Merge branch 'trs/aws-batch-overlays'

tsibley · tsibley · commit 8e258e613cd1 · 2025-03-21T11:43:42.000-07:00
diff --git a/Dockerfile b/Dockerfile
@@ -417,13 +417,16 @@ COPY --from=builder-build-platform  --chown=nextstrain:nextstrain /nextstrain /n
 COPY --from=builder-target-platform --chown=nextstrain:nextstrain /nextstrain /nextstrain
 
 # Add our entrypoints and helpers
-COPY entrypoint entrypoint-aws-batch drop-privs create-envd delete-envd /sbin/
-RUN chmod a+rx /sbin/entrypoint* /sbin/drop-privs /sbin/{create,delete}-envd
+COPY entrypoint entrypoint-aws-batch drop-privs create-envd delete-envd chdir-workdir /sbin/
+RUN chmod a+rx /sbin/entrypoint* /sbin/drop-privs /sbin/{create,delete}-envd /sbin/chdir-workdir
 
 # Make /nextstrain a global HOME, writable by any UID (like /tmp)
 RUN chmod a+rwXt /nextstrain
 ENV HOME=/nextstrain
 
+# Run the final setup as our target user for permissions reasons.
+USER nextstrain:nextstrain
+
 # No nesting of runtimes, please.  Use the ambient runtime inside this runtime.
 ENV NEXTSTRAIN_HOME=/nextstrain
 RUN nextstrain check-setup --set-default ambient \
@@ -435,6 +438,9 @@ RUN nextstrain check-setup --set-default ambient \
 WORKDIR /nextstrain/build
 RUN chown nextstrain:nextstrain /nextstrain/build
 
+# Switch back to root.  The entrypoint will drop to nextstrain:nextstrain as
+# necessary when a container starts.
+USER root
 ENTRYPOINT ["/sbin/entrypoint"]
 
 # Finally, add metadata at the end so it doesn't bust cached layers.
diff --git a/chdir-workdir b/chdir-workdir
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ -n "${NEXTSTRAIN_WORKDIR:-}" ]]; then
+    mkdir --parents "$NEXTSTRAIN_WORKDIR"
+    cd "$NEXTSTRAIN_WORKDIR"
+fi
+
+exec "$@"
diff --git a/entrypoint b/entrypoint
@@ -23,5 +23,6 @@ else
         create-envd \
         envdir /nextstrain/env.d \
         delete-envd \
+        chdir-workdir \
         "$@"
 fi
diff --git a/entrypoint-aws-batch b/entrypoint-aws-batch
@@ -2,12 +2,24 @@
 set -euo pipefail
 
 # Show what we're running for the benefit of the logs.
-set -x
+if [[ "${NEXTSTRAIN_AWS_BATCH_VERBOSE:=1}" != 0 ]]; then
+    set -x
+fi
 
