[ARVADOS] updated: dc3915c4eafa0e7c69278de5df659b2b4338f2d2

git at public.curoverse.com git at public.curoverse.com
Thu Oct 22 10:27:12 EDT 2015


Summary of changes:
 sdk/cli/bin/crunch-job | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

       via  dc3915c4eafa0e7c69278de5df659b2b4338f2d2 (commit)
      from  22c45aed63a8c497508b132ca62dac599e3af06f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit dc3915c4eafa0e7c69278de5df659b2b4338f2d2
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Thu Oct 22 10:20:36 2015 -0400

    7582: Better reporting in the log about user probe behavior.

diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index 2763c94..224ff8e 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -411,7 +411,7 @@ if (!defined $no_clear_tmp) {
 }
 
 # If this job requires a Docker image, install that.
-my ($docker_locator, $docker_stream, $docker_hash, $docker_limitmem, $dockeruser);
+my ($docker_locator, $docker_stream, $docker_hash, $docker_limitmem, $dockeruserarg);
 if ($docker_locator = $Job->{docker_image_locator}) {
   ($docker_stream, $docker_hash) = find_docker_image($docker_locator);
   if (!$docker_hash)
@@ -455,20 +455,34 @@ fi
   # mistakes but not malice, but we intend to harden the security in the future
   # so we don't want anyone getting used to their jobs running as root in their
   # Docker containers.
-  foreach my $try_user ("", "--user=crunch", "--user=nobody") {
+  my @tryusers = ("", "crunch", "nobody");
+  foreach my $try_user (@tryusers) {
+    my $try_user_arg;
+    if ($try_user eq "") {
+      Log(undef, "Checking if container default user is not UID 0");
+      $try_user_arg = "";
+    } else {
+      Log(undef, "Checking if user '$try_user' is not UID 0");
+      $try_user_arg = "--user=$try_user";
+    }
     srun(["srun", "--nodelist=" . $node[0]],
          ["/bin/sh", "-ec",
-          "a=`$docker_bin run --rm $try_user $docker_hash id --user 2>/dev/null` && " .
+          "a=`$docker_bin run --rm --user=$try_user $docker_hash id --user` && " .
           " test \$a -ne 0"],
          {fork => 1});
     if ($? == 0) {
-      $dockeruser = $try_user;
+      $dockeruserarg = $try_user_arg;
+      if ($try_user eq "") {
+        Log(undef, "Container will run with default user");
+      } else {
+        Log(undef, "Container will run with $dockeruserarg");
+      }
       last;
     }
   }
 
-  if (!$dockeruser) {
-    croak("Docker image default user is 'root', and does not have a non-root 'crunch' or 'nobody' user.");
+  if (!defined $dockeruserarg) {
+    croak("Could not find a user in container that is not UID 0 (tried default user, @tryusers) or there was a problem running 'id' in the container.");
   }
 
   if ($Job->{arvados_sdk_version}) {
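Review bot: The probe string on the new side still interpolates `--user=$try_user`, so the `$try_user_arg` built just above it is never used by the probe itself. For the default-user iteration this runs the container with an empty `--user=` value rather than with no user flag at all, which is not the command line the job later executes when `$dockeruserarg` is empty. Whether Docker treats an empty `--user=` as "image default" is not visible here and may vary by version, so the UID-0 guard could be checking a different configuration from the one that actually runs. Change `--user=$try_user` to `$try_user_arg` inside the `$docker_bin run --rm` string so probe and job use the identical argument. The enclosing `if ($docker_locator = ...)` block starts and ends outside this hunk.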
@@ -881,7 +895,7 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
     {
       my $cidfile = "$ENV{CRUNCH_TMP}/$Jobstep->{arvados_task}->{uuid}-$Jobstep->{failures}.cid";
       $command .= "crunchstat -cgroup-root=/sys/fs/cgroup -cgroup-parent=docker -cgroup-cid=$cidfile -poll=10000 ";
-      $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i \Q$dockeruser\E --cidfile=$cidfile --sig-proxy ";
+      $command .= "$docker_bin run --rm=true --attach=stdout --attach=stderr --attach=stdin -i \Q$dockeruserarg\E --cidfile=$cidfile --sig-proxy ";
       # We only set memory limits if Docker lets us limit both memory and swap.
       # Memory limits alone have been supported longer, but subprocesses tend
       # to get SIGKILL if they exceed that without any swap limit set.

-----------------------------------------------------------------------


hooks/post-receive
-- 



