dstack 0.19.15rc1__py3-none-any.whl → 0.19.17__py3-none-any.whl

dstack/_internal/server/background/tasks/process_running_jobs.py

@@ -1,5 +1,6 @@
 import asyncio
 import re
+import uuid
 from collections.abc import Iterable
 from datetime import timedelta, timezone
 from typing import Dict, List, Optional
@@ -14,6 +15,7 @@ from dstack._internal.core.errors import GatewayError
 from dstack._internal.core.models.backends.base import BackendType
 from dstack._internal.core.models.common import NetworkMode, RegistryAuth
 from dstack._internal.core.models.configurations import DevEnvironmentConfiguration
+from dstack._internal.core.models.files import FileArchiveMapping
 from dstack._internal.core.models.instances import (
     InstanceStatus,
     RemoteConnectionInfo,
@@ -42,8 +44,10 @@ from dstack._internal.server.models import (
     ProjectModel,
     RepoModel,
     RunModel,
+    UserModel,
 )
 from dstack._internal.server.schemas.runner import GPUDevice, TaskStatus
+from dstack._internal.server.services import files as files_services
 from dstack._internal.server.services import logs as logs_services
 from dstack._internal.server.services import services
 from dstack._internal.server.services.instances import get_instance_ssh_private_keys
@@ -66,9 +70,10 @@ from dstack._internal.server.services.runner.ssh import runner_ssh_tunnel
 from dstack._internal.server.services.runs import (
     run_model_to_run,
 )
+from dstack._internal.server.services.secrets import get_project_secrets_mapping
 from dstack._internal.server.services.storage import get_default_storage
 from dstack._internal.utils import common as common_utils
-from dstack._internal.utils.interpolator import VariablesInterpolator
+from dstack._internal.utils.interpolator import InterpolatorError, VariablesInterpolator
 from dstack._internal.utils.logging import get_logger
 
 logger = get_logger(__name__)
@@ -101,7 +106,7 @@ async def _process_next_running_job():
                 )
                 .order_by(JobModel.last_processed_at.asc())
                 .limit(1)
-                .with_for_update(skip_locked=True)
+                .with_for_update(skip_locked=True, key_share=True)
             )
             job_model = res.unique().scalar()
             if job_model is None:
@@ -177,7 +182,17 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
         common_utils.get_or_error(job_model.instance)
     )
 
-    secrets = {}  # TODO secrets
+    secrets = await get_project_secrets_mapping(session=session, project=project)
+
+    try:
+        _interpolate_secrets(secrets, job.job_spec)
+    except InterpolatorError as e:
+        logger.info("%s: terminating due to secrets interpolation error", fmt(job_model))
+        job_model.status = JobStatus.TERMINATING
+        job_model.termination_reason = JobTerminationReason.TERMINATED_BY_SERVER
+        job_model.termination_reason_message = e.args[0]
+        job_model.last_processed_at = common_utils.get_current_datetime()
+        return
 
