Substra · SdgJlbl · Jun 14, 2024 · Jun 14, 2024
@@ -15,6 +15,7 @@
 from django.conf import settings
 
 from orchestrator import get_orchestrator_client
+from substrapp import docker_registry
 from substrapp.compute_tasks import compute_task as task_utils
 from substrapp.compute_tasks import errors as compute_task_errors
 from substrapp.compute_tasks import image_builder
@@ -29,8 +30,6 @@
 from substrapp.compute_tasks.environment import get_environment
 from substrapp.compute_tasks.volumes import get_volumes
 from substrapp.compute_tasks.volumes import get_worker_subtuple_pvc_name
-from substrapp.docker_registry import get_container_image_name
-from substrapp.docker_registry import get_entrypoint
 from substrapp.exceptions import OrganizationError
 from substrapp.exceptions import OrganizationHttpError
 from substrapp.exceptions import PodReadinessTimeoutError
@@ -76,13 +75,13 @@ def execute_compute_task(ctx: Context) -> None:
     pod_name = compute_pod.name
 
     env = get_environment(ctx)
-    image = get_container_image_name(container_image_tag)
+    image = docker_registry.get_container_image_name(container_image_tag)
 
     k8s_client = _get_k8s_client()
 
     if _is_pod_creation_needed(compute_pod.label_selector, client=k8s_client):
         # save entrypoint to DB
-        entrypoint = get_entrypoint(container_image_tag)
+        entrypoint = docker_registry.get_entrypoint(container_image_tag)
 
         ImageEntrypoint.objects.get_or_create(
             archive_checksum=ctx.function.archive_address.checksum, entrypoint_json=entrypoint

@@ -79,10 +79,7 @@ def get_request_docker_api(
     if response.status_code != requests.status_codes.codes.ok:
         if response.status_code == 412:
             raise RegistryPreconditionFailedException(
-                f"The image requested at path {path} did not pass the "
-                "security checks; please contact an Harbor administrator "
-                "to ensure that the image was scanned, "
-                "and get more information about the CVE.",
+                f"The image located at {path} is either not scanned yet or not passing the vulnerability checks.",
                 response=response,
             )
         raise ImageNotFoundError(f"Error when querying docker-registry, status code: {response.status_code}")

@@ -20,7 +20,7 @@
 from django.conf import settings
 
 import orchestrator
-from substrapp.compute_tasks.compute_pod import delete_compute_plan_pods
+from substrapp.compute_tasks import compute_pod
 from substrapp.models import FailedAssetKind
 from substrapp.task_routing import WORKER_QUEUE
 from substrapp.tasks.tasks_asset_failure_report import store_asset_failure_report
@@ -74,7 +74,7 @@ def on_success(self, retval: dict[str, Any], task_id: str, args: tuple, kwargs:
     def on_retry(self, exc: Exception, task_id: str, args: tuple, kwargs: dict[str, Any], einfo: ExceptionInfo) -> None:
         _, task = self.split_args(args)
         # delete compute pod to reset hardware resources
-        delete_compute_plan_pods(task.compute_plan_key)
+        compute_pod.delete_compute_plan_pods(task.compute_plan_key)
         logger.info(
             "Retrying task",
             celery_task_id=task_id,

@@ -27,6 +27,7 @@
 
 import orchestrator
 from backend.celery import app
+from substrapp import docker_registry
 from substrapp.clients import organization as organization_client
 from substrapp.compute_tasks import compute_task as task_utils
 from substrapp.compute_tasks import errors as compute_task_errors
@@ -120,6 +121,14 @@ def compute_task(self: ComputeTask, channel_name: str, serialized_task: str, com
     except (task_utils.ComputePlanNonRunnableError, task_utils.TaskNonRunnableStatusError) as exception:
         logger.exception(exception)
         raise celery.exceptions.Ignore
+    except docker_registry.RegistryPreconditionFailedException as exception:
+        logger.exception(exception)
+        raise compute_task_errors.CeleryRetryError(
+            f"The image associated with the task {task.key} did not pass the "
+            "security checks; please contact an Harbor administrator "
+            "to ensure that the image was scanned, "
+            "and get more information about the CVE."
+        ) from exception
     except compute_task_errors.CeleryNoRetryError as exception:
         logger.exception(exception)
         raise

@@ -9,7 +9,10 @@
 import orchestrator
 import orchestrator.client as orc_client
 import orchestrator.mock as orc_mock
+from substrapp import docker_registry
 from substrapp.compute_tasks import compute_task as task_utils
+from substrapp.compute_tasks.errors import CeleryRetryError
+from substrapp.tasks import compute_task
 
 RUNNABLE_TASK_STATUSES = task_utils._RUNNABLE_TASK_STATUSES
 NON_RUNNABLE_TASK_STATUSES = [
@@ -122,3 +125,23 @@ def test_start_task_if_not_started(client: mock.Mock, status, should_update: boo
 
     if should_update:
         client.update_task_status.assert_called_once()
+
+
+def test_compute_task_412_repackaged(mocker, celery_app, celery_worker):
+    mocker.patch(
+        "substrapp.docker_registry.get_request_docker_api",
+        side_effect=docker_registry.RegistryPreconditionFailedException,
+    )
+    mocker.patch("substrapp.compute_tasks.compute_pod.delete_compute_plan_pods")
+    task = orc_mock.ComputeTaskFactory()
+    with pytest.raises(CeleryRetryError) as exception:
+        r = compute_task.apply(
+            args=(
+                "channel-name",
+                task.model_dump_json(),
+                task.compute_plan_key,
+            ),
+            retries=1,
+        )
+        r.get()
+        assert "please contact an Harbor administrator" in str(exception)