[ARVADOS] updated: 0d428c09204f37f9c276c31e54bdb7acc5c80c02
git at public.curoverse.com
git at public.curoverse.com
Thu Oct 22 10:21:27 EDT 2015
Summary of changes:
sdk/cli/bin/crunch-job | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
via 0d428c09204f37f9c276c31e54bdb7acc5c80c02 (commit)
from 5fb633ee021c613d99280e8958a6598602041011 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 0d428c09204f37f9c276c31e54bdb7acc5c80c02
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Oct 22 10:20:36 2015 -0400
7582: Better reporting in the log about user probe behavior.
diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index 2763c94..224ff8e 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -411,7 +411,7 @@ if (!defined $no_clear_tmp) {
}
# If this job requires a Docker image, install that.
-my ($docker_locator, $docker_stream, $docker_hash, $docker_limitmem, $dockeruser);
+my ($docker_locator, $docker_stream, $docker_hash, $docker_limitmem, $dockeruserarg);
if ($docker_locator = $Job->{docker_image_locator}) {
($docker_stream, $docker_hash) = find_docker_image($docker_locator);
if (!$docker_hash)
@@ -455,20 +455,34 @@ fi
# mistakes but not malice, but we intend to harden the security in the future
# so we don't want anyone getting used to their jobs running as root in their
# Docker containers.
- foreach my $try_user ("", "--user=crunch", "--user=nobody") {
+ my @tryusers = ("", "crunch", "nobody");
+ foreach my $try_user (@tryusers) {
+ my $try_user_arg;
+ if ($try_user eq "") {
+ Log(undef, "Checking if container default user is not UID 0");
+ $try_user_arg = "";
+ } else {
+ Log(undef, "Checking if user '$try_user' is not UID 0");
+ $try_user_arg = "--user=$try_user";
+ }
srun(["srun", "--nodelist=" . $node[0]],
["/bin/sh", "-ec",
- "a=`$docker_bin run --rm $try_user $docker_hash id --user 2>/dev/null` && " .
+ "a=`$docker_bin run --rm --user=$try_user $docker_hash id --user` && " .
" test \$a -ne 0"],
{fork => 1});
if ($? == 0) {
- $dockeruser = $try_user;
+ $dockeruserarg = $try_user_arg;
+ if ($try_user eq "") {
+ Log(undef, "Container will run with default user");
+ } else {
+ Log(undef, "Container will run with $dockeruserarg");
+ }
last;
}
}
- if (!$dockeruser) {
- croak("Docker image default user is 'root', and does not have a non-root 'crunch' or 'nobody' user.");
+ if (!defined $dockeruserarg) {
+ croak("Could not find a user in container that is not UID 0 (tried default user, @tryusers) or there was a problem running 'id' in the container.");
}
if ($Job->{arvados_sdk_version}) {
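Review bot: The probe command inside the `srun` call interpolates `--user=$try_user` rather than the `$try_user_arg` computed just above it, so the first pass runs `docker run --rm --user= ...` with an empty value instead of omitting the flag. The job command built later uses `$dockeruserarg`, which is empty for the default user, so the UID-0 check and the real run are not guaranteed to execute as the same user. How Docker treats an empty `--user=` is not visible here; if it rejects it, the default-user probe always fails and only the new log line hints at why. Use the computed argument in the probe: ``"a=`$docker_bin run --rm $try_user_arg $docker_hash id --user` && " .``. The enclosing block starts before this hunk and continues past it.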
@@ -881,7 +895,7 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
{
my $cidfile = "$ENV{CRUNCH_TMP}/$Jobstep->{arvados_task}->{uuid}-$Jobstep->{failures}.cid";
$command .= "crunchstat -cgroup-root=/sys/fs/cgroup -cgroup-parent=docker -cgroup-cid=$cidfile -poll=10000 ";
- $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i \Q$dockeruser\E --cidfile=$cidfile --sig-proxy ";
+ $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i \Q$dockeruserarg\E --cidfile=$cidfile --sig-proxy ";
# We only set memory limits if Docker lets us limit both memory and swap.
# Memory limits alone have been supported longer, but subprocesses tend
# to get SIGKILL if they exceed that without any swap limit set.