From bfff81820b9b8d139f4121004bd91b5ea066c001 Mon Sep 17 00:00:00 2001 From: Jennings Zhang Date: Fri, 18 Feb 2022 06:20:01 -0500 Subject: [PATCH 1/3] runAsUser configurable by env var --- README.rst | 15 +++++++++++++++ pman/config.py | 2 ++ pman/kubernetesmgr.py | 16 ++++++++++++---- 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index d195413a..6483722c 100755 --- a/README.rst +++ b/README.rst @@ -174,3 +174,18 @@ Assuming the docker container ID of pman is `$pman`, you can dump this log by .. code-block:: bash $> docker exec $pman cat /tmp/debug.log + +*************************** +Special Cases In Production +*************************** + +When using NFS for kubernetes volumes, it might be necessary to +set the container user as someone with permissions to the NFS share. + +One solution is to use ``securityContext.runAsUser``. ``pman`` supports +this option via environmental variables: + +.. code-block:: env + + SECURITYCONTEXT_RUN_AS_USER=1234 + SECURITYCONTEXT_RUN_AS_GROUP=5678 diff --git a/pman/config.py b/pman/config.py index 06deeab9..30e4bbc6 100755 --- a/pman/config.py +++ b/pman/config.py @@ -41,6 +41,8 @@ def __init__(self): if self.CONTAINER_ENV == 'kubernetes': self.JOB_NAMESPACE = env('JOB_NAMESPACE', 'default') + self.SECURITYCONTEXT_RUN_AS_USER = env.int('SECURITYCONTEXT_RUN_AS_USER', None) + self.SECURITYCONTEXT_RUN_AS_GROUP = env.int('SECURITYCONTEXT_RUN_AS_GROUP', None) if self.CONTAINER_ENV == 'cromwell': self.CROMWELL_URL = env('CROMWELL_URL') diff --git a/pman/kubernetesmgr.py b/pman/kubernetesmgr.py index a2f83733..e0c35173 100755 --- a/pman/kubernetesmgr.py +++ b/pman/kubernetesmgr.py 
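Review bot: The two new settings in the `pman/config.py` hunk carry no explanation of what they control or what the `None` default means, and the names alone do not say that they feed the job container's Kubernetes `securityContext`. A one-line comment above the pair would help the next reader, e.g. `# Optional UID/GID applied as securityContext.runAsUser/runAsGroup on job containers; None leaves the image's own user (see kubernetesmgr).` The attributes are only defined inside the `CONTAINER_ENV == 'kubernetes'` branch, which is fine as long as the only reader is the Kubernetes manager — worth stating in that comment so nobody adds a lookup elsewhere. The enclosing `__init__` starts and ends outside the hunk.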
@@ -121,15 +121,23 @@ def create_job(self, image, command, name, resources_dict, mountdir=None) -> V1J k_client.V1EnvVar(name='NVIDIA_DRIVER_CAPABILITIES', value='compute,utility'), k_client.V1EnvVar(name='NVIDIA_REQUIRE_CUDA', value='cuda>=9.0')], + + security_context = { + 'allow_privilege_escalation': False, + 'capabilities': k_client.V1Capabilities(drop=['ALL']) + } + + if self.config['SECURITYCONTEXT_RUN_AS_USER']: + security_context['run_as_user'] = self.config['SECURITYCONTEXT_RUN_AS_USER'] + if self.config['SECURITYCONTEXT_RUN_AS_GROUP']: + security_context['run_as_group'] = self.config['SECURITYCONTEXT_RUN_AS_GROUP'] + container = k_client.V1Container( name=name, image=image, env=env, command=shlex.split(command), - security_context=k_client.V1SecurityContext( - allow_privilege_escalation=False, - capabilities=k_client.V1Capabilities(drop=['ALL']) - ), + security_context=k_client.V1SecurityContext(**security_context), resources=k_client.V1ResourceRequirements(limits=limits, requests=requests), volume_mounts=[k_client.V1VolumeMount(mount_path='/share', name='storebase')] From c01038477377249981d2b48a4bb4ca6bf4f3b82c Mon Sep 17 00:00:00 2001 From: Jennings Zhang Date: Fri, 18 Feb 2022 06:29:58 -0500 Subject: [PATCH 2/3] Bump Flask==1.1.4 https://serverfault.com/questions/1094062/from-itsdangerous-import-json-as-json-importerror-cannot-import-name-json-fr --- requirements/base.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/base.txt b/requirements/base.txt index 1da458c6..51965fc8 100755 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,4 +1,4 @@ -Flask==1.1.2 +Flask==1.1.4 Flask-RESTful==0.3.8 docker==4.4.4 openshift==0.12.0 From 192e35f9303799150af2e8cc4329243e75cfd129 Mon Sep 17 00:00:00 2001 From: Jennings Zhang Date: Fri, 18 Feb 2022 06:49:18 -0500 Subject: [PATCH 3/3] Pin markupsafe --- requirements/base.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
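Review bot: The two `if self.config[...]` guards in the `create_job` hunk test truthiness, so a configured uid or gid of `0` is silently dropped and the container falls back to the image's default user instead of the value the operator asked for; since `env.int(..., None)` yields `None` only when the variable is unset, the checks should be `if self.config['SECURITYCONTEXT_RUN_AS_USER'] is not None:` and `if self.config['SECURITYCONTEXT_RUN_AS_GROUP'] is not None:`. Because the purpose of the setting is to pin the identity the job runs under, it may also be worth setting `run_as_non_root=True` on the `V1SecurityContext` whenever a non-zero uid is configured, so a misconfigured image cannot end up as root with the NFS share mounted — please confirm against the README use case before adding it. The surrounding `create_job` body, including the `env=[...]` list the first context lines belong to, starts and ends outside the hunk.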
diff --git a/requirements/base.txt b/requirements/base.txt
index 51965fc8..9a0235f5 100755
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,5 +1,5 @@
 Flask==1.1.4
-Flask-RESTful==0.3.8
+Flask-RESTful==0.3.9
 docker==4.4.4
 openshift==0.12.0
 kubernetes==12.0.1
@@ -9,3 +9,6 @@ environs==9.3.2
 emoji==1.2.0
 cromwell-tools==2.4.1
 pyserde==0.6.0
+
+# https://github.com/pallets/markupsafe/issues/284
+markupsafe>=1.1.1,<2.1.0