refactor project runner code to make it easier to have multiple runtimes

- but probably just use podman

Author: williamstein

src/packages/project-runner/bin/start.js

@@ -4,6 +4,6 @@ const { init } = require("@cocalc/project-runner/run");
 
 (async () => {
   console.log("Starting...");
-  await init();
+  await init({runtime:'nsjail'});
   console.log("CoCalc Project Runner ready");
 })();

src/packages/project-runner/run/filesystem.ts

@@ -0,0 +1,34 @@
+import {
+  client as createFileClient,
+  type Fileserver,
+} from "@cocalc/conat/files/file-server";
+import { type Client as ConatClient } from "@cocalc/conat/core/client";
+
+//import getLogger from "@cocalc/backend/logger";
+
+// const logger = getLogger("project-runner:filesystem");
+
+let client: ConatClient | null = null;
+export function init(opts: { client: ConatClient }) {
+  client = opts.client;
+}
+
+let fsclient: Fileserver | null = null;
+function getFsClient() {
+  if (client == null) {
+    throw Error("client not initialized");
+  }
+  fsclient ??= createFileClient({ client });
+  return fsclient;
+}
+
+export async function setQuota(project_id: string, size: number | string) {
+  const c = getFsClient();
+  await c.setQuota({ project_id, size });
+}
+
+export async function mountHome(project_id: string): Promise<string> {
+  const c = getFsClient();
+  const { path } = await c.mount({ project_id });
+  return path;
+}

src/packages/project-runner/run/index.ts

@@ -1,253 +1,41 @@
 /*
 Project run server.
 
-It may be necessary to do this to enable the user running this
-code to use nsjail:
-
-    sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 && sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-
-
-See https://github.com/google/nsjail/issues/236#issuecomment-2267096267
-
-To make permanent:
-
-echo -e "kernel.apparmor_restrict_unprivileged_unconfined=0\nkernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/99-custom.conf && sudo sysctl --system
-
----
-
 DEV -- see packages/server/conat/project/run.ts
 
