Commit d27d6499 authored by BAIRE Anthony

change the job work directory: /tmp -> /work

Previous code put the job files into /tmp and used this directory
as the current directory for running the job, which is disturbing
because we do not have a standard place to put temporary files.

It is essential to change this now because, since jobs are no longer
run as the root user, it is no longer possible to create arbitrary tmp
directories during the job.

BTW app developers should consider that the job execution dir is
parent e688e0d3
......@@ -1069,11 +1069,12 @@ class JobManager(Manager):
assert info.version == "sandbox"
image = tmp_img = info.client.commit(ctrl.gen_sandbox_name(webapp), repo, info.version)["Id"]
# TODO use another workdir
ctrl.check_host_path("isdir", job_path)
hc = ctrl.sandbox.create_host_config(
binds = {job_path: {"bind": "/tmp"}},
# mount the job data dir at an arbitrary location
# (/work). This is better that using /tmp because it
# keeps /tmp available for storing temporary files
binds = {job_path: {"bind": "/work"}},
# disable all capabilities (for security reason)
cap_drop = ["all"],
# disable network access (for security reason)
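Review bot: The context line `# TODO use another workdir` above `ctrl.check_host_path("isdir", job_path)` is stale now that the bind target moves from "/tmp" to "/work" in this same hunk; drop it here. The new comment also reads "better that using" where "better than using" is meant. The bind is given without an explicit mode, so a short note saying the mount is intentionally writable would help the next reader of this security-sensitive host config.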
......@@ -1101,7 +1102,8 @@ class JobManager(Manager):
# /var/lib/docker with the 'nosuid' flag on nodes that
# run jobs
user = ctrl.job_user,
working_dir = "/tmp",
# run the job in job data dir
working_dir = "/work",
# NOTE: the command line is a little complex, but this is
# to ensure that (TODO write tests for this):
# - no output is lost (we go though a pipe in case the
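Review bot: `working_dir = "/work"` repeats the string literal used as the bind target in create_host_config, so the two values can drift apart without any error; define the path once and reference it in both places. Because the container runs as `ctrl.job_user`, the comment should also state that the bind-mounted job directory has to be writable by that user, since the job command starts there.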
......@@ -1128,7 +1130,7 @@ class JobManager(Manager):
trap "sighnd TERM ABORT" TERM
trap "sighnd ALRM TIMEOUT" ALRM
mkfifo "$fifo" 2>&1 | tee -a allgo.log || exit $?
exec cat <"$fifo" | tee -a allgo.log &
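Review bot: In `mkfifo "$fifo" 2>&1 | tee -a allgo.log || exit $?` the `|| exit $?` tests the exit status of tee rather than mkfifo, unless pipefail is enabled in a part of the script not shown here. If "$fifo" lives under the working directory, moving that directory to /work while running as a non-root user makes a failed mkfifo a realistic case, and the next line would then block or fail on a missing fifo. Capture mkfifo's status directly and exit on it before appending its message to allgo.log.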