     repo_creds_model = await get_repo_creds(session=session, repo=repo_model, user=run_model.user)
     repo_creds = repo_model_to_repo_head_with_creds(repo_model, repo_creds_model).repo_creds
@@ -214,7 +229,6 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
                     job_model,
                     job_provisioning_data,
                     volumes,
-                    secrets,
                     job.job_spec.registry_auth,
                     public_keys,
                     ssh_user,
@@ -226,12 +240,20 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
                     fmt(job_model),
                     job_submission.age,
                 )
+                # FIXME: downloading file archives and code here is a waste of time if
+                # the runner is not ready yet
+                file_archives = await _get_job_file_archives(
+                    session=session,
+                    archive_mappings=job.job_spec.file_archives,
+                    user=run_model.user,
+                )
                 code = await _get_job_code(
                     session=session,
                     project=project,
                     repo=repo_model,
-                    code_hash=run.run_spec.repo_code_hash,
+                    code_hash=_get_repo_code_hash(run, job),
                 )
+
                 success = await common_utils.run_async(
                     _submit_job_to_runner,
                     server_ssh_private_keys,
@@ -242,6 +264,7 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
                     job,
                     cluster_info,
                     code,
+                    file_archives,
                     secrets,
                     repo_creds,
                     success_if_not_available=False,
@@ -269,11 +292,18 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
             logger.debug(
                 "%s: process pulling job with shim, age=%s", fmt(job_model), job_submission.age
             )
+            # FIXME: downloading file archives and code here is a waste of time if
+            # the runner is not ready yet
+            file_archives = await _get_job_file_archives(
+                session=session,
+                archive_mappings=job.job_spec.file_archives,
+                user=run_model.user,
+            )
             code = await _get_job_code(
                 session=session,
                 project=project,
                 repo=repo_model,
-                code_hash=run.run_spec.repo_code_hash,
+                code_hash=_get_repo_code_hash(run, job),
             )
             success = await common_utils.run_async(
                 _process_pulling_with_shim,
@@ -285,6 +315,7 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
                 job,
                 cluster_info,
                 code,
+                file_archives,
                 secrets,
                 repo_creds,
                 server_ssh_private_keys,
@@ -306,8 +337,9 @@ async def _process_running_job(session: AsyncSession, job_model: JobModel):
         else:
             if job_model.termination_reason:
                 logger.warning(
-                    "%s: failed because shim/runner returned an error, age=%s",
+                    "%s: failed due to %s, age=%s",
                     fmt(job_model),
+                    job_model.termination_reason.value,
                     job_submission.age,
                 )
                 job_model.status = JobStatus.TERMINATING
@@ -450,7 +482,6 @@ def _process_provisioning_with_shim(
     job_model: JobModel,
     job_provisioning_data: JobProvisioningData,
     volumes: List[Volume],
-    secrets: Dict[str, str],
     registry_auth: Optional[RegistryAuth],
     public_keys: List[str],
     ssh_user: str,
@@ -476,10 +507,8 @@ def _process_provisioning_with_shim(
     registry_username = ""
     registry_password = ""
     if registry_auth is not None:
-        logger.debug("%s: authenticating to the registry...", fmt(job_model))
-        interpolate = VariablesInterpolator({"secrets": secrets}).interpolate
-        registry_username = interpolate(registry_auth.username)
-        registry_password = interpolate(registry_auth.password)
+        registry_username = registry_auth.username
+        registry_password = registry_auth.password
 
     volume_mounts: List[VolumeMountPoint] = []
     instance_mounts: List[InstanceMountPoint] = []
@@ -588,6 +617,7 @@ def _process_pulling_with_shim(
     job: Job,
     cluster_info: ClusterInfo,
     code: bytes,
+    file_archives: Iterable[tuple[uuid.UUID, bytes]],
     secrets: Dict[str, str],
     repo_credentials: Optional[RemoteRepoCreds],
     server_ssh_private_keys: tuple[str, Optional[str]],
@@ -663,6 +693,7 @@ def _process_pulling_with_shim(
         job=job,
         cluster_info=cluster_info,
         code=code,
+        file_archives=file_archives,
         secrets=secrets,
         repo_credentials=repo_credentials,
         success_if_not_available=True,
@@ -826,6 +857,19 @@ def _get_cluster_info(
     return cluster_info
 
 
+def _get_repo_code_hash(run: Run, job: Job) -> Optional[str]:
+    # TODO: drop this function when supporting jobs submitted before 0.19.17 is no longer relevant.
+    if (
+        job.job_spec.repo_code_hash is None
+        and run.run_spec.repo_code_hash is not None
+        and job.job_submissions[-1].deployment_num == run.deployment_num
+    ):
+        # The job spec does not have `repo_code_hash`, because it was submitted before 0.19.17.
+        # Use `repo_code_hash` from the run.
+        return run.run_spec.repo_code_hash
+    return job.job_spec.repo_code_hash
+
+
 async def _get_job_code(
     session: AsyncSession, project: ProjectModel, repo: RepoModel, code_hash: Optional[str]
 ) -> bytes:
@@ -853,6 +897,43 @@ async def _get_job_code(
     return blob
 
