[ARVADOS] created: edd77406c5a428af8780ed4dffd512adcc70bc0f
Git user
git at public.curoverse.com
Fri Jan 20 22:30:42 EST 2017
at edd77406c5a428af8780ed4dffd512adcc70bc0f (commit)
commit edd77406c5a428af8780ed4dffd512adcc70bc0f
Author: radhika <radhika at curoverse.com>
Date: Fri Jan 20 19:11:30 2017 -0500
9397: raise error if there is any writable mount point underneath the output_dir.
diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index 971cb3a..0eb5939 100644
--- a/services/crunch-run/crunchrun.go
+++ b/services/crunch-run/crunchrun.go
@@ -19,6 +19,7 @@ import (
"os/signal"
"path"
"path/filepath"
+ "sort"
"strings"
"sync"
"syscall"
@@ -239,6 +240,8 @@ func (runner *ContainerRunner) ArvMountCmd(arvMountCmd []string, token string) (
return c, nil
}
+var tmpBackedOutputDir = false
+
func (runner *ContainerRunner) SetupMounts() (err error) {
runner.ArvMountPoint, err = runner.MkTempDir("", "keep")
if err != nil {
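Review bot: `tmpBackedOutputDir` is introduced as a package-level mutable variable, but it records per-container state that SetupMounts sets; within this diff it is written (later hunk) and never read or reset, so any second SetupMounts call in the same process — the test hunk below calls it repeatedly — inherits the previous value. It would be safer as a field on the runner, `tmpBackedOutputDir bool` in ContainerRunner, assigned as `runner.tmpBackedOutputDir = true`, so it is scoped to the container and zeroed with each new runner. If it is meant to be read by a later commit, a short comment stating what it gates would help; as it stands a reader cannot tell why it exists. SetupMounts continues well past this hunk.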
@@ -259,7 +262,14 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
runner.Binds = nil
needCertMount := true
- for bind, mnt := range runner.Container.Mounts {
+ var binds []string
+ for bind, _ := range runner.Container.Mounts {
+ binds = append(binds, bind)
+ }
+ sort.Strings(binds)
+
+ for _, bind := range binds {
+ mnt := runner.Container.Mounts[bind]
if bind == "stdout" {
// Is it a "file" mount kind?
if mnt.Kind != "file" {
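Review bot: The blank identifier in `for bind, _ := range runner.Container.Mounts` is redundant and is flagged by `gofmt -s`/`go vet`; write `for bind := range runner.Container.Mounts`, and since the key count is known, `binds := make([]string, 0, len(runner.Container.Mounts))` avoids regrowth. The sort itself deserves a one-line why-comment, since map iteration order is random and the later bind-order assertions in the tests depend on it — something like `// Sort mount paths so that Binds is deterministic and parent paths are processed before their children.` (the parent-before-child part is my inference from the prefix check added later; confirm it matters to Docker before stating it). Note that `mnt := runner.Container.Mounts[bind]` must be an added line even though the mailing-list rendering shows no `+` marker, as the old loop bound `mnt` in the range clause. The loop body runs past the end of this hunk.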
@@ -275,6 +285,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
return fmt.Errorf("Stdout path does not start with OutputPath: %s, %s", mnt.Path, prefix)
}
}
+
if bind == "/etc/arvados/ca-certificates.crt" {
needCertMount = false
}
@@ -305,6 +316,8 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
if mnt.Writable {
if bind == runner.Container.OutputPath {
runner.HostOutputDir = src
+ } else if strings.HasPrefix(bind, runner.Container.OutputPath+"/") {
+ return fmt.Errorf("Writable mount points are not permitted underneath the output_path: %v", bind)
}
runner.Binds = append(runner.Binds, fmt.Sprintf("%s:%s", src, bind))
} else {
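Review bot: The new containment check compares raw strings, so an un-normalized bind such as `/./tmp/foo` or `//tmp/foo`, or an `output_path` given with a trailing slash (`/tmp/` makes the prefix `/tmp//`), slips past `strings.HasPrefix(bind, runner.Container.OutputPath+"/")` while still landing inside the output directory once mounted. Since the file already imports `path`, compare cleaned paths: `outputPath := path.Clean(runner.Container.OutputPath)` and `if strings.HasPrefix(path.Clean(bind), outputPath+"/") { return fmt.Errorf(...) }`; the equality test on the line above should use the same cleaned values so the two branches agree. An `output_path` of `/` would still need its own handling, because `path.Clean("/")+"/"` is `//`. I cannot see from this hunk whether the mount paths are validated or cleaned upstream; if they are, a comment saying so at the check would settle it for the next reader.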
@@ -327,6 +340,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
}
runner.CleanupTempDir = append(runner.CleanupTempDir, runner.HostOutputDir)
runner.Binds = append(runner.Binds, fmt.Sprintf("%s:%s", runner.HostOutputDir, bind))
+ tmpBackedOutputDir = true
case mnt.Kind == "tmp":
runner.Binds = append(runner.Binds, bind)
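Review bot: The `case mnt.Kind == "tmp":` branch still appends the bind with no relation-to-output_path check, so a `tmp` mount at, say, `/tmp/foo` with `output_path` `/tmp` — writable by construction — is not rejected, even though the commit subject says any writable mount point underneath the output directory should raise. The check added earlier in this commit appears to sit inside the collection branch only (inferred from the `mnt.Writable` guard around it), so it does not reach here. Either duplicate it before the append, `if strings.HasPrefix(bind, runner.Container.OutputPath+"/") { return fmt.Errorf("Writable mount points are not permitted underneath the output_path: %v", bind) }`, or hoist the check above the kind switch so every writable kind is covered by one test. The enclosing switch and SetupMounts continue beyond this hunk.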
diff --git a/services/crunch-run/crunchrun_test.go b/services/crunch-run/crunchrun_test.go
index b9856ac..af531f8 100644
--- a/services/crunch-run/crunchrun_test.go
+++ b/services/crunch-run/crunchrun_test.go
@@ -918,6 +918,43 @@ func (s *TestSuite) TestSetupMounts(c *C) {
cr.CleanupDirs()
checkEmpty()
}
+
+ // read-only mount points are allowed underneath output_dir mount point
+ {
+ i = 0
+ cr.Container.Mounts = make(map[string]arvados.Mount)
+ cr.Container.Mounts = map[string]arvados.Mount{
+ "/tmp": {Kind: "tmp"},
+ "/tmp/foo": {Kind: "collection"},
+ }
+ cr.OutputPath = "/tmp"
+
+ os.MkdirAll(realTemp+"/keep1/tmp0", os.ModePerm)
+
+ err := cr.SetupMounts()
+ c.Check(err, IsNil)
+ c.Check(am.Cmd, DeepEquals, []string{"--foreground", "--allow-other", "--read-write", "--file-cache", "512", "--mount-tmp", "tmp0", "--mount-by-pdh", "by_id", realTemp + "/keep1"})
+ c.Check(cr.Binds, DeepEquals, []string{realTemp + "/2:/tmp", realTemp + "/keep1/tmp0:/tmp/foo:ro"})
+ cr.CleanupDirs()
+ checkEmpty()
+ }
+
+ // writable mount points are not allowed underneath output_dir mount point
+ {
+ i = 0
+ cr.Container.Mounts = make(map[string]arvados.Mount)
+ cr.Container.Mounts = map[string]arvados.Mount{
+ "/tmp": {Kind: "tmp"},
+ "/tmp/foo": {Kind: "collection", Writable: true},
+ }
+ cr.OutputPath = "/tmp"
+
+ err := cr.SetupMounts()
+ c.Check(err, NotNil)
+ c.Check(err, ErrorMatches, `Writable mount points are not permitted underneath the output_path.*`)
+ cr.CleanupDirs()
+ checkEmpty()
+ }
}
func (s *TestSuite) TestStdout(c *C) {
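Review bot: Both new cases set `cr.OutputPath = "/tmp"`, but the check under test reads `runner.Container.OutputPath`; if those are distinct fields (I cannot see the struct from here), the negative case only passes because `Container.OutputPath` was left at `/tmp` by an earlier case outside this hunk, so set `cr.Container.OutputPath = "/tmp"` explicitly to make each case self-contained. The `os.MkdirAll(realTemp+"/keep1/tmp0", os.ModePerm)` result is dropped; use `c.Assert(os.MkdirAll(realTemp+"/keep1/tmp0", os.ModePerm), IsNil)` so a failure there does not surface as a confusing mismatch later. A third case with `"/tmp/foo": {Kind: "tmp"}` under an output path of `/tmp` would pin down whether the new rule also covers tmp mounts, which are writable by nature. TestSetupMounts begins before this hunk.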