[ARVADOS] updated: 94f5be8c86ad975ee7aa9f3df87be23fbc154dec

Tue Mar 29 13:12:46 EDT 2016

Summary of changes:
 crunch_scripts/crunchrunner         |  2 +-
 sdk/cli/bin/crunch-job              | 12 +++++++++---
 sdk/go/crunchrunner/crunchrunner.go | 24 ++++++++++++++++--------
 3 files changed, 26 insertions(+), 12 deletions(-)

       via  94f5be8c86ad975ee7aa9f3df87be23fbc154dec (commit)
       via  e9667fff4716e4990fec560f92c1e0f4a6cb686f (commit)
      from  dfc93aac9c256d6ebb868aeb6c2107821e9fd041 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 94f5be8c86ad975ee7aa9f3df87be23fbc154dec
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Tue Mar 29 13:06:22 2016 -0400

    8815: Fix syntax errors.

diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index 82e8ef7..4bd58a8 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -110,11 +110,12 @@ unless (defined $ENV{"CRUNCH_TMP"}) {
 }
 
 $ENV{"HOST_CRUNCHRUNNER_BIN"} ||= `which crunchrunner`;
-unless (defined($ENV{"HOST_CERTS"}) {
+unless (defined($ENV{"HOST_CERTS"})) {
   if (-f "/etc/ssl/certs/ca-certificates.crt") {
     $ENV{"HOST_CERTS"} = "/etc/ssl/certs/ca-certificates.crt";
-  } else if (-f "/etc/pki/tls/certs/ca-bundle.crt") {
+  } elsif (-f "/etc/pki/tls/certs/ca-bundle.crt") {
     $ENV{"HOST_CERTS"} = "/etc/pki/tls/certs/ca-bundle.crt";
+  }
 }
 
 # Create the tmp directory if it does not exist
diff --git a/sdk/go/crunchrunner/crunchrunner.go b/sdk/go/crunchrunner/crunchrunner.go
index de63a20..14c75af 100644
--- a/sdk/go/crunchrunner/crunchrunner.go
+++ b/sdk/go/crunchrunner/crunchrunner.go
@@ -11,7 +11,6 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
 	"strings"
 	"syscall"
 )

commit e9667fff4716e4990fec560f92c1e0f4a6cb686f
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Tue Mar 29 12:18:15 2016 -0400

    8815: Now expect /usr/local/bin/crunchrunner.  Bind mount host certificates to
    /etc/arvados/ca-certificates.crt

diff --git a/crunch_scripts/crunchrunner b/crunch_scripts/crunchrunner
index f192c48..02b00e4 100755
--- a/crunch_scripts/crunchrunner
+++ b/crunch_scripts/crunchrunner
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /usr/lib/crunchrunner/crunchrunner
+exec /usr/local/bin/crunchrunner
diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index 88f9d56..82e8ef7 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -110,7 +110,12 @@ unless (defined $ENV{"CRUNCH_TMP"}) {
 }
 
 $ENV{"HOST_CRUNCHRUNNER_BIN"} ||= `which crunchrunner`;
-$ENV{"HOST_CERTS"} ||= "/etc/ssl/certs/ca-certificates.crt";
+unless (defined($ENV{"HOST_CERTS"}) {
+  if (-f "/etc/ssl/certs/ca-certificates.crt") {
+    $ENV{"HOST_CERTS"} = "/etc/ssl/certs/ca-certificates.crt";
+  } else if (-f "/etc/pki/tls/certs/ca-bundle.crt") {
+    $ENV{"HOST_CERTS"} = "/etc/pki/tls/certs/ca-bundle.crt";
+}
 
 # Create the tmp directory if it does not exist
 if ( ! -d $ENV{"CRUNCH_TMP"} ) {
@@ -922,8 +927,8 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
 
       # Bind mount the crunchrunner binary and host TLS certificates file into
       # the container.
-      $command .= "--volume=\Q$ENV{HOST_CRUNCHRUNNER_BIN}:/usr/lib/crunchrunner/crunchrunner\E ";
-      $command .= "--volume=\Q$ENV{HOST_CERTS}:/usr/lib/crunchrunner/ca-certificates.crt\E ";
+      $command .= "--volume=\Q$ENV{HOST_CRUNCHRUNNER_BIN}:/usr/local/bin/crunchrunner\E ";
+      $command .= "--volume=\Q$ENV{HOST_CERTS}:/etc/arvados/ca-certificates.crt\E ";
 
       while (my ($env_key, $env_val) = each %ENV)
       {
diff --git a/sdk/go/crunchrunner/crunchrunner.go b/sdk/go/crunchrunner/crunchrunner.go
index 7d09a5d..de63a20 100644
--- a/sdk/go/crunchrunner/crunchrunner.go
+++ b/sdk/go/crunchrunner/crunchrunner.go
@@ -327,14 +327,23 @@ func main() {
 		log.Fatal(err)
 	}
 
-	certpath := path.Join(path.Dir(os.Args[0]), "ca-certificates.crt")
-	certdata, err := ioutil.ReadFile(certpath)
-	if err == nil {
-		log.Printf("Using TLS certificates at %v", certpath)
-		certs := x509.NewCertPool()
-		certs.AppendCertsFromPEM(certdata)
-		api.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs = certs
+	// Container may not have certificates installed, so need to look for
+	// /etc/arvados/ca-certificates.crt in addition to normal system certs.
+	var certFiles = []string{
+		"/etc/ssl/certs/ca-certificates.crt", // Debian
+		"/etc/pki/tls/certs/ca-bundle.crt",   // Red Hat
+		"/etc/arvados/ca-certificates.crt",
+	}
+
+	certs := x509.NewCertPool()
+	for _, file := range certFiles {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			log.Printf("Using TLS certificates at %v", file)
+			certs.AppendCertsFromPEM(data)
+		}
 	}
+	api.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs = certs
 
 	jobUuid := os.Getenv("JOB_UUID")
 	taskUuid := os.Getenv("TASK_UUID")

-----------------------------------------------------------------------


hooks/post-receive
-- 