 
+async def _get_job_file_archives(
+    session: AsyncSession,
+    archive_mappings: Iterable[FileArchiveMapping],
+    user: UserModel,
+) -> list[tuple[uuid.UUID, bytes]]:
+    archives: list[tuple[uuid.UUID, bytes]] = []
+    for archive_mapping in archive_mappings:
+        archive_id = archive_mapping.id
+        archive_blob = await _get_job_file_archive(
+            session=session, archive_id=archive_id, user=user
+        )
+        archives.append((archive_id, archive_blob))
+    return archives
+
+
+async def _get_job_file_archive(
+    session: AsyncSession, archive_id: uuid.UUID, user: UserModel
+) -> bytes:
+    archive_model = await files_services.get_archive_model(session, id=archive_id, user=user)
+    if archive_model is None:
+        return b""
+    if archive_model.blob is not None:
+        return archive_model.blob
+    storage = get_default_storage()
+    if storage is None:
+        return b""
+    blob = await common_utils.run_async(
+        storage.get_archive,
+        str(archive_model.user_id),
+        archive_model.blob_hash,
+    )
+    if blob is None:
+        logger.error("Failed to get file archive %s from storage", archive_id)
+        return b""
+    return blob
+
+
 @runner_ssh_tunnel(ports=[DSTACK_RUNNER_HTTP_PORT], retries=1)
 def _submit_job_to_runner(
     ports: Dict[int, int],
@@ -861,6 +942,7 @@ def _submit_job_to_runner(
     job: Job,
     cluster_info: ClusterInfo,
     code: bytes,
+    file_archives: Iterable[tuple[uuid.UUID, bytes]],
     secrets: Dict[str, str],
     repo_credentials: Optional[RemoteRepoCreds],
     success_if_not_available: bool,
@@ -896,10 +978,15 @@ def _submit_job_to_runner(
         run=run,
         job=job,
         cluster_info=cluster_info,
-        secrets=secrets,
+        # Do not send all the secrets since interpolation is already done by the server.
+        # TODO: Passing secrets may be necessary for filtering out secret values from logs.
+        secrets={},
         repo_credentials=repo_credentials,
         instance_env=instance_env,
     )
+    logger.debug("%s: uploading file archive(s)", fmt(job_model))
+    for archive_id, archive in file_archives:
+        runner_client.upload_archive(archive_id, archive)
     logger.debug("%s: uploading code", fmt(job_model))
     runner_client.upload_code(code)
     logger.debug("%s: starting job", fmt(job_model))
@@ -911,6 +998,16 @@ def _submit_job_to_runner(
     return True
 
 
+def _interpolate_secrets(secrets: Dict[str, str], job_spec: JobSpec):
+    interpolate = VariablesInterpolator({"secrets": secrets}).interpolate_or_error
+    job_spec.env = {k: interpolate(v) for k, v in job_spec.env.items()}
+    if job_spec.registry_auth is not None:
+        job_spec.registry_auth = RegistryAuth(
+            username=interpolate(job_spec.registry_auth.username),
+            password=interpolate(job_spec.registry_auth.password),
+        )
+
+
 def _get_instance_specific_mounts(
     backend_type: BackendType, instance_type_name: str
 ) -> List[InstanceMountPoint]:

dstack/_internal/server/background/tasks/process_runs.py

@@ -27,6 +27,7 @@ from dstack._internal.server.services.jobs import (
     group_jobs_by_replica_latest,
 )
 from dstack._internal.server.services.locking import get_locker
+from dstack._internal.server.services.prometheus.client_metrics import run_metrics
 from dstack._internal.server.services.runs import (
     fmt,
     process_terminating_run,
@@ -34,6 +35,7 @@ from dstack._internal.server.services.runs import (
     run_model_to_run,
     scale_run_replicas,
 )
+from dstack._internal.server.services.secrets import get_project_secrets_mapping
 from dstack._internal.server.services.services import update_service_desired_replica_count
 from dstack._internal.utils import common
 from dstack._internal.utils.logging import get_logger
@@ -62,7 +64,7 @@ async def _process_next_run():
                 )
                 .order_by(RunModel.last_processed_at.asc())
                 .limit(1)
-                .with_for_update(skip_locked=True)
+                .with_for_update(skip_locked=True, key_share=True)
             )
             run_model = res.scalar()
             if run_model is None:
@@ -74,7 +76,7 @@ async def _process_next_run():
                     JobModel.id.not_in(job_lockset),
                 )
                 .order_by(JobModel.id)  # take locks in order
-                .with_for_update(skip_locked=True)
+                .with_for_update(skip_locked=True, key_share=True)
             )
             job_models = res.scalars().all()
             if len(run_model.jobs) != len(job_models):
@@ -329,6 +331,24 @@ async def _process_active_run(session: AsyncSession, run_model: RunModel):
             run_model.status.name,
             new_status.name,
         )
+        if run_model.status == RunStatus.SUBMITTED and new_status == RunStatus.PROVISIONING:
+            current_time = common.get_current_datetime()
+            submit_to_provision_duration = (
+                current_time - run_model.submitted_at.replace(tzinfo=datetime.timezone.utc)
+            ).total_seconds()
+            logger.info(
+                "%s: run took %.2f seconds from submision to provisioning.",
+                fmt(run_model),
+                submit_to_provision_duration,
+            )
+            project_name = run_model.project.name
+            run_metrics.log_submit_to_provision_duration(
+                submit_to_provision_duration, project_name, run_spec.configuration.type
+            )
+
+        if new_status == RunStatus.PENDING:
+            run_metrics.increment_pending_runs(run_model.project.name, run_spec.configuration.type)
+
         run_model.status = new_status
         run_model.termination_reason = termination_reason
         # While a run goes to pending without provisioning, resubmission_attempt increases.
@@ -385,7 +405,11 @@ async def _handle_run_replicas(
         )
         return
 
