[arvados] created: 2.6.0-192-g4d095628f

git repository hosting git at public.arvados.org
Tue May 23 17:56:25 UTC 2023


        at  4d095628f05fae2d2609b91dc12d0f44434b8aa2 (commit)


commit 4d095628f05fae2d2609b91dc12d0f44434b8aa2
Author: Tom Clegg <tom at curii.com>
Date:   Tue May 23 13:56:06 2023 -0400

    20522: Load dispatch key from file if configured as file:///...
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/cloud/cloudtest/cmd.go b/lib/cloud/cloudtest/cmd.go
index 0ec79e117..95fb2b50c 100644
--- a/lib/cloud/cloudtest/cmd.go
+++ b/lib/cloud/cloudtest/cmd.go
@@ -18,7 +18,6 @@ import (
 	"git.arvados.org/arvados.git/lib/dispatchcloud"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
-	"golang.org/x/crypto/ssh"
 )
 
 var Command command
@@ -65,9 +64,9 @@ func (command) RunCommand(prog string, args []string, stdin io.Reader, stdout, s
 	if err != nil {
 		return 1
 	}
-	key, err := ssh.ParsePrivateKey([]byte(cluster.Containers.DispatchPrivateKey))
+	key, err := config.LoadSSHKey(cluster.Containers.DispatchPrivateKey)
 	if err != nil {
-		err = fmt.Errorf("error parsing configured Containers.DispatchPrivateKey: %s", err)
+		err = fmt.Errorf("error loading Containers.DispatchPrivateKey: %s", err)
 		return 1
 	}
 	driver, ok := dispatchcloud.Drivers[cluster.Containers.CloudVMs.Driver]
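Review bot: The rewritten error on the `+` line uses `%s`, so whoever inspects the error returned from RunCommand loses the underlying `*os.PathError` / ssh error chain now that the key may come from a file; since the message is being changed anyway, `err = fmt.Errorf("error loading Containers.DispatchPrivateKey: %w", err)` keeps errors.Is/errors.As usable. RunCommand's body starts and ends outside the hunk, so how `err` is ultimately reported (presumably a deferred print to stderr) cannot be confirmed here.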
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 8203a94de..197d3c37b 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -1051,6 +1051,10 @@ Clusters:
       # cloud dispatcher for executing containers on worker VMs.
       # Begins with "-----BEGIN RSA PRIVATE KEY-----\n"
       # and ends with "\n-----END RSA PRIVATE KEY-----\n".
+      #
+      # Use "file:///absolute/path/to/key" to load the key from a
+      # separate file instead of embedding it in the configuration
+      # file.
       DispatchPrivateKey: ""
 
       # Maximum time to wait for workers to come up before abandoning
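Review bot: The added comment explains the `file:///` syntax but not what the referenced file must contain or who must be able to read it, which is the first thing an operator moving the key out of the config will ask. A line such as `# The file must contain the key in the same PEM format shown above and is read at startup by the process using this key, so it should be readable only by that service user.` would close the gap; which services read it (the cloud dispatcher and the cloudtest command, judging by the other hunks) is inferred from this commit rather than stated here.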
diff --git a/lib/config/load.go b/lib/config/load.go
index 9269ddf27..d504f7796 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -26,6 +26,7 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
 	"golang.org/x/sys/unix"
 )
 
@@ -690,3 +691,17 @@ func (ldr *Loader) RegisterMetrics(reg *prometheus.Registry) {
 	vec.WithLabelValues(hash).Set(float64(ldr.loadTimestamp.UnixNano()) / 1e9)
 	reg.MustRegister(vec)
 }
+
+// Load an SSH private key from the given confvalue, which is either
+// the literal key or an absolute path to a file containing the key.
+func LoadSSHKey(confvalue string) (ssh.Signer, error) {
+	if fnm := strings.TrimPrefix(confvalue, "file://"); fnm != confvalue && strings.HasPrefix(fnm, "/") {
+		keydata, err := os.ReadFile(fnm)
+		if err != nil {
+			return nil, err
+		}
+		return ssh.ParsePrivateKey(keydata)
+	} else {
+		return ssh.ParsePrivateKey([]byte(confvalue))
+	}
+}
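Review bot: A `file://` value whose path is not absolute (for example `file://relative/key` or `file://host/path`) fails the `strings.HasPrefix(fnm, "/")` test and silently falls through to `ssh.ParsePrivateKey([]byte(confvalue))`, so the operator gets an unrelated "no key found" style parse error instead of being told the reference must be absolute. The ssh parse error in the file branch also does not name the file it came from, and the `else` after a `return` is the shape Go style guides ask to avoid. The rewrite below rejects non-absolute `file://` references explicitly, wraps the parse error with the path, and keeps the literal-key branch byte-identical; `fmt.Errorf` needs `fmt` imported in load.go, which this hunk does not show either way.

```go
func LoadSSHKey(confvalue string) (ssh.Signer, error) {
	if !strings.HasPrefix(confvalue, "file://") {
		return ssh.ParsePrivateKey([]byte(confvalue))
	}
	fnm := strings.TrimPrefix(confvalue, "file://")
	if !strings.HasPrefix(fnm, "/") {
		return nil, fmt.Errorf("file:// key reference must use an absolute path, got %q", confvalue)
	}
	keydata, err := os.ReadFile(fnm)
	if err != nil {
		return nil, err
	}
	key, err := ssh.ParsePrivateKey(keydata)
	if err != nil {
		return nil, fmt.Errorf("parsing key file %s: %w", fnm, err)
	}
	return key, nil
}
```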
diff --git a/lib/config/load_test.go b/lib/config/load_test.go
index a19400c19..9a0417908 100644
--- a/lib/config/load_test.go
+++ b/lib/config/load_test.go
@@ -912,3 +912,10 @@ func (s *LoadSuite) TestGetFilesystemSize(c *check.C) {
 	c.Check(err, check.IsNil)
 	c.Logf("getFilesystemSize(%q) == %v", path, size)
 }
+
+func (s *LoadSuite) TestLoadSSHKey(c *check.C) {
+	cwd, err := os.Getwd()
+	c.Assert(err, check.IsNil)
+	_, err = LoadSSHKey("file://" + cwd + "/../dispatchcloud/test/sshkey_dispatch")
+	c.Check(err, check.IsNil)
+}
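Review bot: TestLoadSSHKey only covers the successful `file:///` case; the literal-key branch, a `file://` value with a relative path, and an unreadable file are not exercised, and the relative-path case is exactly where LoadSSHKey currently falls back to parsing the reference string itself as key material. Adding `_, err = LoadSSHKey("file://relative/path")` followed by `c.Check(err, check.NotNil)`, plus a case that reads the same fixture with os.ReadFile and passes its contents as the literal value, would pin both branches.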
diff --git a/lib/dispatchcloud/dispatcher.go b/lib/dispatchcloud/dispatcher.go
index 06a558d5f..217ee3950 100644
--- a/lib/dispatchcloud/dispatcher.go
+++ b/lib/dispatchcloud/dispatcher.go
@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"git.arvados.org/arvados.git/lib/cloud"
+	"git.arvados.org/arvados.git/lib/config"
 	"git.arvados.org/arvados.git/lib/controller/dblock"
 	"git.arvados.org/arvados.git/lib/ctrlctx"
 	"git.arvados.org/arvados.git/lib/dispatchcloud/container"
@@ -137,7 +138,7 @@ func (disp *dispatcher) initialize() {
 	disp.stop = make(chan struct{}, 1)
 	disp.stopped = make(chan struct{})
 
-	if key, err := ssh.ParsePrivateKey([]byte(disp.Cluster.Containers.DispatchPrivateKey)); err != nil {
+	if key, err := config.LoadSSHKey(disp.Cluster.Containers.DispatchPrivateKey); err != nil {
 		disp.logger.Fatalf("error parsing configured Containers.DispatchPrivateKey: %s", err)
 	} else {
 		disp.sshKey = key
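Review bot: The Fatalf on the context line after the replaced call still says "error parsing configured Containers.DispatchPrivateKey", but config.LoadSSHKey can now also fail while reading a `file://` path, so a missing or unreadable key file would be logged as a parse problem. `disp.logger.Fatalf("error loading Containers.DispatchPrivateKey: %s", err)` would match the wording this commit already adopts in lib/cloud/cloudtest/cmd.go. initialize's body continues outside the hunk.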
diff --git a/lib/dispatchcloud/worker/pool.go b/lib/dispatchcloud/worker/pool.go
index 4bf969358..1cb02b3cf 100644
--- a/lib/dispatchcloud/worker/pool.go
+++ b/lib/dispatchcloud/worker/pool.go
@@ -906,6 +906,9 @@ func (wp *Pool) Instances() []InstanceView {
 // KillInstance destroys a cloud VM instance. It returns an error if
 // the given instance does not exist.
 func (wp *Pool) KillInstance(id cloud.InstanceID, reason string) error {
+	wp.setupOnce.Do(wp.setup)
+	wp.mtx.Lock()
+	defer wp.mtx.Unlock()
 	wkr, ok := wp.workers[id]
 	if !ok {
 		return errors.New("instance not found")
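Review bot: KillInstance now holds wp.mtx for its entire body via `defer wp.mtx.Unlock()`, but the body continues past the hunk; sync.Mutex is not reentrant, so any code below that locks wp.mtx itself, or calls a worker method that does, would deadlock, and that should be confirmed against the rest of the function. A short comment on the lock, `// wp.mtx is held for the whole call; nothing below may re-acquire it`, would make the invariant visible to the next editor. This locking fix is also not mentioned in the commit message, which only describes the dispatch key change; a sentence there would help anyone bisecting later.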
