getting basic podman to work

Author: williamstein

src/packages/project-runner/bin/start.js

@@ -4,6 +4,6 @@ const { init } = require("@cocalc/project-runner/run");
 
 (async () => {
   console.log("Starting...");
-  await init({runtime:'nsjail'});
+  await init();
   console.log("CoCalc Project Runner ready");
 })();

src/packages/project-runner/run/index.ts

@@ -14,6 +14,7 @@ export { type Configuration };
 import { init as initFilesystem } from "./filesystem";
 import getLogger from "@cocalc/backend/logger";
 import * as nsjail from "./nsjail";
+import * as podman from "./podman";
 import { init as initMounts } from "./mounts";
 
 const logger = getLogger("project-runner:run");
@@ -22,14 +23,18 @@ let client: ConatClient | null = null;
 export async function init(
   opts: { client?: ConatClient; runtime?: "nsjail" | "podman" } = {},
 ) {
-  logger.debug("init", opts.runtime);
+  const runtimeName = opts.runtime ?? "podman";
+  logger.debug("init", runtimeName);
   let runtime;
-  switch (opts.runtime) {
+  switch (runtimeName) {
     case "nsjail":
       runtime = nsjail;
       break;
+    case "podman":
+      runtime = podman;
+      break;
     default:
-      throw Error(`runtime '${opts.runtime}' not implemented`);
+      throw Error(`runtime '${runtimeName}' not implemented`);
   }
   client = opts.client ?? conat();
   initFilesystem({ client });

src/packages/project-runner/run/mounts.ts

@@ -27,19 +27,23 @@ export async function init() {
     }
     MOUNTS[type] = v;
   }
-  MOUNTS["-R"].push(`${dirname(root)}:/cocalc`);
-
-  // also if this node is install via nvm, we make exactly this
-  // version of node's install available
-  if (!process.execPath.startsWith("/usr/")) {
-    // not already in an obvious system-wide place we included above
-    // IMPORTANT: take care not to put the binary next to sensitive info!
-    MOUNTS["-R"].push(`${dirname(process.execPath)}:/cocalc/bin`);
-    nodePath = join("/cocalc/bin", basename(process.execPath));
+  const cocalcMounts = getCoCalcMounts();
+  for (const path in cocalcMounts) {
+    MOUNTS[path] = cocalcMounts[path];
   }
   logger.debug(MOUNTS);
 }
 
+export function getCoCalcMounts() {
+  nodePath = join("/cocalc/bin", basename(process.execPath));
+  // IMPORTANT: take care not to put the binary next to sensitive info due
+  // to mapping in process.execPath!
+  return {
+    [dirname(root)]: "/cocalc",
+    [dirname(process.execPath)]: "/cocalc/bin",
+  };
+}
+
 export async function getMounts() {
   await init();
   return MOUNTS;

src/packages/project-runner/run/nsjail.ts

@@ -33,7 +33,7 @@ import { once } from "@cocalc/util/async-utils";
 import { getMounts } from "./mounts";
 import { mountHome, setQuota } from "./filesystem";
 
-// for development it may be useful to just disabling using nsjail namespaces
+// for development it may be useful to just disable using nsjail namespaces
 // entirely -- change this to true to do so.
 const DISABLE_NSJAIL = false;
 
@@ -63,7 +63,7 @@ export async function start({
   let uid, gid;
   if (userInfo().uid) {
     // server running as non-root user -- single user mode
-    uid = gid = userInfo().uid;
+    ({ uid, gid } = userInfo());
   } else {
     // server is running as root -- multiuser mode
     uid = gid = DEFAULT_UID;