-    await _update_jobs_to_new_deployment_in_place(run_model, run_spec)
+    await _update_jobs_to_new_deployment_in_place(
+        session=session,
+        run_model=run_model,
+        run_spec=run_spec,
+    )
     if _has_out_of_date_replicas(run_model):
         non_terminated_replica_count = len(
             {j.replica_num for j in run_model.jobs if not j.status.is_finished()}
@@ -425,18 +449,25 @@ async def _handle_run_replicas(
             )
 
 
-async def _update_jobs_to_new_deployment_in_place(run_model: RunModel, run_spec: RunSpec) -> None:
+async def _update_jobs_to_new_deployment_in_place(
+    session: AsyncSession, run_model: RunModel, run_spec: RunSpec
+) -> None:
     """
     Bump deployment_num for jobs that do not require redeployment.
     """
-
+    secrets = await get_project_secrets_mapping(
+        session=session,
+        project=run_model.project,
+    )
     for replica_num, job_models in group_jobs_by_replica_latest(run_model.jobs):
         if all(j.status.is_finished() for j in job_models):
             continue
         if all(j.deployment_num == run_model.deployment_num for j in job_models):
             continue
+        # FIXME: Handle getting image configuration errors or skip it.
         new_job_specs = await get_job_specs_from_run_spec(
             run_spec=run_spec,
+            secrets=secrets,
             replica_num=replica_num,
         )
         assert len(new_job_specs) == len(job_models), (

dstack/_internal/server/background/tasks/process_submitted_jobs.py

@@ -99,7 +99,7 @@ async def _process_next_submitted_job():
                     JobModel.id.not_in(lockset),
                 )
                 # Jobs are process in FIFO sorted by priority globally,
-                # thus runs from different project can "overtake" each other by using higher priorities.
+                # thus runs from different projects can "overtake" each other by using higher priorities.
                 # That's not a big problem as long as projects do not compete for the same compute resources.
                 # Jobs with lower priorities from other projects will be processed without major lag
                 # as long as new higher priority runs are not constantly submitted.
@@ -108,7 +108,13 @@ async def _process_next_submitted_job():
                 # there can be many projects and we are limited by the max DB connections.
                 .order_by(RunModel.priority.desc(), JobModel.last_processed_at.asc())
                 .limit(1)
-                .with_for_update(skip_locked=True)
+                .with_for_update(
+                    skip_locked=True,
+                    key_share=True,
+                    # Do not lock joined run, only job.
+                    # Locking run here may cause deadlock.
+                    of=JobModel,
+                )
             )
             job_model = res.scalar()
             if job_model is None:
@@ -201,7 +207,7 @@ async def _process_submitted_job(session: AsyncSession, job_model: JobModel):
             )
             .options(lazyload(InstanceModel.jobs))
             .order_by(InstanceModel.id)  # take locks in order
-            .with_for_update()
+            .with_for_update(key_share=True)
         )
         pool_instances = list(res.unique().scalars().all())
         instances_ids = sorted([i.id for i in pool_instances])
@@ -326,7 +332,7 @@ async def _process_submitted_job(session: AsyncSession, job_model: JobModel):
         .where(VolumeModel.id.in_(volumes_ids))
         .options(selectinload(VolumeModel.user))
         .order_by(VolumeModel.id)  # take locks in order
-        .with_for_update()
+        .with_for_update(key_share=True)
     )
     async with get_locker().lock_ctx(VolumeModel.__tablename__, volumes_ids):
         if len(volume_models) > 0:

