[ARVADOS] created: 7c2c435b46103bc2688312714d62747fabbbf28e

[git at public.curoverse.com]

        at  7c2c435b46103bc2688312714d62747fabbbf28e (commit)


commit 7c2c435b46103bc2688312714d62747fabbbf28e
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Mon Oct 19 11:24:47 2015 -0400

    7582: Add "no_provision" option to skip perl bootstrap script & Arvado SDK
    injection and just run crunch script directly.  Also fix portability and
    security hole by using uid of the external user instead of "crunch" user (which
    is not guaranteed to be inside the container and/or could be aliased to root
    user.)

diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index 5539012..3b899af 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -859,7 +859,7 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
     {
       my $cidfile = "$ENV{CRUNCH_TMP}/$Jobstep->{arvados_task}->{uuid}-$Jobstep->{failures}.cid";
       $command .= "crunchstat -cgroup-root=/sys/fs/cgroup -cgroup-parent=docker -cgroup-cid=$cidfile -poll=10000 ";
-      $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i --user=crunch --cidfile=$cidfile --sig-proxy ";
+      $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i --user=\$(id --user) --cidfile=$cidfile --sig-proxy ";
       # We only set memory limits if Docker lets us limit both memory and swap.
       # Memory limits alone have been supported longer, but subprocesses tend
       # to get SIGKILL if they exceed that without any swap limit set.
@@ -918,7 +918,12 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
       $command .= "--env=\QHOME=$ENV{HOME}\E ";
       $command .= "\Q$docker_hash\E ";
       $command .= "stdbuf --output=0 --error=0 ";
-      $command .= "perl - $ENV{CRUNCH_SRC}/crunch_scripts/" . $Job->{"script"};
+
+      if ($Job->{'runtime_constraints'}->{'no_provision'}) {
+        $command .= "$ENV{CRUNCH_SRC}/crunch_scripts/" . $Job->{"script"};
+      } else {
+        $command .= "perl - $ENV{CRUNCH_SRC}/crunch_scripts/" . $Job->{"script"};
+      }
     } else {
       # Non-docker run
       $command .= "crunchstat -cgroup-root=/sys/fs/cgroup -poll=10000 ";
@@ -927,7 +932,12 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
     }
 
     my @execargs = ('bash', '-c', $command);
-    srun (\@srunargs, \@execargs, undef, $build_script);
+
+    if ($Job->{'runtime_constraints'}->{'no_provision'}) {
+      srun (\@srunargs, \@execargs, undef);
+    } else {
+      srun (\@srunargs, \@execargs, undef, $build_script);
+    }
     # exec() failed, we assume nothing happened.
     die "srun() failed on build script\n";
   }

-----------------------------------------------------------------------


hooks/post-receive
--