Sanitizing the docker user in calls to exec_run()

henricasanova · henricasanova · commit 9d08a21c2d65 · 2026-02-01T12:02:20.000-10:00
diff --git a/tests/test_helpers.py b/tests/test_helpers.py
@@ -50,39 +50,23 @@ def _install_WfCommons_on_container(container):
     tar_data = _make_tarfile_of_wfcommons()
     container.put_archive(target_path, tar_data)
     # Cleanup files that came from the host
-    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/build/", user="root", stdout=True, stderr=True)
-    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/*.egg-info/", user="root", stdout=True, stderr=True)
+    exit_code, output = container.exec_run("sudo chown -R wfcommons:wfcommons /tmp/WfCommons", user="wfcommons", stdout=True, stderr=True)
+    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/build/", user="wfcommons", stdout=True, stderr=True)
+    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/*.egg-info/", user="wfcommons", stdout=True, stderr=True)
     # Clean up and force a rebuild of cpu-benchmark (because it may be compiled for the wrong architecture)
-    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/bin/cpu-benchmark.o", user="root", stdout=True,
+    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/bin/cpu-benchmark.o", user="wfcommons", stdout=True,
                                            stderr=True)
-    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/bin/cpu-benchmark", user="root", stdout=True,
+    exit_code, output = container.exec_run("/bin/rm -rf /tmp/WfCommons/bin/cpu-benchmark", user="wfcommons", stdout=True,
                                            stderr=True)
 
     # Install WfCommons on the container (to install wfbench and cpu-benchmark really)
-    exit_code, output = container.exec_run("python3 -m pip install . --break-system-packages",
-                                           user="root",
+    exit_code, output = container.exec_run("sudo python3 -m pip install . --break-system-packages",
+                                           user="wfcommons",
                                            workdir="/tmp/WfCommons", stdout=True, stderr=True)
     if exit_code != 0:
         print(output.decode())
         raise RuntimeError("Failed to pip install WfCommons on the container")
 
-    # Copy the ~/.local directory to /home/wfcommons/, because the path
-    # is /home/wfcommons (because this current Docker user may be unknown a priori)
-    # This is hack, and requires that the /home/wfcommons directory be world-read-write-exec,
-    # but who cares, these are containers!
-
-    # exit_code, output = container.exec_run(
-    #     ["sh", "-c", "whoami"],
-    #     stdout=True, stderr=True)
-    # print(f"WHOAMI: {output.decode()}")
-    # exit_code, output = container.exec_run(
-    #     ["sh", "-c", "ls /home/wfcommons/.local"],
-    #     stdout=True, stderr=True)
-    # print(f"LS /home/wfcommons/.local : {output.decode()}")
-    # exit_code, output = container.exec_run(
-    #     ["sh", "-c", "cp -r /.local /home/wfcommons/"],
-    #     stdout=True, stderr=True)
-
 
 def _start_docker_container(backend, mounted_dir, working_dir, bin_dir, command=None):
     if command is None:
@@ -105,6 +89,7 @@ def _start_docker_container(backend, mounted_dir, working_dir, bin_dir, command=
         command=command,
         volumes={mounted_dir: {'bind': mounted_dir, 'mode': 'rw'}},
         working_dir=working_dir,
+        user="wfcommons",
         tty=True,
         detach=True
     )
@@ -116,19 +101,22 @@ def _start_docker_container(backend, mounted_dir, working_dir, bin_dir, command=
     if bin_dir:
         sys.stderr.write(f"[{backend}] Copying wfbench and cpu-benchmark...\n")
         exit_code, output = container.exec_run(["sh", "-c", "sudo cp -f `which wfbench` " + bin_dir],
+                                               user="wfcommons",
                                                stdout=True, stderr=True)
         if exit_code != 0:
             raise RuntimeError("Failed to copy wfbench script to the bin directory")
 
         exit_code, output = container.exec_run(["sh", "-c", "sudo cp -f `which cpu-benchmark` " + bin_dir],
+                                               user="wfcommons",
                                                stdout=True, stderr=True)
         if exit_code != 0:
             raise RuntimeError("Failed to copy cpu-benchmark executable to the bin directory")
     else:
         sys.stderr.write(f"[{backend}] Not Copying wfbench and cpu-benchmark...\n")
 