src/packages/project-runner/run/podman.ts

@@ -0,0 +1,156 @@
+/*
+Runner based on podman.
+*/
+
+import getLogger from "@cocalc/backend/logger";
+import { nodePath } from "./mounts";
+import { isValidUUID } from "@cocalc/util/misc";
+import { ensureConfFilesExists, setupDataPath, writeSecretToken } from "./util";
+import { getEnvironment } from "./env";
+import { mkdir } from "fs/promises";
+import { spawn } from "node:child_process";
+import { type Configuration } from "./types";
+export { type Configuration };
+import { getCoCalcMounts } from "./mounts";
+import { mountHome, setQuota } from "./filesystem";
+import { executeCode } from "@cocalc/backend/execute-code";
+
+const logger = getLogger("project-runner:podman");
+const children: { [project_id: string]: any } = {};
+
+const GRACE_PERIOD = 2000;
+
+const DEFAULT_IMAGE = "ubuntu:25.04";
+
+export async function start({
+  project_id,
+  config,
+}: {
+  project_id: string;
+  config?: Configuration;
+}) {
+  if (!isValidUUID(project_id)) {
+    throw Error("start: project_id must be valid");
+  }
+  logger.debug("start", { project_id, config: { ...config, secret: "xxx" } });
+  if (children[project_id] != null && children[project_id].exitCode == null) {
+    logger.debug("start -- already running");
+    return;
+  }
+
+  const home = await mountHome(project_id);
+  await mkdir(home, { recursive: true });
+  await ensureConfFilesExists(home);
+  const env = getEnvironment({
+    project_id,
+    env: config?.env,
+    HOME: "/home/user",
+  });
+  await setupDataPath(home);
+  if (config?.secret) {
+    await writeSecretToken(home, config.secret);
+  }
+
+  if (config?.disk) {
+    // TODO: maybe this should be done in parallel with other things
+    // to make startup time slightly faster (?) -- could also be incorporated
+    // into mount.
+    await setQuota(project_id, config.disk);
+  }
+
+  const args: string[] = ["run", "--rm", "--network=host", "--user=0:0"];
+  const cmd = "podman";
+  const script = "/cocalc/src/packages/project/bin/cocalc-project.js";
+
+  args.push("--hostname", `project-${project_id}`);
+  args.push("--name", `project-${project_id}`);
+
+  const mounts = getCoCalcMounts();
+  for (const path in mounts) {
+    args.push("-v", `${path}:${mounts[path]}:ro`);
+  }
+  args.push("-v", `${home}:${env.HOME}`);
+  for (const name in env) {
+    args.push("-e", `${name}=${env[name]}`);
+  }
+
+  args.push(config?.image ?? DEFAULT_IMAGE);
+  args.push(nodePath);
+  args.push(script, "--init", "project_init.sh");
+
+  console.log(`${cmd} ${args.join(" ")}`);
+  logger.debug(`${cmd} ${args.join(" ")}`);
+
+  const child = spawn(cmd, args);
+  children[project_id] = child;
+
+  child.stdout.on("data", (chunk: Buffer) => {
+    logger.debug(`project_id=${project_id}.stdout: `, chunk.toString());
+  });
+  child.stderr.on("data", (chunk: Buffer) => {
+    logger.debug(`project_id=${project_id}.stderr: `, chunk.toString());
+  });
+}
+
+export async function stop({ project_id }) {
+  if (!isValidUUID(project_id)) {
+    throw Error("stop: project_id must be valid");
+  }
+  logger.debug("stop", { project_id });
+  const child = children[project_id];
+  if (child != null && child.exitCode == null) {
+    try {
+      await podman([
+        "stop",
+        "-t",
+        `${GRACE_PERIOD / 1000}`,
+        `project-${project_id}`,
+      ]);
+      await podman(["rm", `project-${project_id}`]);
+    } catch {}
+    delete children[project_id];
+  }
+}
+
+async function podman(args: string[]) {
+  return await executeCode({ command: "podman", args, err_on_exit: true });
+}
+
+async function state(project_id) {
+  const { stdout } = await podman([
+    "ps",
+    "--filter",
+    `name=project-${project_id}`,
+    "--format",
+    "{{.State}}",
+  ]);
+  return stdout.trim() == "running" ? "running" : "opened";
+}
+
+export async function status({ project_id }) {
+  if (!isValidUUID(project_id)) {
+    throw Error("status: project_id must be valid");
+  }
+  logger.debug("status", { project_id });
+  // TODO
+  return { state: await state(project_id), ip: "127.0.0.1" };
+}
+
+export async function close() {
+  const v: any[] = [];
+  for (const project_id in children) {
+    logger.debug(`killing project_id=${project_id}`);
+    v.push(stop({ project_id }));
+    delete children[project_id];
+  }
+  await Promise.all(v);
+}
+
+// important because it kills all
+// the processes that were spawned
+process.once("exit", close);
+["SIGINT", "SIGTERM", "SIGQUIT"].forEach((sig) => {
+  process.once(sig, () => {
+    process.exit();
+  });
+});

src/packages/project-runner/run/types.ts

@@ -1,4 +1,6 @@
 export interface Configuration {
+  // optional Docker image
+  image?: string;
   // shared secret between project and hubs to enhance security (via defense in depth)
   secret?: string;
   // extra variables that get merged into the environment of the project.

src/packages/server/conat/project/run.ts

@@ -21,11 +21,10 @@ const logger = getLogger("server:conat:project:run");
 
 const servers: any[] = [];
 export async function init(count: number = 1) {
-  const opts = { runtime: "nsjail" as "nsjail" };
-  logger.debug("init project runner(s)", { count, opts });
+  logger.debug("init project runner(s)", { count });
   await loadConatConfiguration();
   for (let i = 0; i < count; i++) {
-    const server = await initProjectRunner(opts);
+    const server = await initProjectRunner();
     servers.push(server);
   }
 }