[ARVADOS] created: 08e03489e053779f7bbc168677deeebd86d6249c
commit 08e03489e053779f7bbc168677deeebd86d6249c
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Dec 15 14:40:58 2016 -0500
10684: crunch-run adds /etc/arvados/ca-certificates.crt to binds, updated tests.
diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index 2e475c7..7983335 100644
--- a/services/crunch-run/crunchrun.go
+++ b/services/crunch-run/crunchrun.go
@@ -257,6 +257,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
collectionPaths := []string{}
runner.Binds = nil
+ needCertMount := true
for bind, mnt := range runner.Container.Mounts {
if bind == "stdout" {
@@ -274,6 +275,9 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
return fmt.Errorf("Stdout path does not start with OutputPath: %s, %s", mnt.Path, prefix)
}
}
+ if bind == "/etc/arvados/ca-certificates.crt" {
+ needCertMount = false
+ }
switch {
case mnt.Kind == "collection":
@@ -355,6 +359,16 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
return fmt.Errorf("Output path does not correspond to a writable mount point")
}
+ if needCertMount {
+ for _, certfile := range arvadosclient.CertFiles {
+ _, err := os.Stat(certfile)
+ if err == nil {
+ runner.Binds = append(runner.Binds, fmt.Sprintf("%s:/etc/arvados/ca-certificates.crt:ro", certfile))
+ break
+ }
+ }
+ }
+
if pdhOnly {
arvMountCmd = append(arvMountCmd, "--mount-by-pdh", "by_id")
} else {
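Review bot: The `os.Stat` guard in the `needCertMount` block accepts any existing path, so a directory, socket or other non-regular entry at one of the `arvadosclient.CertFiles` locations would be bind-mounted onto the file path `/etc/arvados/ca-certificates.crt` inside the container; check the file type as well, `if fi, err := os.Stat(certfile); err == nil && fi.Mode().IsRegular() {`. When none of the candidates exists the loop falls through with no bind and no log line, which leaves a missing bundle to surface later as opaque TLS failures inside the container, so logging either the chosen file or that none was found would help. The skip in the previous hunk triggers only on an exact `bind == "/etc/arvados/ca-certificates.crt"` entry; a user mount covering the parent directory is not detected and the added bind may then overlap it — I can't tell from here how the container runtime orders such binds. SetupMounts begins and ends outside this hunk.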
diff --git a/services/crunch-run/crunchrun_test.go b/services/crunch-run/crunchrun_test.go
index 2c71459..5b9b213 100644
--- a/services/crunch-run/crunchrun_test.go
+++ b/services/crunch-run/crunchrun_test.go
@@ -759,6 +759,14 @@ func (am *ArvMountCmdLine) ArvMountTest(c []string, token string) (*exec.Cmd, er
return nil, nil
}
+func stubCert(temp string) string {
+ path := temp + "/ca-certificates.crt"
+ crt, _ := os.Create(path)
+ crt.Close()
+ arvadosclient.CertFiles = []string{path}
+ return path
+}
+
func (s *TestSuite) TestSetupMounts(c *C) {
api := &ArvTestClient{}
kc := &KeepTestClient{}
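Review bot: `stubCert` discards the error from `os.Create` (`crt, _ := os.Create(path)`), so if the create fails there is no stub file and the later `cr.Binds` assertions fail with an unrelated message; have the helper take `c *C` and `c.Assert(err, IsNil)`, or return the error to the caller. It also overwrites the package-level `arvadosclient.CertFiles` and nothing in `TestSetupMounts` (next hunk) restores it, so any later test in this process that builds a client through `arvadosclient.New` or `MakeArvadosClient` would presumably load the empty stub as its only root CAs; save and restore it next to the `RemoveAll` defers, `defer func(orig []string) { arvadosclient.CertFiles = orig }(arvadosclient.CertFiles)`.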
@@ -766,9 +774,14 @@ func (s *TestSuite) TestSetupMounts(c *C) {
am := &ArvMountCmdLine{}
cr.RunArvMount = am.ArvMountTest
- realTemp, err := ioutil.TempDir("", "crunchrun_test-")
+ realTemp, err := ioutil.TempDir("", "crunchrun_test1-")
c.Assert(err, IsNil)
+ certTemp, err := ioutil.TempDir("", "crunchrun_test2-")
+ c.Assert(err, IsNil)
+ stubCertPath := stubCert(certTemp)
+
defer os.RemoveAll(realTemp)
+ defer os.RemoveAll(certTemp)
i := 0
cr.MkTempDir = func(_ string, prefix string) (string, error) {
@@ -799,7 +812,7 @@ func (s *TestSuite) TestSetupMounts(c *C) {
err := cr.SetupMounts()
c.Check(err, IsNil)
c.Check(am.Cmd, DeepEquals, []string{"--foreground", "--allow-other", "--read-write", "--mount-by-pdh", "by_id", realTemp + "/keep1"})
- c.Check(cr.Binds, DeepEquals, []string{realTemp + "/2:/tmp"})
+ c.Check(cr.Binds, DeepEquals, []string{realTemp + "/2:/tmp", stubCertPath + ":/etc/arvados/ca-certificates.crt:ro"})
cr.CleanupDirs()
checkEmpty()
}
@@ -816,7 +829,7 @@ func (s *TestSuite) TestSetupMounts(c *C) {
err := cr.SetupMounts()
c.Check(err, IsNil)
c.Check(am.Cmd, DeepEquals, []string{"--foreground", "--allow-other", "--read-write", "--mount-tmp", "tmp0", "--mount-by-pdh", "by_id", realTemp + "/keep1"})
- c.Check(cr.Binds, DeepEquals, []string{realTemp + "/keep1/tmp0:/keeptmp"})
+ c.Check(cr.Binds, DeepEquals, []string{realTemp + "/keep1/tmp0:/keeptmp", stubCertPath + ":/etc/arvados/ca-certificates.crt:ro"})
cr.CleanupDirs()
checkEmpty()
}
@@ -837,7 +850,8 @@ func (s *TestSuite) TestSetupMounts(c *C) {
c.Check(am.Cmd, DeepEquals, []string{"--foreground", "--allow-other", "--read-write", "--mount-tmp", "tmp0", "--mount-by-pdh", "by_id", realTemp + "/keep1"})
sort.StringSlice(cr.Binds).Sort()
c.Check(cr.Binds, DeepEquals, []string{realTemp + "/keep1/by_id/59389a8f9ee9d399be35462a0f92541c+53:/keepinp:ro",
- realTemp + "/keep1/tmp0:/keepout"})
+ realTemp + "/keep1/tmp0:/keepout",
+ stubCertPath + ":/etc/arvados/ca-certificates.crt:ro"})
cr.CleanupDirs()
checkEmpty()
}
@@ -859,7 +873,8 @@ func (s *TestSuite) TestSetupMounts(c *C) {
c.Check(am.Cmd, DeepEquals, []string{"--foreground", "--allow-other", "--read-write", "--file-cache", "512", "--mount-tmp", "tmp0", "--mount-by-pdh", "by_id", realTemp + "/keep1"})
sort.StringSlice(cr.Binds).Sort()
c.Check(cr.Binds, DeepEquals, []string{realTemp + "/keep1/by_id/59389a8f9ee9d399be35462a0f92541c+53:/keepinp:ro",
- realTemp + "/keep1/tmp0:/keepout"})
+ realTemp + "/keep1/tmp0:/keepout",
+ stubCertPath + ":/etc/arvados/ca-certificates.crt:ro"})
cr.CleanupDirs()
checkEmpty()
}
@@ -879,7 +894,7 @@ func (s *TestSuite) TestSetupMounts(c *C) {
err := cr.SetupMounts()
c.Check(err, IsNil)
sort.StringSlice(cr.Binds).Sort()
- c.Check(cr.Binds, DeepEquals, []string{realTemp + "/2/mountdata.json:/mnt/test.json:ro"})
+ c.Check(cr.Binds, DeepEquals, []string{realTemp + "/2/mountdata.json:/mnt/test.json:ro", stubCertPath + ":/etc/arvados/ca-certificates.crt:ro"})
content, err := ioutil.ReadFile(realTemp + "/2/mountdata.json")
c.Check(err, IsNil)
c.Check(content, DeepEquals, []byte(test.out))
commit cc1dbda8f559ab43f326c77595d4af87e8ca7a33
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Dec 15 13:51:56 2016 -0500
10684: Add Arvados-specific search path to Go SDK TLSClientConfig.
diff --git a/sdk/go/arvadosclient/arvadosclient.go b/sdk/go/arvadosclient/arvadosclient.go
index 5f24c71..be036c0 100644
--- a/sdk/go/arvadosclient/arvadosclient.go
+++ b/sdk/go/arvadosclient/arvadosclient.go
@@ -5,10 +5,12 @@ package arvadosclient
import (
"bytes"
"crypto/tls"
+ "crypto/x509"
"encoding/json"
"errors"
"fmt"
"io"
+ "io/ioutil"
"net/http"
"net/url"
"os"
@@ -103,22 +105,51 @@ type ArvadosClient struct {
Retries int
}
+var CertFiles = []string{
+ "/etc/arvados/ca-certificates.crt", // Arvados specific
+ "/etc/ssl/certs/ca-certificates.crt", // Debian
+ "/etc/pki/tls/certs/ca-bundle.crt", // Red Hat
+}
+
+// SetupRootCAs loads a set of root certificates into TLSClientConfig by
+// searching a default list of locations.
+func SetupRootCAs(tlsClientConfig *tls.Config) error {
+ // Container may not have certificates installed, so need to look for
+ // /etc/arvados/ca-certificates.crt in addition to normal system certs.
+
+ certs := x509.NewCertPool()
+ for _, file := range CertFiles {
+ data, err := ioutil.ReadFile(file)
+ if err == nil {
+ certs.AppendCertsFromPEM(data)
+ tlsClientConfig.RootCAs = certs
+ return nil
+ }
+ }
+
+ return fmt.Errorf("Unable to find TLS root certificates to use, tried %v", CertFiles)
+}
+
// New returns an ArvadosClient using the given arvados.Client
// configuration. This is useful for callers who load arvados.Client
// fields from configuration files but still need to use the
// arvadosclient.ArvadosClient package.
func New(c *arvados.Client) (*ArvadosClient, error) {
- return &ArvadosClient{
+ tlsconfig := &tls.Config{InsecureSkipVerify: c.Insecure}
+ SetupRootCAs(tlsconfig)
+ ac := &ArvadosClient{
Scheme: "https",
ApiServer: c.APIHost,
ApiToken: c.AuthToken,
ApiInsecure: c.Insecure,
Client: &http.Client{Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: c.Insecure}}},
+ TLSClientConfig: tlsconfig}},
External: false,
Retries: 2,
lastClosedIdlesAt: time.Now(),
- }, nil
+ }
+
+ return ac, nil
}
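Review bot: `SetupRootCAs` ignores the boolean returned by `certs.AppendCertsFromPEM(data)`, so a readable but empty or non-PEM file at the first `CertFiles` location produces an empty pool that is installed as `RootCAs`, and every handshake through that client then fails verification with no diagnostic instead of moving on to the next location; change the loop guard to `if err != nil || !certs.AppendCertsFromPEM(data) { continue }` and place the `RootCAs` assignment and `return nil` after it. The function also stops at the first file found, unlike the crunchrunner code removed later in this commit, which merged every readable bundle into one pool, so `/etc/arvados/ca-certificates.crt` must now be a complete bundle on its own; the doc comment should say so. `New` here, `MakeArvadosClient` in the next hunk and `keepclient.New` all discard the error from `SetupRootCAs`, which leaves `RootCAs` nil and so falls back to the system pool; if that fallback is intended, a comment such as `// No bundle found: RootCAs stays nil and the system roots are used.` at each call site would make it explicit, otherwise the error should be returned.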
// MakeArvadosClient creates a new ArvadosClient using the standard
@@ -130,13 +161,16 @@ func MakeArvadosClient() (ac *ArvadosClient, err error) {
insecure := matchTrue.MatchString(os.Getenv("ARVADOS_API_HOST_INSECURE"))
external := matchTrue.MatchString(os.Getenv("ARVADOS_EXTERNAL_CLIENT"))
+ tlsconfig := &tls.Config{InsecureSkipVerify: insecure}
+ SetupRootCAs(tlsconfig)
+
ac = &ArvadosClient{
Scheme: "https",
ApiServer: os.Getenv("ARVADOS_API_HOST"),
ApiToken: os.Getenv("ARVADOS_API_TOKEN"),
ApiInsecure: insecure,
Client: &http.Client{Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure}}},
+ TLSClientConfig: tlsconfig}},
External: external,
Retries: 2}
diff --git a/sdk/go/crunchrunner/crunchrunner.go b/sdk/go/crunchrunner/crunchrunner.go
index 5e0e101..9369036 100644
--- a/sdk/go/crunchrunner/crunchrunner.go
+++ b/sdk/go/crunchrunner/crunchrunner.go
@@ -396,24 +396,6 @@ func main() {
log.Fatal(err)
}
- // Container may not have certificates installed, so need to look for
- // /etc/arvados/ca-certificates.crt in addition to normal system certs.
- var certFiles = []string{
- "/etc/ssl/certs/ca-certificates.crt", // Debian
- "/etc/pki/tls/certs/ca-bundle.crt", // Red Hat
- "/etc/arvados/ca-certificates.crt",
- }
-
- certs := x509.NewCertPool()
- for _, file := range certFiles {
- data, err := ioutil.ReadFile(file)
- if err == nil {
- log.Printf("Using TLS certificates at %v", file)
- certs.AppendCertsFromPEM(data)
- }
- }
- api.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs = certs
-
jobUuid := os.Getenv("JOB_UUID")
taskUuid := os.Getenv("TASK_UUID")
tmpdir := os.Getenv("TASK_WORK")
diff --git a/sdk/go/keepclient/keepclient.go b/sdk/go/keepclient/keepclient.go
index 58f3ffb..b03a5fe 100644
--- a/sdk/go/keepclient/keepclient.go
+++ b/sdk/go/keepclient/keepclient.go
@@ -99,11 +99,14 @@ func New(arv *arvadosclient.ArvadosClient) *KeepClient {
}
}
+ tlsconfig := &tls.Config{InsecureSkipVerify: arv.ApiInsecure}
+ arvadosclient.SetupRootCAs(tlsconfig)
+
kc := &KeepClient{
Arvados: arv,
Want_replicas: defaultReplicationLevel,
Client: &http.Client{Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: arv.ApiInsecure}}},
+ TLSClientConfig: tlsconfig}},
Retries: 2,
}
return kc
commit 738ecb0cd43e2ae728b04534697198d11d6bd85f
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Dec 15 12:33:30 2016 -0500
10684: Add Arvados-specific search path to Python SDK arvados.util.ca_certs_path.
diff --git a/sdk/python/arvados/util.py b/sdk/python/arvados/util.py
index 2ac6ab9..e2692b7 100644
--- a/sdk/python/arvados/util.py
+++ b/sdk/python/arvados/util.py
@@ -383,6 +383,8 @@ def ca_certs_path(fallback=httplib2.CA_CERTS):
it returns the value of `fallback` (httplib2's CA certs by default).
"""
for ca_certs_path in [
+ # Arvados specific:
+ '/etc/arvados/ca-certificates.crt',
# Debian:
'/etc/ssl/certs/ca-certificates.crt',
# Red Hat:
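Review bot: With the Arvados-specific path now first in the search order, a `/etc/arvados/ca-certificates.crt` that holds only the cluster's own CA would make the SDK stop trusting the public roots in the Debian and Red Hat bundles listed after it, assuming the loop returns the first path that exists as the docstring fragment suggests; the docstring should state that this file takes precedence and therefore must be a complete bundle. `ca_certs_path` begins and ends outside this hunk.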