dstack/_internal/server/background/tasks/process_terminating_jobs.py

@@ -45,7 +45,7 @@ async def _process_next_terminating_job():
                 )
                 .order_by(JobModel.last_processed_at.asc())
                 .limit(1)
-                .with_for_update(skip_locked=True)
+                .with_for_update(skip_locked=True, key_share=True)
             )
             job_model = res.scalar()
             if job_model is None:
@@ -58,7 +58,7 @@ async def _process_next_terminating_job():
                         InstanceModel.id.not_in(instance_lockset),
                     )
                     .options(lazyload(InstanceModel.jobs))
-                    .with_for_update(skip_locked=True)
+                    .with_for_update(skip_locked=True, key_share=True)
                 )
                 instance_model = res.scalar()
                 if instance_model is None:

dstack/_internal/server/background/tasks/process_volumes.py

@@ -33,7 +33,7 @@ async def process_submitted_volumes():
                 )
                 .order_by(VolumeModel.last_processed_at.asc())
                 .limit(1)
-                .with_for_update(skip_locked=True)
+                .with_for_update(skip_locked=True, key_share=True)
             )
             volume_model = res.scalar()
             if volume_model is None:

dstack/_internal/server/migrations/versions/5f1707c525d2_add_filearchivemodel.py

@@ -0,0 +1,39 @@
+"""Add FileArchiveModel
+
+Revision ID: 5f1707c525d2
+Revises: 35e90e1b0d3e
+Create Date: 2025-06-12 12:28:26.678380
+
+"""
+
+import sqlalchemy as sa
+import sqlalchemy_utils
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "5f1707c525d2"
+down_revision = "35e90e1b0d3e"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "file_archives",
+        sa.Column("id", sqlalchemy_utils.types.uuid.UUIDType(binary=False), nullable=False),
+        sa.Column("user_id", sqlalchemy_utils.types.uuid.UUIDType(binary=False), nullable=False),
+        sa.Column("blob_hash", sa.Text(), nullable=False),
+        sa.Column("blob", sa.LargeBinary(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            name=op.f("fk_file_archives_user_id_users"),
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_file_archives")),
+        sa.UniqueConstraint("user_id", "blob_hash", name="uq_file_archives_user_id_blob_hash"),
+    )
+
+
+def downgrade() -> None:
+    op.drop_table("file_archives")

dstack/_internal/server/migrations/versions/644b8a114187_add_secretmodel.py

@@ -0,0 +1,49 @@
+"""Add SecretModel
+
+Revision ID: 644b8a114187
+Revises: 5f1707c525d2
+Create Date: 2025-06-30 11:00:04.326290
+
+"""
+
+import sqlalchemy as sa
+import sqlalchemy_utils
+from alembic import op
+
+import dstack._internal.server.models
+
+# revision identifiers, used by Alembic.
+revision = "644b8a114187"
+down_revision = "5f1707c525d2"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "secrets",
+        sa.Column("id", sqlalchemy_utils.types.uuid.UUIDType(binary=False), nullable=False),
+        sa.Column(
+            "project_id", sqlalchemy_utils.types.uuid.UUIDType(binary=False), nullable=False
+        ),
+        sa.Column("created_at", dstack._internal.server.models.NaiveDateTime(), nullable=False),
+        sa.Column("updated_at", dstack._internal.server.models.NaiveDateTime(), nullable=False),
+        sa.Column("name", sa.String(length=200), nullable=False),
+        sa.Column("value", dstack._internal.server.models.EncryptedString(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["project_id"],
+            ["projects.id"],
+            name=op.f("fk_secrets_project_id_projects"),
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_secrets")),
+        sa.UniqueConstraint("project_id", "name", name="uq_secrets_project_id_name"),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("secrets")
+    # ### end Alembic commands ###

dstack/_internal/server/models.py

@@ -315,6 +315,21 @@ class CodeModel(BaseModel):
     blob: Mapped[Optional[bytes]] = mapped_column(LargeBinary)  # None means blob is stored on s3
 
