[arvados] updated: 2.1.0-2629-g87f3da843
git repository hosting
git at public.arvados.org
Fri Jul 1 18:32:23 UTC 2022
Summary of changes:
lib/crunchrun/crunchrun.go | 26 +++++++++-------------
lib/lsf/dispatch.go | 19 +++++++++++++---
.../crunch-dispatch-slurm/crunch-dispatch-slurm.go | 9 +++++++-
services/crunch-dispatch-slurm/script.go | 10 +++++++--
services/crunch-dispatch-slurm/script_test.go | 3 ++-
5 files changed, 44 insertions(+), 23 deletions(-)
via 87f3da84318306184165dae50f75ac6721d89285 (commit)
via 5e20c073d84304c3e84770bb7d89035bf1fb9626 (commit)
from 3fae0f0626c5152a5aa6f39f0874f0190f2131db (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 87f3da84318306184165dae50f75ac6721d89285
Author: Tom Clegg <tom at curii.com>
Date: Fri Jul 1 14:30:32 2022 -0400
19166: Pass GatewayAuthSecret to crunch-run through lsf/slurm.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/lsf/dispatch.go b/lib/lsf/dispatch.go
index 0d9324784..e2348337e 100644
--- a/lib/lsf/dispatch.go
+++ b/lib/lsf/dispatch.go
@@ -6,6 +6,8 @@ package lsf
import (
"context"
+ "crypto/hmac"
+ "crypto/sha256"
"errors"
"fmt"
"math"
@@ -274,7 +276,12 @@ func (disp *dispatcher) submit(container arvados.Container, crunchRunCommand []s
var crArgs []string
crArgs = append(crArgs, crunchRunCommand...)
crArgs = append(crArgs, container.UUID)
- crScript := execScript(crArgs)
+
+ h := hmac.New(sha256.New, []byte(disp.Cluster.SystemRootToken))
+ fmt.Fprint(h, container.UUID)
+ authsecret := fmt.Sprintf("%x", h.Sum(nil))
+
+ crScript := execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret})
bsubArgs, err := disp.bsubArgs(container)
if err != nil {
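Review bot: An empty `disp.Cluster.SystemRootToken` still produces a non-empty `authsecret` here, because HMAC-SHA256 accepts an empty key, and that value can be computed by anyone who knows the container UUID. Unless config loading already rejects an empty token (not visible in this diff), add a guard before the derivation, e.g. `if disp.Cluster.SystemRootToken == "" { return errors.New("SystemRootToken is empty; cannot derive GatewayAuthSecret") }`, assuming submit returns an error. The same derivation is repeated in crunch-dispatch-slurm's submit, so a shared helper would keep the two dispatchers and the verifying side in step. The secret is also written into the job script text, which deserves a comment noting that it is readable wherever the scheduler stores or displays submitted scripts. submit's body continues outside the hunk.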
@@ -353,8 +360,14 @@ func (disp *dispatcher) checkLsfQueueForOrphans() {
}
}
-func execScript(args []string) []byte {
- s := "#!/bin/sh\nexec"
+func execScript(args []string, env map[string]string) []byte {
+ s := "#!/bin/sh\n"
+ for k, v := range env {
+ s += k + `='`
+ s += strings.Replace(v, `'`, `'\''`, -1)
+ s += `' `
+ }
+ s += `exec`
for _, w := range args {
s += ` '`
s += strings.Replace(w, `'`, `'\''`, -1)
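Review bot: The keys of `env` are written into the script unquoted, while only the values get single-quote escaping, so execScript is safe only when every key is a plain shell variable name. Both call sites in this commit pass the literal "GatewayAuthSecret", but the helper should state that contract in a doc comment, or check the key, so a later caller cannot put metacharacters on the line before `exec`. Ranging over the map also makes the assignment order random once there is more than one entry, which gives non-reproducible scripts and flaky equality tests; iterating over sorted keys fixes that (needs the `sort` import). The same applies to the copy in services/crunch-dispatch-slurm/script.go. The function body continues past the end of the hunk.

```go
func execScript(args []string, env map[string]string) []byte {
	s := "#!/bin/sh\n"
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		// k is emitted unquoted: it must be a valid shell variable name.
		s += k + `='`
		s += strings.Replace(env[k], `'`, `'\''`, -1)
		s += `' `
	}
	// … unchanged: exec and single-quoted argument list …
```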
diff --git a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
index c31d79975..c774584d6 100644
--- a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
+++ b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
@@ -7,6 +7,8 @@ package dispatchslurm
import (
"context"
+ "crypto/hmac"
+ "crypto/sha256"
"fmt"
"log"
"math"
@@ -213,7 +215,12 @@ func (disp *Dispatcher) submit(container arvados.Container, crunchRunCommand []s
crArgs := append([]string(nil), crunchRunCommand...)
crArgs = append(crArgs, "--runtime-engine="+disp.cluster.Containers.RuntimeEngine)
crArgs = append(crArgs, container.UUID)
- crScript := strings.NewReader(execScript(crArgs))
+
+ h := hmac.New(sha256.New, []byte(disp.cluster.SystemRootToken))
+ fmt.Fprint(h, container.UUID)
+ authsecret := fmt.Sprintf("%x", h.Sum(nil))
+
+ crScript := strings.NewReader(execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret}))
sbArgs, err := disp.sbatchArgs(container)
if err != nil {
diff --git a/services/crunch-dispatch-slurm/script.go b/services/crunch-dispatch-slurm/script.go
index fb16e593e..d0bfbc4a9 100644
--- a/services/crunch-dispatch-slurm/script.go
+++ b/services/crunch-dispatch-slurm/script.go
@@ -8,8 +8,14 @@ import (
"strings"
)
-func execScript(args []string) string {
- s := "#!/bin/sh\nexec"
+func execScript(args []string, env map[string]string) string {
+ s := "#!/bin/sh\n"
+ for k, v := range env {
+ s += k + `='`
+ s += strings.Replace(v, `'`, `'\''`, -1)
+ s += `' `
+ }
+ s += `exec`
for _, w := range args {
s += ` '`
s += strings.Replace(w, `'`, `'\''`, -1)
diff --git a/services/crunch-dispatch-slurm/script_test.go b/services/crunch-dispatch-slurm/script_test.go
index 00d70190d..bba9a0575 100644
--- a/services/crunch-dispatch-slurm/script_test.go
+++ b/services/crunch-dispatch-slurm/script_test.go
@@ -23,6 +23,7 @@ func (s *ScriptSuite) TestExecScript(c *C) {
{[]string{`foo"`, "'waz 'qux\n"}, `exec 'foo"' ''\''waz '\''qux` + "\n" + `'`},
} {
c.Logf("%+v -> %+v", test.args, test.script)
- c.Check(execScript(test.args), Equals, "#!/bin/sh\n"+test.script+"\n")
+ c.Check(execScript(test.args, nil), Equals, "#!/bin/sh\n"+test.script+"\n")
}
+ c.Check(execScript([]string{"sh", "-c", "echo $foo"}, map[string]string{"foo": "b'ar"}), Equals, "#!/bin/sh\nfoo='b'\\''ar' exec 'sh' '-c' 'echo $foo'\n")
}
commit 5e20c073d84304c3e84770bb7d89035bf1fb9626
Author: Tom Clegg <tom at curii.com>
Date: Fri Jul 1 14:10:38 2022 -0400
19166: Don't set up a reverse tunnel if we won't be advertising it.
Avoids wasting long-lived connections between crunch-run and
controller.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/crunchrun/crunchrun.go b/lib/crunchrun/crunchrun.go
index df3abe630..ff02257f2 100644
--- a/lib/crunchrun/crunchrun.go
+++ b/lib/crunchrun/crunchrun.go
@@ -1905,32 +1905,26 @@ func (command) RunCommand(prog string, args []string, stdin io.Reader, stdout, s
// not safe to run a gateway service without an auth
// secret
cr.CrunchLog.Printf("Not starting a gateway server (GatewayAuthSecret was not provided by dispatcher)")
- } else if gwListen := os.Getenv("GatewayAddress"); gwListen == "" {
- // dispatcher did not tell us which external IP
- // address to advertise --> no gateway service
- cr.CrunchLog.Printf("Not starting a gateway server (GatewayAddress was not provided by dispatcher)")
} else {
+ gwListen := os.Getenv("GatewayAddress")
cr.gateway = Gateway{
Address: gwListen,
AuthSecret: gwAuthSecret,
ContainerUUID: containerUUID,
Target: cr.executor,
Log: cr.CrunchLog,
- ArvadosClient: cr.dispatcherClient,
- UpdateTunnelURL: func(url string) {
- if gwListen != "" {
- // prefer connecting directly
- return
- }
- // direct connection won't work, so we
- // use the gateway_address field to
- // indicate the internalURL of the
- // controller process that has the
- // current tunnel connection.
+ }
+ if gwListen == "" {
+ // Direct connection won't work, so we use the
+ // gateway_address field to indicate the
+ // internalURL of the controller process that
+ // has the current tunnel connection.
+ cr.gateway.ArvadosClient = cr.dispatcherClient
+ cr.gateway.UpdateTunnelURL = func(url string) {
cr.gateway.Address = "tunnel " + url
cr.DispatcherArvClient.Update("containers", containerUUID,
arvadosclient.Dict{"container": arvadosclient.Dict{"gateway_address": cr.gateway.Address}}, nil)
- },
+ }
}
err = cr.gateway.Start()
if err != nil {
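Review bot: The `cr.DispatcherArvClient.Update(...)` call inside the new `UpdateTunnelURL` closure discards its return value, so a failed update leaves `gateway_address` stale with nothing in the container log to explain why connections through the tunnel fail. Capture the result and log it, e.g. `if err := cr.DispatcherArvClient.Update(...); err != nil { cr.CrunchLog.Printf("error updating gateway_address: %s", err) }`. The closure also assigns `cr.gateway.Address` after `cr.gateway.Start()`; if the gateway invokes the callback from its own goroutine (not visible here), a short comment on who else reads that field would help. RunCommand starts and ends outside the hunk.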
-----------------------------------------------------------------------
hooks/post-receive
--