Commit b6809431 authored by LETORT Sebastien

Merge django.

parents 5907a33d 979954ef
......@@ -11,3 +11,4 @@ __pycache__
.coverage
/controller/htmlcov
/.env
metrics/*.stats
image: docker:latest
variables:
DOCKER_DRIVER: overlay2
stages:
- build
- test
- cleanning
before_script:
- docker info
- docker-compose --version
- pwd
# ---------------------------
bootstrap:
tags:
- allgo
stage: build
script:
- docker info
- apk update
- apk upgrade
- apk add python python-dev py-pip build-base bash openssl python3
- pip install docker-compose
- mkdir -p /data/dev
- rm -Rf /data/dev/*
- /bin/bash bootstrap dev-mysql dev-controller dev-ssh dev-django dev-nginx dev-smtpsink dev-registry
- rm -f .env
- sudo rm -rf data/*
- ./bootstrap
django_pylint:
stage: test
# only:
# - /django/
script:
- echo $PYLINTHOME
- docker exec -i dev-django pylint3 --rcfile=.pylintrc allgo
allow_failure: true
#~ django_test:
#~ stage: test
#~ # only:
#~ # - /django/
#~ script:
#~ - docker exec -i dev-django python3 manage.py test
nettoyage:
stage: cleanning
when: always
script:
- sudo rm -rf data/*
......@@ -4,13 +4,14 @@ ALLGO containers
Overview
--------
A minimal deployment of allgo consists of 4 docker images:
A minimal deployment of allgo consists of 6 docker images:
- **allgo/rails**: the rails application server
- **allgo/mysql**: the mysql database server
- **allgo/redis** : the redis application server
- **allgo/django** : the django application server
- **allgo/mysql** : the mysql database server
- **allgo/controller**: the manager for user docker containers
- **allgo/ssh**: the ssh frontend (giving access to the sandboxes)
- **allgo/toolbox**: an image containing a set of commands (scp, vi, nano,
- **allgo/ssh** : the ssh frontend (giving access to the sandboxes)
- **allgo/toolbox** : an image containing a set of commands (scp, vi, nano,
less, ...) to be mounted in the user sandboxes
These images may be deployed multiple times to implement multiple independent
......@@ -27,7 +28,14 @@ There is an extra image used only in development:
- **allgo/smtpsink**: a SMTP server that catches and stores all incoming messages into a single mailbox
Each environment has its own docker network. The nginx container is connected
to all these networks to that it can connect to the rails servers.
to all these networks.
License
-------
GNU AFFERO GENERAL PUBLIC LICENSE
https://www.gnu.org/licenses/agpl-3.0.html
Conventions
......@@ -37,7 +45,7 @@ All docker images use the following conventions.
### External volumes
They data is stored in:
Their data are stored in:
- `/vol/rw` for persistent data
- `/vol/ro` for persistent data in read-only access
......@@ -77,14 +85,13 @@ It provides 8 containers:
All external volumes are stored in `/data/dev/` (the path is absolute because
it is tricky to use a relative path with the allgo/docker image).
For convenience, all containers not running as root (rails, mysql, registry)
For convenience, all containers not running as root (django, mysql, registry)
have their user overridden to the UID:GID of the developer running
docker-compose. This is managed with the `DOCKERUSER` environment variable set
[in the `.env`
file](https://docs.docker.com/compose/environment-variables/#the-env-file) by
[in the `.env` file](https://docs.docker.com/compose/environment-variables/#the-env-file) by
`prepare.sh`.
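As a rough sketch, the generated `.env` file might look like the following (the value is illustrative; `prepare.sh` fills in the real UID:GID of the developer):

```shell
# .env -- generated by prepare.sh (illustrative value)
# DOCKERUSER overrides the user of the non-root containers
DOCKERUSER=1000:1000
```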
For convenience (again), there is an extra external volumes for `dev-rails`,
For convenience (again), there is an extra external volume for `dev-django`,
`dev-controller` and `dev-ssh` so that the source directory of the app is mounted
inside `/opt/` (in fact it overrides the actual application files provided by
the docker image). The purpose is to avoid rebuilding a new docker image for
......@@ -93,16 +100,15 @@ each development iteration.
### Getting started
The sources are located in two repositories:
The sources are located in one repository:
- *rails-allgo*: the rails application repository
- *allgo*: the deployment repository
To set up the development environment, run:
1. get the sources
<pre>
<pre>
git clone git@gitlab.inria.fr:allgo/allgo.git
cd allgo
</pre>
......@@ -110,19 +116,19 @@ To set up the development environment, run:
2. *(as root)* create `/data/dev` and make it owned by the developer
<pre>
sudo mkdir -p /data/dev
sudo chown USER: /data/dev
sudo chown $USER: /data/dev
</pre>
3. bootstrap the environment
<pre>
<pre>
./bootstrap
</pre>
This command will run the `/dk/init_container` in every container that
needs it, then start the container.
The first run takes a very long time because all images are built from
scratch (especially the rails image which builds ruby source).
You have enough time for a coffee break.
The first run takes a few minutes because all images are built from
scratch.
You may have enough time for a short coffee break.
**Note** by default `bootstrap` works on all containers. It is possible
to give an explicit list of containers instead. Example:
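A hypothetical invocation, reusing container names that appear elsewhere in this repository, could look like:

```shell
# bootstrap only the mysql and django containers
./bootstrap dev-mysql dev-django
```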
......@@ -164,34 +170,34 @@ The official doc for docker-compose is available at: [https://docs.docker.com/co
</pre>
- hard cleanup (remove images too)
<pre>
<pre>
fig down --rmi local
</pre>
- restart a container
<pre>
fig restart dev-rails
fig restart dev-django
</pre>
- restart a container using a new docker image (if the image has been rebuilt since the last start)
<pre>
fig up dev-rails
<pre>
fig up dev-django
</pre>
- rebuild an image
<pre>
fig build dev-railf
<pre>
fig build dev-django
</pre>
- **Note:** most commands work on every container by default (eg: up, down,
start, stop, restart, ...); they can be used on individual containers too:
<pre>
fig restart dev-controller dev-rails
<pre>
fig restart dev-controller dev-django
</pre>
- run a container with an arbitrary command (eg: to have access to the rails console)
<pre>
fig run --rm dev-rails bash
- run a container with an arbitrary command (eg: to have access to the django console)
<pre>
fig run --rm dev-django bash
</pre>
**Note:** containers created by `fig run` have the same parameters as
......@@ -199,10 +205,10 @@ The official doc for docker-compose is available at: [https://docs.docker.com/co
*allgo_dev-ssh_run_1*), which means that this container is not
reachable by the others (this may be an issue for example if you want
to run the mysqld server manually: `fig run dev-mysql mysqld` -> this
container won't be reachable by the ssh and rails containers)
container won't be reachable by the ssh and django containers)
- follow the output of all containers:
<pre>
<pre>
fig logs --tail=1 --follow
</pre>
......@@ -242,7 +248,7 @@ it as root**, otherwise it will be owned by root and you may have errors like:
If somehow you skipped this step, you can reset the ownership to the current user:
sudo chown USER: /data/dev
sudo chown -R USER: /data/dev/{registry,mysql,rails}
sudo chown -R USER: /data/dev/{registry,mysql,django}
If you are completely lost, you can just restart the initialisation from scratch:
......@@ -282,22 +288,21 @@ Hosts a mysql server listening on port 3306 with two databases: `allgo` and
- `ssh` has read only access to `allgo`
## rails
Hosts four daemons for running allgo:
## django
- the unicorn server (runnning the rails application)
- the sidekiq queue manager
- the redis db server
- a nginx frontend for buffering the HTTP requests/responses
Hosts three daemons for running the allgo web server:
- a nginx frontend for buffering the HTTP requests/responses and routing them
to the other daemons. It also serves static files directly
- the gunicorn server (running the django application)
- the allgo.aio server (serving the asynchronous requests)
This container is managed with supervisor; the `supervisorctl` command allows
starting/stopping the daemons individually.
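For example, one might inspect and restart the daemons from inside the container (a sketch; the exact program names registered in the supervisor config are assumptions):

```shell
# open a shell in the django container
docker exec -it dev-django bash
# then, inside the container:
supervisorctl status            # list the managed daemons
supervisorctl stop gunicorn     # stop one of them (name is an assumption)
supervisorctl start gunicorn    # start it again
```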
### Running the rails server manually
### Running the django server manually
TODO ?
- run the `dev-rails` container and open a shell:
[comment]: # ( - run the `dev-rails` container and open a shell:
<pre>
fig up -d
docker exec -t -i dev-rails bash
......@@ -308,7 +313,7 @@ starting/stopping the daemons individually.
supervisorctl stop rails
rails server
</pre>
)
## ssh
......@@ -324,7 +329,7 @@ WEBAPP@sid.allgo.irisa.fr`). Each allgo webapp is mapped to a system user
gid = 65534 (nogroup)
gecos = webapps.name
shell = /bin/allgo-shell
</pre>
</pre>
- The ssh server is configured to accept key-based authentication only. The
list of public keys is obtained from the django server (using an AuthorizedKeysCommand).
......@@ -333,12 +338,12 @@ WEBAPP@sid.allgo.irisa.fr`). Each allgo webapp is mapped to a system user
- The connection to the sandbox is made though a unix socket and a set of pipes
in the filesystem.
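Putting the pieces together, connecting to a sandbox would look like this (the webapp name is hypothetical; the username part selects the webapp):

```shell
# key-based authentication only; WEBAPP is mapped to a virtual system user
ssh mywebapp@sid.allgo.irisa.fr
```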
## docker
## controller
Hosts the *docker-allgo-proxy* which manages all docker operations (run, stop,
rm, commit, pull, push, ...) on behalf of the rails container.
Hosts the *docker-controller* which manages all docker operations (run, stop,
rm, commit, pull, push, ...) on behalf of the django container.
Technically speaking this container had root privileges since it has access to
Technically speaking this container has root privileges since it has access to
the docker socket.
The proxy script enforces restrictions (according to the current environment: eg prod/qualif/dev) on:
......@@ -363,3 +368,5 @@ mailbox.
The mailbox is accessible with IMAP as user *sink* (password *sink*).
NOTE: in the development environment, django's default is to dump outgoing
e-mails to the console. Thus this container is only useful in the qualif setup.
#!/bin/bash
CONTAINERS="dev-redis dev-mysql dev-controller dev-ssh dev-django dev-smtpsink dev-registry dev-nginx dev-jupyterhub"
CONTAINERS="dev-redis dev-mysql dev-controller dev-ssh dev-django dev-smtpsink dev-registry dev-nginx dev-toolbox dev-jupyterhub"
die()
......
......@@ -29,4 +29,7 @@ ENV ENV="" \
ALLGO_REDIS_HOST="{ENV}-redis" \
ALLGO_IMPORT_REGISTRY="cargo.irisa.fr:8003/allgo/prod/webapp"
# to prevent __pycache__ generation (the generated files would be owned by root)
ENV PYTHONDONTWRITEBYTECODE 1
LABEL dk.migrate_always=1
......@@ -10,7 +10,9 @@ RUN apt-getq update && apt-getq install \
python-mysqldb python3-crypto gunicorn3 python3-redis python-mysqldb \
python3-crypto python3-natsort python3-aiohttp python3-aioredis supervisor \
python3-ipy python3-django-taggit python3-iso8601 python3-robot-detection \
python3-sqlparse python3-django-extensions python3-pydotplus
python3-sqlparse \
python3-django-extensions python3-pydotplus \
python3-pylint-django
COPY requirements.txt /tmp/
RUN cd /tmp && pip3 install -r requirements.txt && rm requirements.txt
......@@ -22,6 +24,7 @@ USER allgo
WORKDIR /opt/allgo
LABEL dk.migrate_always=1
ENV PYTHONUNBUFFERED 1
ENV PYLINTHOME /opt/allgo_metrics
# NOTE: we use SIGINT instead of SIGTERM because the django server does not
# catch SIGTERM (while gunicorn catches both SIGTERM & SIGINT)
......
......@@ -7,5 +7,5 @@ app_name = 'api'
urlpatterns = [
url(r'^jobs$', views.jobs, name='jobs'),
url(r'^jobs/(?P<pk>\d+)', views.APIJobView.as_view(), name='job'),
url(r'^datastore/(?P<pk>\d+)/(.*)/(.*)', views.APIDownloadView, name='download'),
url(r'^datastore/(?P<pk>\d+)/(.*)', views.APIDownloadView.as_view(), name='download'),
]
......@@ -5,6 +5,7 @@ import config.env
from django.core.validators import ValidationError
from django.http import JsonResponse
from django.shortcuts import redirect
from django.urls import reverse
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View
from main.helpers import upload_data, get_base_url, lookup_job_file, get_request_user, LoggerAdapter
......@@ -21,29 +22,21 @@ def get_link(jobid, dir, filename, request):
return '/'.join((get_base_url(request), "datastore", str(jobid), filename))
def job_response(job, request):
status = {0: 'new',
1: 'waiting',
2: 'running',
3: 'done',
4: 'archived',
5: 'deleted',
6: 'aborting'}
job_dir = job.data_dir
files = {f: get_link(job.id, job_dir, f, request) for f in os.listdir(job_dir)
if lookup_job_file(job.id, f)}
return {str(job.id): {'status': status[job.state],
'files': files
}
}
class APIJobView(JobAuthMixin, View):
def get(self, request, pk):
try:
job = Job.objects.get(id=pk)
return JsonResponse(job_response(job, request))
files = {}
for f in os.listdir(job.data_dir):
if lookup_job_file(job.id, f):
files[f] = get_link(job.id, job.data_dir, f, request)
response = {
job.id: files,
"status": job.get_state_display().lower(),
}
return JsonResponse(response)
except Job.DoesNotExist as e:
log.error("Job not found %s", str(e))
return JsonResponse({'error': 'Job not found'}, status=404)
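As a sketch of how a client would call this view, the token header below matches the format parsed in `get_request_user`; the host, token and job id are placeholders:

```shell
# query the status and file links of job 42
curl -H "Authorization: Token token=MYTOKEN" \
     https://allgo.example.org/api/v1/jobs/42
```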
......@@ -51,7 +44,7 @@ class APIJobView(JobAuthMixin, View):
@csrf_exempt
def jobs(request):
o_log = new LoggerAdapter(log, {'prefix': "API-jobs"})
o_log = LoggerAdapter(log, {'prefix': "API-jobs"})
o_log.info("request received")
user = get_request_user(request)
if not user:
......@@ -69,6 +62,10 @@ def jobs(request):
if not app:
return JsonResponse({'error': 'Application not found'}, status=404)
if app.get_webapp_version() is None:
log.debug('No usable versions')
return JsonResponse({'error': "This app is not yet published"}, status=404)
queue = app.job_queue
if 'job[queue]' in request.POST:
try:
......@@ -78,9 +75,11 @@ def jobs(request):
o_log.info("Job submit by user %s", user)
job = Job.objects.create(param=request.POST.get('job[param]', ''), queue=queue, webapp=app, user=user)
if app.get_webapp_version() is None:
o_log.debug('No usable versions')
return JsonResponse({'error': "This app is not yet published"}, status=404)
job.version = app.get_webapp_version().number # TODO: add version selection in the api
upload_data(request.FILES.values(), job)
......@@ -95,12 +94,17 @@ def jobs(request):
job.save()
o_log.info("request successfully submitted.")
return JsonResponse(job_response(job, request))
no_domain_url = reverse('api:job', kwargs={'pk':job.id})
response = {
"avg_time": 0, # legacy, not relevant anymore
"id" : job.id,
"url" : request.build_absolute_uri(no_domain_url),
}
return JsonResponse(response)
class APIDownloadView(JobAuthMixin, View):
def get(self, request, *args, **kwargs):
jobid = args[0]
filename = args[1]
return redirect("/datastore/%s/%s" % (jobid, filename))
log.error("datastore requests must be served by nginx (bad config!)")
return JsonResponse({'error': 'Internal Server Error'}, status=500)
......@@ -188,9 +188,12 @@ def get_base_url(request):
def get_request_user(request):
"""Return the authenticated user from the provided request
The authentication is attempted:
- first with the session cookie
- then with the token provided in the HTTP Authorization header
Depending on the request path, the authentication is attempted on:
- the token provided in the HTTP Authorization header for /api/ urls
- the session cookie for other urls
In case of /auth requests we assume that 'X-Original-URI' is the path of
the current request.
Args:
request
......@@ -198,17 +201,25 @@ def get_request_user(request):
Returns:
a User or None
"""
if request.user.is_authenticated:
return request.user
mo = re.match("Token token=(\S+)",
request.META.get('HTTP_AUTHORIZATION', ''))
if mo:
return getattr(
# FIXME: user token should have a unicity constraint
AllgoUser.objects.filter(token=mo.group(1)).first(),
"user", None)
path = request.path
if path == "/auth":
path = request.META['HTTP_X_ORIGINAL_URI']
if path.startswith("/api/"):
# authenticated by token for API requests
#
# NOTE: we must NOT authenticate by cookie because the CORS
# configuration in the nginx.conf allows all origins
mo = re.match("Token token=(\S+)",
request.META.get('HTTP_AUTHORIZATION', ''))
if mo:
return getattr(
# FIXME: user token should have a unicity constraint
AllgoUser.objects.filter(token=mo.group(1)).first(),
"user", None)
else:
# authenticated by cookie for other requests
if request.user.is_authenticated:
return request.user
def query_webapps_for_user(user):
......
......@@ -97,7 +97,11 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
if user is None:
return False
self.raise_exception = True # to return a 403
job = Job.objects.filter(pk=self.kwargs['pk']).first()
try:
job = Job.objects.get(id=self.kwargs['pk'])
except Job.DoesNotExist:
return False
return user.is_superuser or user == getattr(job, "user", ())
def handle_no_permission(self):
......
......@@ -310,6 +310,15 @@ class Webapp(TimeStampModel):
query = query.filter(number=number)
return query.order_by("-state", "-id").first()
def get_sandbox_state(self):
""""""
for i,s in self.SANDBOX_STATE_CHOICES:
if i == self.sandbox_state:
return i,s
msg = "The current state {} is not defined in the model." \
.format(self.sandbox_state)
raise ValueError(msg)
class WebappParameter(TimeStampModel):
......
......@@ -725,7 +725,7 @@ class WebappSandboxPanel(UserAccessMixin, TemplateView):
messages.success(request, "stopping sandbox %r" % webapp.name)
log.debug("new sandbox state: %r -> %r",
webapp.docker_name, webapp.sandbox_state)
webapp.docker_name, webapp.get_sandbox_state())
# NOTE: we return a 302 redirect to the same page (instead of rendering
# it directly) to force the browser to make a separate GET request.
......@@ -1510,7 +1510,7 @@ def auth(request):
return HttpResponse(status=401)
# find the relevant job
mo = re.match(r'/datastore/(\d+)/', request.META['HTTP_X_ORIGINAL_URI'])
mo = re.match(r'(?:/api/v1)?/datastore/(\d+)/', request.META['HTTP_X_ORIGINAL_URI'])
if mo:
job = Job.objects.filter(id=int(mo.group(1))).first()
if job is not None and job.user == user:
......
......@@ -79,9 +79,6 @@ Database
integrating the database constraints (that are managed by Ruby on Rails and
not the DBMS).
It has been decided to use the same database for both rails and django but with
a different naming.
At the moment the django docker container takes care of the migration by calling
the migration script. The migration process consists of two files located in the
`tools` folder:
......@@ -129,7 +126,7 @@ The different configuration file for the docker file such a