Fix #35551: allow to use read-only root file system in ecs

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsBackend.java

@@ -329,7 +329,8 @@ private String getTaskDefinition(Authentication user, ContainerSpec spec, EcsSpe
             .dockerLabels(dockerLabels)
             .logConfiguration(getLogConfiguration(proxy.getSpecId()))
             .mountPoints(volumes.getSecond())
-            .secrets(getSecrets(specExtension));
+            .secrets(getSecrets(specExtension))
+            .readonlyRootFilesystem(specExtension.getEcsReadonlyRootFilesystem().getValueOrDefault(false));
 
         String credentials = specExtension.getEcsRepositoryCredentialsParameter().getValueOrDefault(defaultRepositoryCredentialsParameter);
         if (credentials != null && !credentials.isBlank()) {
@@ -375,7 +376,7 @@ private LogConfiguration getLogConfiguration(String specId) {
 
     private Pair<List<Volume>, List<MountPoint>> getVolumes(ContainerSpec spec, EcsSpecExtension specExtension) {
         List<String> volumeNames = new ArrayList<>();
-        List<Volume> efsVolumeConfigurations = new ArrayList<>();
+        List<Volume> volumeConfigurations = new ArrayList<>();
         for (EcsEfsVolume volume : specExtension.getEcsEfsVolumes()) {
             EFSVolumeConfiguration.Builder efsVolumeConfiguration = EFSVolumeConfiguration.builder();
             efsVolumeConfiguration.fileSystemId(volume.getFileSystemId().getValue());
@@ -397,10 +398,18 @@ private Pair<List<Volume>, List<MountPoint>> getVolumes(ContainerSpec spec, EcsS
                 .name(volume.getName().getValue())
                 .build();
 
-            efsVolumeConfigurations.add(finalVolume);
+            volumeConfigurations.add(finalVolume);
             volumeNames.add(volume.getName().getValue());
         }
 
+        for (String volume : specExtension.getEcsBindVolumes()) {
+            volumeConfigurations.add(Volume.builder()
+                .name(volume)
+                .build()
+            );
+            volumeNames.add(volume);
+        }
+
         List<MountPoint> mountPoints = new ArrayList<>();
         if (spec.getVolumes().isPresent()) {
             for (String volume : spec.getVolumes().getValue()) {
@@ -411,7 +420,7 @@ private Pair<List<Volume>, List<MountPoint>> getVolumes(ContainerSpec spec, EcsS
                 String name = components[0];
                 String containerPath = components[1];
                 if (!volumeNames.contains(name)) {
-                    throw new IllegalArgumentException(String.format("Invalid volume configuration: %s, no corresponding EFS volume definition found", volume));
+                    throw new IllegalArgumentException(String.format("Invalid volume configuration: %s, no corresponding (EFS or bind) volume definition found", volume));
                 }
 
                 MountPoint.Builder mountPoint = MountPoint.builder();
@@ -430,7 +439,21 @@ private Pair<List<Volume>, List<MountPoint>> getVolumes(ContainerSpec spec, EcsS
             }
         }
 
-        return Pair.of(efsVolumeConfigurations, mountPoints);
+        if (specExtension.ecsReadonlyRootFilesystem.getValueOrDefault(false)) {
+            // if filesystem is read-only, mount read-write volume on /tmp
+            volumeConfigurations.add(Volume.builder()
+                .name("tmp")
+                .build()
+            );
+
+            mountPoints.add(MountPoint.builder()
+                .sourceVolume("tmp")
+                .containerPath("/tmp")
+                .build()
+            );
+        }
+
+        return Pair.of(volumeConfigurations, mountPoints);
     }
 
     private List<Secret> getSecrets(EcsSpecExtension specExtension) {

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsSpecExtension.java

@@ -65,6 +65,9 @@ public class EcsSpecExtension extends AbstractSpecExtension {
     @Builder.Default
     List<EcsEfsVolume> ecsEfsVolumes = new ArrayList<>();
 
+    @Builder.Default
+    List<String> ecsBindVolumes = new ArrayList<>();
+
     @Builder.Default
     List<EcsManagedSecret> ecsManagedSecrets = new ArrayList<>();
 
@@ -74,6 +77,9 @@ public class EcsSpecExtension extends AbstractSpecExtension {
     @Builder.Default
     SpelField.String ecsRepositoryCredentialsParameter = new SpelField.String();
 