     # Change file permissions
-    exit_code, output = container.exec_run(["sh", "-c", "sudo chown -R wfcommons:wfcommons "],
+    exit_code, output = container.exec_run(["sh", "-c", "sudo chown -R wfcommons:wfcommons ."],
+                                           user="wfcommons",
                                            stdout=True, stderr=True)
 
 
diff --git a/tests/translators_loggers/test_translators_loggers.py b/tests/translators_loggers/test_translators_loggers.py
@@ -65,6 +65,7 @@ def _additional_setup_taskvine(container):
     # Create the poncho package
     exit_code, output = container.exec_run(cmd=["bash", "-c",
                                                 "source ~/conda/etc/profile.d/conda.sh && conda activate && poncho_package_create taskvine_poncho.json taskvine_poncho.tar.gz"],
+                                           user="wfcommons",
                                            stdout=True, stderr=True)
     if exit_code != 0:
         raise Exception("Failed to setup TaskVine: cannot create poncho package")
@@ -79,25 +80,27 @@ def _additional_setup_pegasus(container):
     # Start Condor
     exit_code, output = container.exec_run(cmd=["bash", "-c",
                                                 "bash /home/wfcommons/start_condor.sh"],
+                                           user="wfcommons",
                                            stdout=True, stderr=True)
     if exit_code != 0:
         raise Exception("Failed to setup Pegasus: cannot start HTCondor")
     # Run pegasus script
     exit_code, output = container.exec_run(cmd=["bash", "-c",
                                                 "python3 ./pegasus_workflow.py"],
+                                           user="wfcommons",
                                            stdout=True, stderr=True)
     if exit_code != 0:
         raise Exception("Failed to setup Pegasus: error while running the pegasus_workflow.py script")
 
 def _additional_setup_swiftt(container):
     # Start a redis server in the background
     exit_code, output = container.exec_run(
-        cmd=["bash", "-c", "redis-server"], detach=True, stdout=True, stderr=True)
+        cmd=["bash", "-c", "redis-server"], user="wfcommons", detach=True, stdout=True, stderr=True)
     # Note that exit_code will always be None because of detach=True.
 
     # Check that the redis-server is up
     exit_code, output = container.exec_run(
-        cmd=["bash", "-c", "redis-cli ping"], stdout=True, stderr=True)
+        cmd=["bash", "-c", "redis-cli ping"], user="wfcommons", stdout=True, stderr=True)
     if output.decode().strip() != 'PONG':
         raise Exception("Failed to start redis-server...")
 
@@ -120,24 +123,24 @@ def _additional_setup_swiftt(container):
 #############################################################################
 
 def run_workflow_dask(container, num_tasks, str_dirpath):
-    exit_code, output = container.exec_run("python ./dask_workflow.py", stdout=True, stderr=True)
+    exit_code, output = container.exec_run("python ./dask_workflow.py", user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert (output.decode().count("completed!")  == num_tasks)
     # TODO: Look at the (I think) generated run.json file on the container?
 
 def run_workflow_parsl(container, num_tasks, str_dirpath):
-    exit_code, output = container.exec_run("python ./parsl_workflow.py", stdout=True, stderr=True)
-    ignored, output = container.exec_run(f"cat {str_dirpath}/runinfo/000/parsl.log", stdout=True, stderr=True)
+    exit_code, output = container.exec_run("python ./parsl_workflow.py", user="wfcommons", stdout=True, stderr=True)
+    ignored, output = container.exec_run(f"cat {str_dirpath}/runinfo/000/parsl.log", user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert ("completed" in output.decode())
     assert (output.decode().count("_complete_task") == num_tasks)
 
