missing.*")
 }
+
+func (s *TestSuite) TestSecretTextMountPoint(c *C) {
+	// under normal mounts, gets captured in output, oops
+	helperRecord := `{
+		"command": ["true"],
+		"container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
+		"cwd": "/bin",
+		"mounts": {
+                    "/tmp": {"kind": "tmp"},
+                    "/tmp/secret.conf": {"kind": "text", "content": "mypassword"}
+                },
+                "secret_mounts": {
+                },
+		"output_path": "/tmp",
+		"priority": 1,
+		"runtime_constraints": {}
+	}`
+
+	api, _, _ := s.fullRunHelper(c, helperRecord, nil, 0, func(t *TestDockerClient) {
+		content, err := ioutil.ReadFile(t.realTemp + "/tmp2/secret.conf")
+		c.Check(err, IsNil)
+		c.Check(content, DeepEquals, []byte("mypassword"))
+		t.logWriter.Close()
+	})
+
+	c.Check(api.CalledWith("container.exit_code", 0), NotNil)
+	c.Check(api.CalledWith("container.state", "Complete"), NotNil)
+	c.Check(api.CalledWith("collection.manifest_text", ". 34819d7beeabb9260a5c854bc85b3e44+10 0:10:secret.conf\n"), NotNil)
+	c.Check(api.CalledWith("collection.manifest_text", ""), IsNil)
+
+	// under secret mounts, not captured in output
+	helperRecord = `{
+		"command": ["true"],
+		"container_image": "d4ab34d3d4f8a72f5c4973051ae69fab+122",
+		"cwd": "/bin",
+		"mounts": {
+                    "/tmp": {"kind": "tmp"}
+                },
+                "secret_mounts": {
+                    "/tmp/secret.conf": {"kind": "text", "content": "mypassword"}
+                },
+		"output_path": "/tmp",
+		"priority": 1,
+		"runtime_constraints": {}
+	}`
+
+	api, _, _ = s.fullRunHelper(c, helperRecord, nil, 0, func(t *TestDockerClient) {
+		content, err := ioutil.ReadFile(t.realTemp + "/tmp2/secret.conf")
+		c.Check(err, IsNil)
+		c.Check(content, DeepEquals, []byte("mypassword"))
+		t.logWriter.Close()
+	})
+
+	c.Check(api.CalledWith("container.exit_code", 0), NotNil)
+	c.Check(api.CalledWith("container.state", "Complete"), NotNil)
+	c.Check(api.CalledWith("collection.manifest_text", ". 34819d7beeabb9260a5c854bc85b3e44+10 0:10:secret.conf\n"), IsNil)
+	c.Check(api.CalledWith("collection.manifest_text", ""), NotNil)
+}