Merge pull request foundriesio#91 from doanac/fixes-we-need

Fixes we need

examples/projects/privileged-container.yml

@@ -10,6 +10,16 @@ triggers:
         privileged: true
         script: compile
 
+      - name: cap-add-drop-example
+        container: alpine
+        host-tag: amd64
+        cap-add:
+        - NET_ADMIN
+        - SYS_ADMIN
+        cap-drop:
+        - MKNOD
+        script: compile
+
 scripts:
   compile: |
     #!/bin/sh -ex

jobserv/api/__init__.py

@@ -58,8 +58,11 @@ def unexpected_error(e):
                 "error_msg": str(e),
                 "stack_trace": traceback.format_exc(),
             }
-            print(dir(bp))
             current_app.logger.exception("Unexpected error caught in BP error handler")
             return jsendify(data, 500)
 
         app.register_blueprint(bp)
+
+    @app.route("/healthz")
+    def _healthz():
+        return ""

jobserv/flask.py

@@ -9,6 +9,7 @@
 from flask.json import JSONEncoder
 from flask_migrate import Migrate
 
+import json_logging
 from werkzeug.middleware.proxy_fix import ProxyFix
 from werkzeug.routing import UnicodeConverter
 
@@ -59,6 +60,14 @@ def create_app(settings_object="jobserv.settings"):
     app.wsgi_app = ProxyFix(app.wsgi_app)
     app.config.from_object(settings_object)
 
+    # json_logging can only be initialized *once*. When running with gunicorn,
+    # this gets called a couple times.
+    if not getattr(create_app, "__logging_hack_initialized", None):
+        json_logging.init_flask(enable_json=True)
+        json_logging.init_request_instrument(app, exclude_url_patterns=["/healthz"])
+        json_logging.config_root_logger()
+        create_app.__logging_hack_initialized = True
+
     ProjectConverter.settings = settings_object
     app.url_map.converters["project"] = ProjectConverter
 

jobserv/project-schema.yml

@@ -107,6 +107,16 @@ mapping:
                   container-auth:
                     type: str
                     required: False
+                  cap-add:
+                    type: seq
+                    required: False
+                    sequence:
+                      - type: str
+                  cap-drop:
+                    type: seq
+                    required: False
+                    sequence:
+                      - type: str
                   privileged:
                     type: bool
                     required: false

jobserv/project.py

@@ -118,6 +118,8 @@ def get_run_definition(self, dbrun, run, trigger, params, secrets):
             "container": run["container"],
             "container-auth": run.get("container-auth"),
             "privileged": run.get("privileged", False),
+            "cap-add": run.get("cap-add", None),
+            "cap-drop": run.get("cap-drop", None),
             "container-user": run.get("container-user"),
             "container-entrypoint": run.get("container-entrypoint"),
             "env": {},

requirements.txt

@@ -5,22 +5,22 @@ Flask==1.1.4
 Jinja2==2.11.3
 Mako==1.2.2
 MarkupSafe==2.0.1
-PyJWT==2.4.0
-PyMySQL==1.0.2
+PyJWT==2.7.0
+PyMySQL==1.1.0
 PyYAML==5.4.1
 SQLAlchemy==1.4.23
 Werkzeug==0.16.1
-bcrypt==3.2.0
-cryptography==41.0.0
+bcrypt==4.0.1
+cryptography==41.0.1
 dataclasses==0.6
-google-cloud-storage==1.42.0
-google-crc32c==1.1.2  # indirect, 1.1.3 won't build in alpine
+google-cloud-storage==1.44.0
 # gunicorn 20.1.0 switched from os.sendfile to socket.sendfile which causes
 # a bug in our console tailing: https://github.com/benoitc/gunicorn/commit/2d40e6daceb9735d27bb91d9c32743695de8e01c
 gunicorn==20.0.4
+json-logging==1.3.0
 pykwalify==1.8.0
 python-dateutil==2.8.2
-pytz==2021.1
-requests==2.26.0
-setproctitle==1.2.2
-wheel==0.38.1
+pytz==2023.3
+requests==2.31.0
+setproctitle==1.3.2
+wheel==0.40.0

runner/jobserv_runner/handlers/simple.py

@@ -237,6 +237,16 @@ def hung_cb():
             if self.rundef.get("privileged"):
                 log.info('Running with "--privileged"')
                 cmd.append("--privileged")
+            if self.rundef.get("cap-add"):
+                adds = self.rundef.get("cap-add")
+                log.info("Running with cap-adds: %s", adds)
+                for add in adds:
+                    cmd.extend(["--cap-add", add])
+            if self.rundef.get("cap-drop"):
+                drops = self.rundef.get("cap-drop")
+                log.info("Running with cap-drops: %s", drops)
+                for drop in drops:
+                    cmd.extend(["--cap-drop", drop])
             if self.rundef.get("max-mem-bytes"):
                 maxbytes = self.rundef.get("max-mem-bytes")
                 log.info("Running with --memory=%d", maxbytes)