Project

General

Profile

Actions

Idea #8815

closed

[Crunch] crunch-job bind mounts crunchrunner & host certs file at well known location inside container

Added by Peter Amstutz over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
03/29/2016
Due date:
Story points:
0.5

Description

In order to run arbitrary containers, we need crunchrunner (a compiled Go program) and a TLS certificates file available inside the container. Currently arvados-cwl-runner provides this by assuming a collection with a specific PDH is available on the system. This is brittle, as crunchrunner is an infrastructure that should be managed as part of installation and upgrade.

Solution:

- Create arvados-crunchrunner package which is automatically installed on compute & shell nodes
- crunch-job bind mounts crunchrunner & host system TLS certs file at a well known location
- crunchrunner crunch script uses well know location to run crunchrunner instead of running from collection
- remove code from arvados-cwl-runner for handling crunchrunner collection


Subtasks 1 (0 open1 closed)

Task #8818: Review 8815-crunchrunner-everywhereResolvedWard Vandewege03/29/2016Actions

Related issues

Related to Arvados - Idea #8654: [CWL] Incorporate cwl-runner into arvados/jobsResolvedPeter Amstutz03/07/2016Actions
Related to Arvados - Feature #8731: Update arv-box to use arvados/build/* instead of arvados-dev/jenkins/*Resolved03/16/2016Actions
Related to Arvados - Bug #8828: [Crunch] be more resilient when crunchrunner is not available; also don't test for crunchrunner on api serverResolvedPeter Amstutz03/31/2016Actions
Actions #1

Updated by Peter Amstutz over 8 years ago

  • Description updated (diff)
Actions #2

Updated by Peter Amstutz over 8 years ago

  • Target version set to 2016-03-30 sprint
Actions #3

Updated by Peter Amstutz over 8 years ago

  • Status changed from New to In Progress
  • Story points set to 0.5
Actions #4

Updated by Peter Amstutz over 8 years ago

  • Assigned To set to Peter Amstutz
Actions #5

Updated by Ward Vandewege over 8 years ago

Review comments on dfc93aac9c256d6ebb868aeb6c2107821e9fd041:

  • crunchrunner when installed from packages will live in /usr/bin/crunchrunner
  • as for the question of the ca-certificates file, let's do this:

- the Arvados-specific ca-certificates file will live in /etc/arvados/ca-certificates.crt
- If that file exists, crunch-runner should add it to the list of system certificates (if any) and then connect to the API server. Maybe this logic should end up in the Go SDK?
- we'll do the same for the Python and Ruby SDKs later, as separate stories. In Workbench, we already do something similar but just with the list of system certificates.
- the default behavior for crunch-job should be to load the host certificates file in the container at /etc/arvados/ca-certificates.crt, so that crunch-runner can do its job even when the container doesn't have any certificates installed, and so that there is no special site configuration required in the common case, while allowing for a local setup to override this behavior by means of custom docker options

Other than that, 8815-crunchrunner-everywhere looks good to me, thanks!

Actions #6

Updated by Peter Amstutz over 8 years ago

Ward Vandewege wrote:

Review comments on dfc93aac9c256d6ebb868aeb6c2107821e9fd041:

  • crunchrunner when installed from packages will live in /usr/bin/crunchrunner

Now bind mounts crunchrunner to /usr/local/bin/crunchrunner inside the container. crunch-job uses `which` to find crunchrunner on the PATH.

  • as for the question of the ca-certificates file, let's do this:

- the Arvados-specific ca-certificates file will live in /etc/arvados/ca-certificates.crt
- If that file exists, crunch-runner should add it to the list of system certificates (if any) and then connect to the API server. Maybe this logic should end up in the Go SDK?
- we'll do the same for the Python and Ruby SDKs later, as separate stories. In Workbench, we already do something similar but just with the list of system certificates.
- the default behavior for crunch-job should be to load the host certificates file in the container at /etc/arvados/ca-certificates.crt, so that crunch-runner can do its job even when the container doesn't have any certificates installed, and so that there is no special site configuration required in the common case, while allowing for a local setup to override this behavior by means of custom docker options

So crunchrunner now loads both the system certificates inside the container (/etc/ssl/certs/ca-certificates.crt) and also /etc/arvados/ca-certificates.crt.

Actions #7

Updated by Ward Vandewege over 8 years ago

Reviewing at 94f5be8c86ad975ee7aa9f3df87be23fbc154dec: looks great, please merge. Thank you!

Actions #8

Updated by Peter Amstutz over 8 years ago

  • Status changed from In Progress to Resolved

Applied in changeset arvados|commit:a7d819f660840767df3e393a30a775f445db266e.

Actions

Also available in: Atom PDF