 # Download the working dir.
 case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
     s3://*.zip)
         aws s3 cp --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
+
+        for dir in /nextstrain/{augur,auspice,fauna}; do
+            relative_dir="$(realpath "$dir" --relative-to="$PWD")"/
+
+            if zipinfo -1 "$PWD.zip" "$relative_dir" &>/dev/null; then
+                echo "removing $dir because workdir ZIP contains $relative_dir overlay"
+                rm -rf "$dir"
+            fi
+        done
+
         unzip -: -o "$PWD.zip"
         ;;
     s3://*)
diff --git a/tests/aws-batch-verbose.t b/tests/aws-batch-verbose.t
@@ -0,0 +1,46 @@
+#!/usr/bin/env cram
+
+Setup.
+
+  $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
+  $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
+
+A workdir URL is required and not setting one here causes the entrypoint to
+error, but that's enough for testing verbose mode.
+
+  $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL=
+
+Verbose mode is default.
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_WORKDIR_URL "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch true
+  + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
+  + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
+  entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
+  + exit 1
+  [1]
+
+Verbose mode is anything not zero.
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=yes} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch true
+  + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
+  + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
+  entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
+  + exit 1
+  [1]
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch true
+  + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
+  + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
+  entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
+  + exit 1
+  [1]
+
+Verbose mode can be turned off.
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=0} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch true
+  entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
+  [1]
diff --git a/tests/aws-batch-workdir-url.t b/tests/aws-batch-workdir-url.t
@@ -0,0 +1,192 @@
+#!/usr/bin/env cram
+
+Setup.
+
+  $ [[ -n "$AWS_ACCESS_KEY_ID" && -n "$AWS_SECRET_ACCESS_KEY" ]] || exit 80
+
+  $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
+  $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
+
+  $ export NEXTSTRAIN_AWS_BATCH_VERBOSE=0
+
+Workdir ZIP archive is downloaded and extracted.
+
+  $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL="s3://nextstrain-tmp/$(python3 -c 'import uuid; print(uuid.uuid4())').zip"
+
+  $ aws s3 cp --quiet "$TESTDIR/data/workdir-without-overlays.zip" "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL"
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -l'
+  download: s3://nextstrain-tmp/*.zip to ../build.zip (glob)
+  Archive:  /nextstrain/build.zip
+   extracting: reticulating            
+   extracting: splines                 
+  + ls -l
+  total 0
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 reticulating
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 splines
+  upload: ../build.zip to s3://nextstrain-tmp/*.zip (glob)
+
+/nextstrain/{augur,auspice} are removed when the workdir ZIP contains overlays.
+
+  $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL="s3://nextstrain-tmp/$(python3 -c 'import uuid; print(uuid.uuid4())').zip"
+
+  $ aws s3 cp --quiet "$TESTDIR/data/workdir-with-augur-auspice-overlays.zip" "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL"
+
+  $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice'
+  download: s3://nextstrain-tmp/*.zip to ../build.zip (glob)
+  removing /nextstrain/augur because workdir ZIP contains ../augur/ overlay
+  removing /nextstrain/auspice because workdir ZIP contains ../auspice/ overlay
+  Archive:  /nextstrain/build.zip
+   extracting: reticulating            
+   extracting: splines                 
+     creating: ../augur/
+     creating: ../augur/a/
+     creating: ../augur/a/b/
+     creating: ../augur/a/b/c/
+   extracting: ../augur/a/b/c/world.txt  
+   extracting: ../augur/a/b/c/hello.txt  
+     creating: ../augur/augur/
+   extracting: ../augur/augur/__init__.py  
+   extracting: ../augur/README.md      
+     creating: ../auspice/
+  + ls -lR . ../augur ../auspice
+  .:
+  total 0
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 reticulating
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 splines
+  
+  ../augur:
+  total 12
+  -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10 21:45 README.md
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 a
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:46 augur
+  
+  ../augur/a:
+  total 4
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 b
+  
+  ../augur/a/b:
+  total 4
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:33 c
+  
+  ../augur/a/b/c:
+  total 8
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 hello.txt
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 world.txt
+  
+  ../augur/augur:
+  total 4
+  -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10 21:46 __init__.py
+  
+  ../auspice:
+  total 0
