fix(package): Don't remap output paths when mounting into CLP execution containers (fixes #960). (#998)

Co-authored-by: kirkrodrigues <2454684+kirkrodrigues@users.noreply.github.com>

Author: haiqi96

components/clp-package-utils/clp_package_utils/general.py

@@ -38,6 +38,7 @@
 EXTRACT_JSON_CMD = "j"
 
 # Paths
+CONTAINER_AWS_CONFIG_DIRECTORY = pathlib.Path("/") / ".aws"
 CONTAINER_CLP_HOME = pathlib.Path("/") / "opt" / "clp"
 CONTAINER_INPUT_LOGS_ROOT_DIR = pathlib.Path("/") / "mnt" / "logs"
 CLP_DEFAULT_CONFIG_FILE_RELATIVE_PATH = pathlib.Path("etc") / "clp-config.yml"
@@ -227,23 +228,20 @@ def generate_container_config(
             DockerMountType.BIND, input_logs_dir, container_clp_config.logs_input.directory, True
         )
 
-    container_clp_config.data_directory = CONTAINER_CLP_HOME / "var" / "data"
     if not is_path_already_mounted(
         clp_home, CONTAINER_CLP_HOME, clp_config.data_directory, container_clp_config.data_directory
     ):
         docker_mounts.data_dir = DockerMount(
             DockerMountType.BIND, clp_config.data_directory, container_clp_config.data_directory
         )
 
-    container_clp_config.logs_directory = CONTAINER_CLP_HOME / "var" / "log"
     if not is_path_already_mounted(
         clp_home, CONTAINER_CLP_HOME, clp_config.logs_directory, container_clp_config.logs_directory
     ):
         docker_mounts.logs_dir = DockerMount(
             DockerMountType.BIND, clp_config.logs_directory, container_clp_config.logs_directory
         )
 
-    container_clp_config.archive_output.set_directory(pathlib.Path("/") / "mnt" / "archive-output")
     if not is_path_already_mounted(
         clp_home,
         CONTAINER_CLP_HOME,
@@ -256,7 +254,6 @@ def generate_container_config(
             container_clp_config.archive_output.get_directory(),
         )
 
-    container_clp_config.stream_output.set_directory(pathlib.Path("/") / "mnt" / "stream-output")
     if not is_path_already_mounted(
         clp_home,
         CONTAINER_CLP_HOME,
@@ -271,7 +268,7 @@ def generate_container_config(
 
     # Only create the mount if the directory exists
     if clp_config.aws_config_directory is not None:
-        container_clp_config.aws_config_directory = pathlib.Path("/") / ".aws"
+        container_clp_config.aws_config_directory = CONTAINER_AWS_CONFIG_DIRECTORY
         docker_mounts.aws_config_dir = DockerMount(
             DockerMountType.BIND,
             clp_config.aws_config_directory,
@@ -369,6 +366,9 @@ def load_config_file(
     clp_config.make_config_paths_absolute(clp_home)
     clp_config.load_execution_container_name()
 
+    validate_path_for_container_mount(clp_config.data_directory)
+    validate_path_for_container_mount(clp_config.logs_directory)
+
     # Make data and logs directories node-specific
     hostname = socket.gethostname()
     clp_config.data_directory /= hostname
@@ -509,6 +509,9 @@ def validate_worker_config(clp_config: CLPConfig):
     clp_config.validate_archive_output_config()
     clp_config.validate_stream_output_config()
 
+    validate_path_for_container_mount(clp_config.archive_output.get_directory())
+    validate_path_for_container_mount(clp_config.stream_output.get_directory())
+
 
 def validate_webui_config(
     clp_config: CLPConfig, logs_dir: pathlib.Path, settings_json_path: pathlib.Path
@@ -537,3 +540,37 @@ def validate_log_viewer_webui_config(clp_config: CLPConfig, settings_json_path:
         clp_config.log_viewer_webui.host,
         clp_config.log_viewer_webui.port,
     )
+
+
+def validate_path_for_container_mount(path: pathlib.Path) -> None:
+    RESTRICTED_PREFIXES: List[pathlib.Path] = [
+        CONTAINER_AWS_CONFIG_DIRECTORY,
+        CONTAINER_CLP_HOME,
+        CONTAINER_INPUT_LOGS_ROOT_DIR,
+        pathlib.Path("/bin"),
+        pathlib.Path("/boot"),
+        pathlib.Path("/dev"),
+        pathlib.Path("/etc"),
+        pathlib.Path("/lib"),
+        pathlib.Path("/lib32"),
+        pathlib.Path("/lib64"),
+        pathlib.Path("/libx32"),
+        pathlib.Path("/proc"),
+        pathlib.Path("/root"),
+        pathlib.Path("/run"),
+        pathlib.Path("/sbin"),
+        pathlib.Path("/srv"),
+        pathlib.Path("/sys"),
+        pathlib.Path("/usr"),
+        pathlib.Path("/var"),
+    ]
+
+    if not path.is_absolute():
+        raise ValueError(f"Path: `{path}` must be absolute:")
+
+    for prefix in RESTRICTED_PREFIXES:
+        if path.is_relative_to(prefix):
+            raise ValueError(
+                f"Invalid path: `{path}` cannot be under '{prefix}' which may overlap with a path"
+                f" in the container."
+            )

components/package-template/src/etc/clp-config.yml

@@ -71,6 +71,8 @@
 #archive_output:
 #  storage:
 #    type: "fs"
+#    # NOTE: This directory must not overlap with any path used in CLP's execution container. An
+#    # error will be raised if so.
 #    directory: "var/data/archives"
 #
 #  # How much data CLP should try to compress into each archive
@@ -94,16 +96,22 @@
 #stream_output:
 #  storage:
 #    type: "fs"
+#    # NOTE: This directory must not overlap with any path used in CLP's execution container. An
+#    # error will be raised if so.
 #    directory: "var/data/streams"
 #
 #  # How large each stream file should be before being split into a new stream file
 #  target_uncompressed_size: 134217728  # 128 MB
 #
 ## Location where other data (besides archives) are stored. It will be created if
 ## it doesn't exist.
+## NOTE: This directory must not overlap with any path used in CLP's execution container. An error
+## will be raised if so.
 #data_directory: "var/data"
 #
 ## Location where logs are stored. It will be created if it doesn't exist.
+## NOTE: This directory must not overlap with any path used in CLP's execution container. An error
+## will be raised if so.
 #logs_directory: "var/log"
 #
 ## Location of the AWS tools' config files (e.g., `~/.aws`)