 */
 
 import { type Client as ConatClient } from "@cocalc/conat/core/client";
 import { conat } from "@cocalc/backend/conat";
 import { server as projectRunnerServer } from "@cocalc/conat/project/runner/run";
-import { isValidUUID } from "@cocalc/util/misc";
 import { reuseInFlight } from "@cocalc/util/reuse-in-flight";
-import getLogger from "@cocalc/backend/logger";
-import { root } from "@cocalc/backend/data";
-import { basename, dirname, join } from "node:path";
-import { userInfo } from "node:os";
-import { ensureConfFilesExists, setupDataPath, writeSecretToken } from "./util";
-import { getEnvironment } from "./env";
-import { mkdir } from "fs/promises";
-import { exists } from "@cocalc/backend/misc/async-utils-node";
-import { spawn } from "node:child_process";
 import { type Configuration } from "./types";
 export { type Configuration };
-import { limits } from "./limits";
-import {
-  client as createFileClient,
-  type Fileserver,
-} from "@cocalc/conat/files/file-server";
-import { nsjail } from "@cocalc/backend/sandbox/install";
-import { once } from "@cocalc/util/async-utils";
-
-// for development it may be useful to just disabling using nsjail namespaces
-// entirely -- change this to true to do so.
-const DISABLE_NSJAIL = false;
-
-const DEFAULT_UID = 2001;
-
-// how long from SIGTERM until SIGKILL
-const GRACE_PERIOD = 3000;
-
-const logger = getLogger("project-runner");
-
-const children: { [project_id: string]: any } = {};
-
-const MOUNTS = {
-  "-R": ["/etc", "/var", "/bin", "/lib", "/usr", "/lib64", "/run"],
-  "-B": ["/dev"],
-};
-
-let nodePath = process.execPath;
-async function initMounts() {
-  for (const type in MOUNTS) {
-    const v: string[] = [];
-    for (const path of MOUNTS[type]) {
-      if (await exists(path)) {
-        v.push(path);
-      }
-    }
-    MOUNTS[type] = v;
-  }
-  MOUNTS["-R"].push(`${dirname(root)}:/cocalc`);
-
-  // also if this node is install via nvm, we make exactly this
-  // version of node's install available
-  if (!process.execPath.startsWith("/usr/")) {
-    // not already in an obvious system-wide place we included above
-    // IMPORTANT: take care not to put the binary next to sensitive info!
-    MOUNTS["-R"].push(`${dirname(process.execPath)}:/cocalc/bin`);
-    nodePath = join("/cocalc/bin", basename(process.execPath));
-  }
-}
-
-let fsclient: Fileserver | null = null;
-function getFsClient() {
-  if (client == null) {
-    throw Error("not initialized");
-  }
-  fsclient ??= createFileClient({ client });
-  return fsclient;
-}
-
-async function setQuota(project_id: string, size: number | string) {
-  const c = getFsClient();
-  await c.setQuota({ project_id, size });
-}
-
-async function mountHome(project_id: string): Promise<string> {
-  const c = getFsClient();
-  const { path } = await c.mount({ project_id });
-  return path;
-}
-
-async function start({
-  project_id,
-  config,
-}: {
-  project_id: string;
-  config?: Configuration;
-}) {
-  if (!isValidUUID(project_id)) {
-    throw Error("start: project_id must be valid");
-  }
-  logger.debug("start", { project_id, config: { ...config, secret: "xxx" } });
-  if (children[project_id] != null && children[project_id].exitCode == null) {
-    logger.debug("start -- already running");
-    return;
-  }
-  let uid, gid;
-  if (userInfo().uid) {
-    // server running as non-root user -- single user mode
-    uid = gid = userInfo().uid;
-  } else {
-    // server is running as root -- multiuser mode
-    uid = gid = DEFAULT_UID;
-  }
-
-  const home = await mountHome(project_id);
-  await mkdir(home, { recursive: true });
-  await ensureConfFilesExists(home);
-  const env = getEnvironment({
-    project_id,
-    env: config?.env,
-    HOME: home,
-  });
-  await setupDataPath(home);
-  if (config?.secret) {
-    await writeSecretToken(home, config.secret);
-  }
-
-  if (config?.disk) {
-    // TODO: maybe this should be done in parallel with other things
-    // to make startup time slightly faster (?) -- could also be incorporated
-    // into mount.
-    await setQuota(project_id, config.disk);
-  }
-
-  let script: string,
-    cmd: string,
-    args: string[] = [];
-  if (DISABLE_NSJAIL) {
-    // DANGEROUS: no safety at all here!
-    // This may be useful in some environments, especially for debugging.
-    cmd = process.execPath;
-    script = join(root, "packages/project/bin/cocalc-project.js");
-  } else {
-    script = "/cocalc/src/packages/project/bin/cocalc-project.js";
-    args.push(
-      "-q", // not too verbose
-      "-Mo", // run a command once
-      "--disable_clone_newnet", // [ ] TODO: for now we have the full host network
-      "--keep_env", // this just keeps env
-      "--keep_caps", // [ ] TODO: maybe NOT needed!
-      "--skip_setsid", // evidently needed for terminal signals (e.g., ctrl+z); dangerous.  [ ] TODO -- really needed?
-    );
-
-    args.push("--hostname", `project-${env.COCALC_PROJECT_ID}`);
-
-    if (uid != null && gid != null) {
-      args.push("-u", `${uid}`, "-g", `${gid}`);
-    }
-
-    for (const type in MOUNTS) {
-      for (const path of MOUNTS[type]) {
-        args.push(type, path);
-      }
-    }
-    // need a /tmp directory
-    args.push("-m", "none:/tmp:tmpfs:size=500000000");
-
-    args.push("-B", `${home}:${env.HOME}`);
-    args.push(...limits(config));
-    args.push("--");
-    args.push(nodePath);
-    cmd = nsjail;
-  }
-
-  args.push(script, "--init", "project_init.sh");
-
-  //logEnv(env);
-  // console.log(`${cmd} ${args.join(" ")}`);
-  logger.debug(`${cmd} ${args.join(" ")}`);
-  const child = spawn(cmd, args, {
-    env,
-    uid,
-    gid: uid,
-  });
-  children[project_id] = child;
-
-  child.stdout.on("data", (chunk: Buffer) => {
-    logger.debug(`project_id=${project_id}.stdout: `, chunk.toString());
-  });
-  child.stderr.on("data", (chunk: Buffer) => {
-    logger.debug(`project_id=${project_id}.stderr: `, chunk.toString());
-  });
-}
+import { init as initFilesystem } from "./filesystem";
+import getLogger from "@cocalc/backend/logger";
+import * as nsjail from "./nsjail";
+import { init as initMounts } from "./mounts";
 