+  upload: ../build.zip to s3://nextstrain-tmp/*.zip (glob)
+
+…even when the workdir is not /nextstrain/build, e.g. when it's a sibling.
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/abc --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice'
+  download: s3://nextstrain-tmp/*.zip to ../abc.zip (glob)
+  removing /nextstrain/augur because workdir ZIP contains ../augur/ overlay
+  removing /nextstrain/auspice because workdir ZIP contains ../auspice/ overlay
+  Archive:  /nextstrain/abc.zip
+   extracting: reticulating            
+   extracting: splines                 
+     creating: ../augur/
+     creating: ../augur/a/
+     creating: ../augur/a/b/
+     creating: ../augur/a/b/c/
+   extracting: ../augur/a/b/c/world.txt  
+   extracting: ../augur/a/b/c/hello.txt  
+     creating: ../augur/augur/
+   extracting: ../augur/augur/__init__.py  
+   extracting: ../augur/README.md      
+     creating: ../auspice/
+  + ls -lR . ../augur ../auspice
+  .:
+  total 0
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 reticulating
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 splines
+  
+  ../augur:
+  total 12
+  -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10 21:45 README.md
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 a
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:46 augur
+  
+  ../augur/a:
+  total 4
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 b
+  
+  ../augur/a/b:
+  total 4
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:33 c
+  
+  ../augur/a/b/c:
+  total 8
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 hello.txt
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 world.txt
+  
+  ../augur/augur:
+  total 4
+  -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10 21:46 __init__.py
+  
+  ../auspice:
+  total 0
+  upload: ../abc.zip to s3://nextstrain-tmp/*.zip (glob)
+
+…but not when the workdir is somewhere completely different.
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/x/y/z --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
+  >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice; realpath ../augur ../auspice'
+  download: s3://nextstrain-tmp/*.zip to ../z.zip (glob)
+  Archive:  /nextstrain/x/y/z.zip
+   extracting: reticulating            
+   extracting: splines                 
+     creating: ../augur/
+     creating: ../augur/a/
+     creating: ../augur/a/b/
+     creating: ../augur/a/b/c/
+   extracting: ../augur/a/b/c/world.txt  
+   extracting: ../augur/a/b/c/hello.txt  
+     creating: ../augur/augur/
+   extracting: ../augur/augur/__init__.py  
+   extracting: ../augur/README.md      
+     creating: ../auspice/
+  + ls -lR . ../augur ../auspice
+  .:
+  total 0
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 reticulating
+  -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10 21:46 splines
+  
+  ../augur:
+  total 12
+  -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10 21:45 README.md
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 a
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:46 augur
+  
+  ../augur/a:
+  total 4
+  drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10 21:32 b
+  
+  ../augur/a/b:
+  total 4
+  drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10 21:33 c
+  
+  ../augur/a/b/c:
+  total 8
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 hello.txt
+  -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10 21:32 world.txt
+  
+  ../augur/augur:
+  total 4
+  -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10 21:46 __init__.py
+  
+  ../auspice:
+  total 0
+  + realpath ../augur ../auspice
+  /nextstrain/x/y/augur
+  /nextstrain/x/y/auspice
+  upload: ../z.zip to s3://nextstrain-tmp/*.zip (glob)
diff --git a/tests/data/workdir-with-augur-auspice-overlays.zip b/tests/data/workdir-with-augur-auspice-overlays.zip
diff --git a/tests/data/workdir-without-overlays.zip b/tests/data/workdir-without-overlays.zip
diff --git a/tests/workdir.t b/tests/workdir.t
@@ -0,0 +1,38 @@
+#!/usr/bin/env cram
+
+Setup.
+
+  $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
+  $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
+
+NEXTSTRAIN_WORKDIR changes initial working directory.
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/augur "$IMAGE" \
+  >   bash -eu -c 'echo "$PWD"'
+  /nextstrain/augur
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/augur -u 1234:5678 "$IMAGE" \
+  >   bash -eu -c 'echo "$PWD"'
+  /nextstrain/augur
+
+Missing directories are created, like with the `--workdir` option of `docker run`.
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/a/b/c "$IMAGE" \
+  >   bash -eu -c 'ls -ld "$PWD"'
+  drwxr-xr-x * nextstrain nextstrain * /nextstrain/a/b/c (glob)
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/a/b/c -u 1234:5678 "$IMAGE" \
+  >   bash -eu -c 'ls -ld "$PWD"'
+  drwxr-xr-x * 1234 5678 * /nextstrain/a/b/c (glob)
+
+…but permissions still apply, as the `mkdir` happens after drop-privs.
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nope "$IMAGE" \
+  >   bash -eu -c 'echo "$PWD"'
+  mkdir: cannot create directory ‘/nope’: Permission denied
+  [1]
+
+  $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nope -u 1234:5678 "$IMAGE" \
+  >   bash -eu -c 'echo "$PWD"'
+  mkdir: cannot create directory ‘/nope’: Permission denied
+  [1]
