
Dev fixes #28

Merged: mmatthiesencsc merged 28 commits into main from dev-fixes on Apr 1, 2026

Contributor

@Traubert Traubert commented Jan 8, 2026

Various issues prevented the client commands from completing successfully. This branch at least makes things complete, though some things should still be fixed more correctly.

Many changes have stupidly been piled on this same PR, we'll review with some team and see if this is mergeable.

- Add get_vault_client() helper to refresh JWT tokens before Vault operations
  (JWT SVIDs expire after 1h, Vault tokens after 24h)
- Change workload selector from docker:image_id: to unix:uid:0
  (Docker attestor not working, all client containers run as root)
- Add chmod 777 for SPIRE agent socket after creation
  (Fixes socket permission issues preventing SVID fetching)

These changes fix the client registration failures and allow data/container/job
preparation workflows to complete successfully.

Container building can somewhat confusingly fail when the sif image
already exists, or when the host /tmp ends up getting mounted to the
build container's /output. These are intended to avoid those
problems by default, and provide some configurability.

Traubert added 17 commits March 25, 2026 15:15

Previously, "follow" meant to stream job log output, and otherwise we
persisted with the job, printing changes in its status. Now, "follow"
means the old default state, --verbose means to stream the job log,
and the default is to exit after the job has been submitted.

First wait, then check if process died, then print that we're waiting
some more. This way there's usually no concerning needless printing.

(Because of the need to use our own binary which may not be able to
access system's LDAP, this is why we also need to use UID attestation
instead of username)

Traubert changed the title from "WIP dev fixes" to "Dev fixes" on Mar 27, 2026
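
Added example, not code from this pull request or the project: one way a refresh helper like the `get_vault_client()` described in the commit message above can handle the mismatch between 1h JWT SVIDs and 24h Vault tokens. `VaultSession`, `fetch_svid`, `vault_login`, `constructed_jwt` and the 60-second skew are assumptions made for illustration; only the two lifetimes come from the page.

```python
import base64
import json
import time

SVID_TTL = 3600        # from the commit message: JWT SVIDs expire after 1h
VAULT_TTL = 24 * 3600  # from the commit message: Vault tokens expire after 24h


def jwt_expiry(token):
    """Return the `exp` claim of a JWT. No signature check: used for scheduling only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def constructed_jwt(exp):
    """Build an unsigned sample token (constructed test data, not a real SVID)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"sub": "spiffe://example.org/client", "exp": exp}
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


class VaultSession:
    """Re-authenticate to Vault with a fresh JWT-SVID whenever the cached token is stale."""

    def __init__(self, fetch_svid, vault_login, skew=60, clock=time.time):
        self.fetch_svid = fetch_svid    # hypothetical callable: () -> JWT string
        self.vault_login = vault_login  # hypothetical callable: jwt -> (token, ttl_seconds)
        self.skew, self.clock = skew, clock
        self.token, self.token_exp, self.logins = None, 0, 0

    def get_token(self):
        now = self.clock()
        if self.token is None or now >= self.token_exp - self.skew:
            jwt = self.fetch_svid()  # always fetch anew; never reuse a startup-time SVID
            if jwt_expiry(jwt) - self.skew <= now:
                raise RuntimeError("JWT-SVID is expired or about to expire")
            self.token, ttl = self.vault_login(jwt)
            self.token_exp = now + ttl
            self.logins += 1
        return self.token
```

The SVID is only needed at login time, so a cached Vault token stays usable after the SVID that produced it has expired; what fails is logging in again with an SVID fetched once at startup.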
Collaborator

@mmatthiesencsc mmatthiesencsc left a comment

Looks good, great steps ahead. I created #29 but that is for later to decide.

Comment thread server/app.py Outdated
Comment thread client/container_preparation/entrypoint.sh
@mmatthiesencsc
Collaborator

The checks fail in part because of missing LFS budget. Ignoring for now.

@mmatthiesencsc mmatthiesencsc merged commit 32a3e96 into main Apr 1, 2026
2 of 8 checks passed