+    @Builder.Default
+    SpelField.Boolean ecsReadonlyRootFilesystem = new SpelField.Boolean();
+
     @Override
     public ISpecExtension firstResolve(SpecExpressionResolver resolver, SpecExpressionContext context) {
         return toBuilder()
@@ -82,10 +88,12 @@ public ISpecExtension firstResolve(SpecExpressionResolver resolver, SpecExpressi
             .ecsCpuArchitecture(ecsCpuArchitecture.resolve(resolver, context))
             .ecsOperationSystemFamily(ecsOperationSystemFamily.resolve(resolver, context))
             .ecsEphemeralStorageSize(ecsEphemeralStorageSize.resolve(resolver, context))
-            .ecsEfsVolumes(ecsEfsVolumes.stream().map(p -> p.resolve(resolver, context)).collect(Collectors.toList()))
-            .ecsManagedSecrets(ecsManagedSecrets.stream().map(p -> p.resolve(resolver, context)).collect(Collectors.toList()))
+            .ecsEfsVolumes(ecsEfsVolumes.stream().map(p -> p.resolve(resolver, context)).toList())
+            .ecsBindVolumes(ecsBindVolumes.stream().map(v -> resolver.evaluateToString( v, context)).toList())
+            .ecsManagedSecrets(ecsManagedSecrets.stream().map(p -> p.resolve(resolver, context)).toList())
             .ecsEnableExecuteCommand(ecsEnableExecuteCommand.resolve(resolver, context))
             .ecsRepositoryCredentialsParameter(ecsRepositoryCredentialsParameter.resolve(resolver, context))
+            .ecsReadonlyRootFilesystem(ecsReadonlyRootFilesystem.resolve(resolver, context))
             .build();
     }
 

src/test/java/eu/openanalytics/containerproxy/test/proxy/TestIntegrationOnEcs.java

@@ -66,7 +66,6 @@ private EcsClient getEcsClient() {
         return ecsClient;
     }
 
-
     @Test
     public void launchProxy() {
         Assumptions.assumeTrue(checkAwsCredentials(), "Skipping ECS tests");
@@ -168,6 +167,37 @@ public void launchProxyWithRoles() {
         }
     }
 
+    @Test
+    public void launchProxyWithReadonlyFilesystem() {
+        Assumptions.assumeTrue(checkAwsCredentials(), "Skipping ECS tests");
+        try (ContainerSetup containerSetup = new ContainerSetup("ecs")) {
+            try (ShinyProxyInstance inst = new ShinyProxyInstance("application-test-ecs.yml", Map.of(), true)) {
+                inst.enableCleanup();
+                // launch a proxy on ECS
+                String id = inst.client.startProxy("01_hello_ro");
+                Proxy proxy = inst.proxyService.getProxy(id);
+                inst.client.testProxyReachable(id);
+
+                Task task = getTask(proxy);
+
+                Assertions.assertEquals(21, task.ephemeralStorage().sizeInGiB());
+
+                TaskDefinition taskDefinition = getTaskDefinition(task);
+                ContainerDefinition containerDefinition = taskDefinition.containerDefinitions().getFirst();
+
+                // read only filesystem
+                Assertions.assertTrue(containerDefinition.readonlyRootFilesystem());
+                Assertions.assertEquals(5, containerDefinition.mountPoints().size());
+                Assertions.assertEquals(5, taskDefinition.volumes().size());
+
+                inst.client.stopProxy(id);
+
+                taskDefinition = getTaskDefinition(task);
+                Assertions.assertNotNull(taskDefinition.deregisteredAt());
+            }
+        }
+    }
+
     @Test
     public void testInvalidConfig1() {
         TestHelperException ex = Assertions.assertThrows(TestHelperException.class, () -> new ShinyProxyInstance("application-test-ecs-invalid-1.yml"));

src/test/resources/application-test-ecs.yml

@@ -50,3 +50,23 @@ proxy:
           port-mapping:
             - name: default
               port: 3838
+    - id: 01_hello_ro
+      ecs-readonly-root-filesystem: true
+      ecsBindVolumes:
+        - tmp2
+        - tmp3
+        - tmp4
+        - tmp5
+      container-specs:
+        - image: "openanalytics/shinyproxy-integration-test-app"
+          cmd: [ "R", "-e", "shinyproxy::run_01_hello()" ]
+          cpu-request: 1024
+          memory-request: 2048
+          volumes:
+            - "tmp2:/var/lib/nginx/tmp"
+            - "tmp3:/var/lib/nginx/logs"
+            - "tmp4:/var/log/nginx/logs"
+            - "tmp5:/run/nginx/"
+          port-mapping:
+            - name: default
+              port: 3838