Commit a4717523 authored by Pascal Meunier

added ionhelper support

parent b87f2471
......@@ -1623,11 +1623,7 @@ class ContainerDocker(Container):
def groups(self):
""" find last user in /etc/passwd, and get the groups"""
if self.ionhelper:
# skip over the ionhelper user to get the real session user
cmd = ['docker', 'exec', '%d.tool' % self.veid, "tail", "-n", '2', "/etc/passwd"]
else:
cmd = ['docker', 'exec', '%d.tool' % self.veid, "tail", "-n", '1', "/etc/passwd"]
cmd = ['docker', 'exec', '%d.tool' % self.veid, "tail", "-n", '1', "/etc/passwd"]
userline = subprocess.Popen(cmd, stdout=subprocess.PIPE).communicate()[0]
userparts = userline.split(':')
return make_User_account(userparts[0], self.k).groups()
......@@ -2194,23 +2190,42 @@ class ContainerDocker(Container):
# mount /apps read-only
args += ['-v', account.home_prefix + '/apps:/apps:ro']
if self.ionhelper:
# under Docker the ionhelper user already exists in the template because it was needed at the prior step
# the ionhelper account must exist for the Xauthority step, it is needed by the setup_accounts script
# this includes the sudoers rules.
# args += ['-e', 'etcpasswdionhelper=ionhelper:x:199:199::/var/ion/:/bin/false\n']
# args += ['-e', 'etcshadowionhelper=ionhelper:*:17821:0:99999:7:::\n']
args += ['-e', 'etcpasswdhelper=ionhelper:x:199:199::/var/ion/:/bin/false\n']
args += ['-e', 'etcshadowhelper=ionhelper:*:17821:0:99999:7:::\n']
# add the user to the ionhelper group
args += ['-e', "group_ionhelper=%s:x:%d:%s\n" % ('ionhelper', 199, user)]
# provide information to copy resource file
# path to copy from, path to copy to, session id
sessiondir_ionhelper = '/var/ion/data/sessions/%s' % (session_id)
args += ['-e', "sessiondir_ionhelper=" + sessiondir_ionhelper]
sessiondir_helper = '/var/ion/data/sessions/%s' % (session_id)
args += ['-e', "sessiondir_helper=" + sessiondir_helper]
# Copy resources file for helper (copy happens in setup_accounts script)
# resources file path for user is rpath_user
rpath_user = "%s/data/sessions/%s/resources" % (account.homedir, session_id)
rpath_ionhelper = "/var/ion/data/sessions/%s/resources" % (session_id)
args += ['-e', 'rpath_user=' + rpath_user]
args += ['-e', 'rpath_ionhelper=' + rpath_ionhelper]
# resources file path for helper is rpath_helper
rpath_helper = "/var/ion/data/sessions/%s/resources" % (session_id)
args += ['-e', 'rpath_helper=' + rpath_helper]
args += ['-e', 'sessionid=' + session_id]
elif 'HELPER' in self.k:
args += ['-e', 'etcpasswdhelper=%s:x:%s:%s::%s:/bin/false\n' % (self.k['HELPER'], self.k['HELPER_UID'], self.k['HELPER_GID'], self.k['HELPER_HOME'])]
args += ['-e', 'etcshadowhelper=%s:*:17821:0:99999:7:::\n' % self.k['HELPER']]
# add the user to the ionhelper group
args += ['-e', "group_%s=%s:x:%d:%s,%s\n" % (self.k['HELPER'], self.k['HELPER'], self.k['HELPER_GID'], user, self.k['HELPER'])]
# provide information to copy resource file
# path to copy from, path to copy to, session id
sessiondir_helper = "%s/data/sessions/%s" % (self.k['HELPER_HOME'], session_id)
args += ['-e', "sessiondir_helper=" + sessiondir_helper]
# Copy resources file for helper (copy happens in setup_accounts script)
# resources file path for user is rpath_user
rpath_user = "%s/data/sessions/%s/resources" % (self.k['HELPER_HOME'], session_id)
args += ['-e', 'rpath_user=' + rpath_user]
# resources file path for helper is rpath_helper
rpath_helper = "%s/data/sessions/%s/resources" % (self.k['HELPER_HOME'], session_id)
args += ['-e', 'rpath_helper=' + rpath_helper]
args += ['-e', 'sessionid=' + session_id]
# problem passing group names as environment variables on the command line:
# dashes in group names are interpreted by docker as options!
# how to escape them?
......@@ -2223,12 +2238,19 @@ class ContainerDocker(Container):
gid = g[1]
if gid > 500:
# copy group info if gid > 500
if g in apps_groups:
if gname in apps_groups:
# support su to apps
# Add user 'apps' to groups in container, if both the user and 'apps' belong to it
args += ['-e', "group_%s=%s:x:%d:%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, 'apps,ionhelper')]
# Create all the groups that user apps belongs to, and add user apps and user helper if applicable
if 'HELPER' in self.k:
args += ['-e', "group_%s=%s:x:%d:%s,%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, 'apps', self.k['HELPER'])]
else:
args += ['-e', "group_%s=%s:x:%d:%s,%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, 'apps', 'ionhelper')]
else:
args += ['-e', "group_%s=%s:x:%d:%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, 'ionhelper')]
if 'HELPER' in self.k:
args += ['-e', "group_%s=%s:x:%d:%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, self.k['HELPER'])]
else:
args += ['-e', "group_%s=%s:x:%d:%s,%s\n" % (gname.replace('-', '_'), gname, gid, user, 'ionhelper')]
for defgroup in self.k["DEFAULT_GROUPS"]:
groupinfo = grp.getgrnam(defgroup)
......@@ -2366,23 +2388,46 @@ class ContainerDocker(Container):
# Finally start the tool
args = ['/usr/bin/docker', 'exec', ]
# run this command as user (no su needed on our part, so no issues with escaping characters)
args += ['--user', user]
# set current working directory. Replaces the "cd" operation done by the OpenVZ middleware
args += ['-w', account.homedir]
# environment for tool:
# can't use account.env because it provides quotes that become part of the actual value of the variables!
#for e in account.env(session_id, timeout, params):
# args += ['-e', e]
args += ['-e', 'DISPLAY=%s:0' % self.services_container_IP]
args += ['-e', "SESSIONDIR=%s" % account.int_session_dir(session_id)]
args += ['-e', "RESULTSDIR=%s" % account.int_results_dir(session_id)]
args += ['-e', "SESSION=%s" % session_id]
args += ['-e', "LANG=en_US.UTF-8"]
args += ['-e', "LANGUAGE=en_US.UTF-8"]
args += ['-e', "LC_ALL=en_US.UTF-8"]
args += ['-e', "TIMEOUT=%s" % str(timeout)]
args += ['-e', "USER=%s" % user]
if 'HELPER' in self.k:
# expecting command like '/apps/jupyter/r16/middleware/invoke'
toolname = command.split('/')[2]
if toolname in self.k['HELPER_TOOLS']:
# run this command as user (no su needed on our part, so no issues with escaping characters)
args += ['--user', self.k['HELPER']]
# set current working directory. Replaces the "cd" operation done by the OpenVZ middleware
args += ['-w', self.k['HELPER_HOME']]
# environment for tool:
# can't use account.env because it provides quotes that become part of the actual value of the variables!
#for e in account.env(session_id, timeout, params):
# args += ['-e', e]
args += ['-e', 'DISPLAY=%s:0' % self.services_container_IP]
args += ['-e', "SESSIONDIR=%s" % sessiondir_helper]
args += ['-e', "RESULTSDIR=%s" % rpath_helper]
args += ['-e', "SESSION=%s" % session_id]
args += ['-e', "LANG=en_US.UTF-8"]
args += ['-e', "LANGUAGE=en_US.UTF-8"]
args += ['-e', "LC_ALL=en_US.UTF-8"]
args += ['-e', "TIMEOUT=%s" % str(timeout)]
args += ['-e', "USER=%s" % self.k['HELPER']]
if '--user' not in args:
# default way of invoking tools
# run this command as user (no su needed on our part, so no issues with escaping characters)
args += ['--user', user]
# set current working directory. Replaces the "cd" operation done by the OpenVZ middleware
args += ['-w', account.homedir]
# environment for tool:
# can't use account.env because it provides quotes that become part of the actual value of the variables!
#for e in account.env(session_id, timeout, params):
# args += ['-e', e]
args += ['-e', 'DISPLAY=%s:0' % self.services_container_IP]
args += ['-e', "SESSIONDIR=%s" % account.int_session_dir(session_id)]
args += ['-e', "RESULTSDIR=%s" % account.int_results_dir(session_id)]
args += ['-e', "SESSION=%s" % session_id]
args += ['-e', "LANG=en_US.UTF-8"]
args += ['-e', "LANGUAGE=en_US.UTF-8"]
args += ['-e', "LC_ALL=en_US.UTF-8"]
args += ['-e', "TIMEOUT=%s" % str(timeout)]
args += ['-e', "USER=%s" % user]
# invoke rewrites the path... Is setting it ourselves useful?
args += ['-e', "PATH=%s" % "/bin:/usr/bin:/usr/bin/X11:/sbin:/usr/sbin"]
if params:
......
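Review bot: In the last hunk (`@@ -2366,23 +2388,46 @@`), `toolname = command.split('/')[2]` decides whether the tool runs as the helper account or as the session user, but it never checks that `command` has three components or starts with `/apps/`. A shorter command raises IndexError, and the identity decision is made on an unnormalized string. I would derive the name defensively, e.g. `parts = command.split('/')` followed by `toolname = parts[2] if len(parts) > 2 and parts[:2] == ['', 'apps'] else None`. In the same branch `RESULTSDIR` is set to `rpath_helper`, which the `-2194` hunk builds as the `.../resources` file path rather than a results directory. Both `sessiondir_helper` and `rpath_helper` are assigned only in that earlier hunk, and the enclosing methods start outside the visible lines, so please confirm the names are in scope here. Also in the `-2194` hunk, the `HELPER` branch builds `rpath_user` from `self.k['HELPER_HOME']`, which makes it identical to `rpath_helper`, whereas the `ionhelper` branch uses `account.homedir`; this looks like a copy-paste slip that would make the resources copy a no-op.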