-async function stop({ project_id }) {
-  if (!isValidUUID(project_id)) {
-    throw Error("stop: project_id must be valid");
-  }
-  logger.debug("stop", { project_id });
-  const child = children[project_id];
-  if (child != null && child.exitCode == null) {
-    const exit = once(child, "exit", GRACE_PERIOD);
-    child.kill("SIGTERM");
-    try {
-      await exit;
-    } catch {
-      const exit2 = once(child, "exit");
-      child.kill("SIGKILL");
-      await exit2;
-    }
-    delete children[project_id];
-  }
-}
-
-async function status({ project_id }) {
-  if (!isValidUUID(project_id)) {
-    throw Error("status: project_id must be valid");
-  }
-  logger.debug("status", { project_id });
-  let state;
-  if (children[project_id] == null || children[project_id].exitCode) {
-    state = "opened";
-  } else {
-    state = "running";
-  }
-  // [ ] TODO: ip -- need to figure out the networking story for running projects
-  // The following will only work on a single machine with global network address space
-  return { state, ip: "127.0.0.1" };
-}
+const logger = getLogger("project-runner:run");
 
 let client: ConatClient | null = null;
-export async function init(opts: { client?: ConatClient } = {}) {
+export async function init(
+  opts: { client?: ConatClient; runtime?: "nsjail" | "podman" } = {},
+) {
+  logger.debug("init", opts.runtime);
+  let runtime;
+  switch (opts.runtime) {
+    case "nsjail":
+      runtime = nsjail;
+      break;
+    default:
+      throw Error(`runtime '${opts.runtime}' not implemented`);
+  }
   client = opts.client ?? conat();
+  initFilesystem({ client });
   await initMounts();
+
+  const { start, stop, status } = runtime;
   return await projectRunnerServer({
     client,
     start: reuseInFlight(start),
@@ -256,27 +44,6 @@ export async function init(opts: { client?: ConatClient } = {}) {
   });
 }
 
-export function killAllProjects() {
-  for (const project_id in children) {
-    logger.debug(`killing project_id=${project_id}`);
-    children[project_id]?.kill("SIGKILL");
-    delete children[project_id];
-  }
+export function close() {
+  nsjail.close();
 }
-
-// important to killAllProjects, because it kills all
-// the processes that were spawned
-process.once("exit", killAllProjects);
-["SIGINT", "SIGTERM", "SIGQUIT"].forEach((sig) => {
-  process.once(sig, () => {
-    process.exit();
-  });
-});
-
-// function logEnv(env) {
-//   let s = "export ";
-//   for (const key in env) {
-//     s += `${key}="${env[key]}" `;
-//   }
-//   console.log(s);
-// }

src/packages/project-runner/run/mounts.ts

@@ -0,0 +1,46 @@
+import getLogger from "@cocalc/backend/logger";
+import { basename, dirname, join } from "node:path";
+import { root } from "@cocalc/backend/data";
+import { exists } from "@cocalc/backend/misc/async-utils-node";
+
+const logger = getLogger("project-runner:mounts");
+
+const MOUNTS = {
+  "-R": ["/etc", "/var", "/bin", "/lib", "/usr", "/lib64", "/run"],
+  "-B": ["/dev"],
+};
+
+export let nodePath = process.execPath;
+let initialized = false;
+export async function init() {
+  if (initialized) {
+    return;
+  }
+  logger.debug("init");
+  initialized = true;
+  for (const type in MOUNTS) {
+    const v: string[] = [];
+    for (const path of MOUNTS[type]) {
+      if (await exists(path)) {
+        v.push(path);
+      }
+    }
+    MOUNTS[type] = v;
+  }
+  MOUNTS["-R"].push(`${dirname(root)}:/cocalc`);
+
+  // also if this node is install via nvm, we make exactly this
+  // version of node's install available
+  if (!process.execPath.startsWith("/usr/")) {
+    // not already in an obvious system-wide place we included above
+    // IMPORTANT: take care not to put the binary next to sensitive info!
+    MOUNTS["-R"].push(`${dirname(process.execPath)}:/cocalc/bin`);
+    nodePath = join("/cocalc/bin", basename(process.execPath));
+  }
+  logger.debug(MOUNTS);
+}
+
+export async function getMounts() {
+  await init();
+  return MOUNTS;
+}