 def run_workflow_nextflow(container, num_tasks, str_dirpath):
     # Run the workflow!
-    exit_code, output = container.exec_run(f"nextflow run ./workflow.nf --pwd .", stdout=True, stderr=True)
-    ignored, task_exit_codes = container.exec_run("find . -name .exitcode -exec cat {} \;", stdout=True, stderr=True)
+    exit_code, output = container.exec_run(f"nextflow run ./workflow.nf --pwd .", user="wfcommons", stdout=True, stderr=True)
+    ignored, task_exit_codes = container.exec_run("find . -name .exitcode -exec cat {} \;", user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert (task_exit_codes.decode() == num_tasks * "0")
@@ -146,29 +149,30 @@ def run_workflow_airflow(container, num_tasks, str_dirpath):
     # Run the workflow! (use a specific working directory)
     # TODO: Remove the hardcoded Blast-Benchmark as it's ugly
     exit_code, output = container.exec_run(cmd=["sh", "-c", "cd /home/wfcommons/ && sudo /bin/bash /run_a_workflow.sh Blast-Benchmark"],
-                                           stdout=True,
-                                           stderr=True)
+                                           user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert (output.decode().count("completed") == num_tasks * 2)
 
 def run_workflow_bash(container, num_tasks, str_dirpath):
     # Run the workflow!
-    exit_code, output = container.exec_run(cmd="/bin/bash ./run_workflow.sh", stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd="/bin/bash ./run_workflow.sh", user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert (output.decode().count("completed") == num_tasks)
 
 def run_workflow_taskvine(container, num_tasks, str_dirpath):
     # Run the workflow!
-    exit_code, output = container.exec_run(cmd=["bash", "-c", "source ~/conda/etc/profile.d/conda.sh && conda activate && python3 ./taskvine_workflow.py"], stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd=["bash", "-c", "source ~/conda/etc/profile.d/conda.sh && conda activate && python3 ./taskvine_workflow.py"],
+                                           user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     assert (output.decode().count("completed") == num_tasks)
 
 def run_workflow_makeflow(container, num_tasks, str_dirpath):
     # Run the workflow (with full logging)
-    exit_code, output = container.exec_run(cmd=["bash", "-c", "source ~/conda/etc/profile.d/conda.sh && conda activate && makeflow --log-verbose  --monitor=./monitor_data/ ./workflow.makeflow"], stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd=["bash", "-c", "source ~/conda/etc/profile.d/conda.sh && conda activate && makeflow --log-verbose  --monitor=./monitor_data/ ./workflow.makeflow"],
+                                           user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     num_completed_jobs = len(re.findall(r'job \d+ completed', output.decode()))
@@ -177,7 +181,8 @@ def run_workflow_makeflow(container, num_tasks, str_dirpath):
 def run_workflow_cwl(container, num_tasks, str_dirpath):
     # Run the workflow!
     # Note that the input file is hardcoded and Blast-specific
-    exit_code, output = container.exec_run(cmd="cwltool ./main.cwl --split_fasta_00000001_input ./data/workflow_infile_0001 ", stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd="cwltool ./main.cwl --split_fasta_00000001_input ./data/workflow_infile_0001 ",
+                                           user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert (exit_code == 0)
     # this below is ugly (the 3 is for "workflow", "compile_output_files" and "compile_log_files",
@@ -186,14 +191,16 @@ def run_workflow_cwl(container, num_tasks, str_dirpath):
 
 def run_workflow_pegasus(container, num_tasks, str_dirpath):
     # Run the workflow!
-    exit_code, output = container.exec_run(cmd="bash /home/wfcommons/run_workflow.sh", stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd="bash /home/wfcommons/run_workflow.sh",
+                                           user="wfcommons", stdout=True, stderr=True)
     # Check sanity
     assert(exit_code == 0)
     assert("success" in output.decode())
 
 def run_workflow_swiftt(container, num_tasks, str_dirpath):
     # Run the workflow!
-    exit_code, output = container.exec_run(cmd="swift-t workflow.swift", stdout=True, stderr=True)
+    exit_code, output = container.exec_run(cmd="swift-t workflow.swift",
+                                           user="wfcommons", stdout=True, stderr=True)
     # sys.stderr.write(output.decode())
     # Check sanity
     assert(exit_code == 0)