 
+class FileArchiveModel(BaseModel):
+    __tablename__ = "file_archives"
+    __table_args__ = (
+        UniqueConstraint("user_id", "blob_hash", name="uq_file_archives_user_id_blob_hash"),
+    )
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUIDType(binary=False), primary_key=True, default=uuid.uuid4
+    )
+    user_id: Mapped["UserModel"] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"))
+    user: Mapped["UserModel"] = relationship()
+    blob_hash: Mapped[str] = mapped_column(Text)
+    blob: Mapped[Optional[bytes]] = mapped_column(LargeBinary)  # None means blob is stored on s3
+
+
 class RunModel(BaseModel):
     __tablename__ = "runs"
 
@@ -711,3 +726,21 @@ class JobPrometheusMetrics(BaseModel):
     collected_at: Mapped[datetime] = mapped_column(NaiveDateTime)
     # Raw Prometheus text response
     text: Mapped[str] = mapped_column(Text)
+
+
+class SecretModel(BaseModel):
+    __tablename__ = "secrets"
+    __table_args__ = (UniqueConstraint("project_id", "name", name="uq_secrets_project_id_name"),)
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUIDType(binary=False), primary_key=True, default=uuid.uuid4
+    )
+
+    project_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("projects.id", ondelete="CASCADE"))
+    project: Mapped["ProjectModel"] = relationship()
+
+    created_at: Mapped[datetime] = mapped_column(NaiveDateTime, default=get_current_datetime)
+    updated_at: Mapped[datetime] = mapped_column(NaiveDateTime, default=get_current_datetime)
+
+    name: Mapped[str] = mapped_column(String(200))
+    value: Mapped[DecryptedString] = mapped_column(EncryptedString())

dstack/_internal/server/routers/files.py

@@ -0,0 +1,67 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, Request, UploadFile
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from dstack._internal.core.errors import ResourceNotExistsError, ServerClientError
+from dstack._internal.core.models.files import FileArchive
+from dstack._internal.server.db import get_session
+from dstack._internal.server.models import UserModel
+from dstack._internal.server.schemas.files import GetFileArchiveByHashRequest
+from dstack._internal.server.security.permissions import Authenticated
+from dstack._internal.server.services import files
+from dstack._internal.server.settings import SERVER_CODE_UPLOAD_LIMIT
+from dstack._internal.server.utils.routers import (
+    get_base_api_additional_responses,
+    get_request_size,
+)
+from dstack._internal.utils.common import sizeof_fmt
+
+router = APIRouter(
+    prefix="/api/files",
+    tags=["files"],
+    responses=get_base_api_additional_responses(),
+)
+
+
+@router.post("/get_archive_by_hash")
+async def get_archive_by_hash(
+    body: GetFileArchiveByHashRequest,
+    session: Annotated[AsyncSession, Depends(get_session)],
+    user: Annotated[UserModel, Depends(Authenticated())],
+) -> FileArchive:
+    archive = await files.get_archive_by_hash(
+        session=session,
+        user=user,
+        hash=body.hash,
+    )
+    if archive is None:
+        raise ResourceNotExistsError()
+    return archive
+
+
+@router.post("/upload_archive")
+async def upload_archive(
+    request: Request,
+    file: UploadFile,
+    session: Annotated[AsyncSession, Depends(get_session)],
+    user: Annotated[UserModel, Depends(Authenticated())],
+) -> FileArchive:
+    request_size = get_request_size(request)
+    if SERVER_CODE_UPLOAD_LIMIT > 0 and request_size > SERVER_CODE_UPLOAD_LIMIT:
+        diff_size_fmt = sizeof_fmt(request_size)
+        limit_fmt = sizeof_fmt(SERVER_CODE_UPLOAD_LIMIT)
+        if diff_size_fmt == limit_fmt:
+            diff_size_fmt = f"{request_size}B"
+            limit_fmt = f"{SERVER_CODE_UPLOAD_LIMIT}B"
+        raise ServerClientError(
+            f"Archive size is {diff_size_fmt}, which exceeds the limit of {limit_fmt}."
+            " Use .gitignore/.dstackignore to exclude large files."
+            " This limit can be modified by setting the DSTACK_SERVER_CODE_UPLOAD_LIMIT environment variable."
+        )
+    archive = await files.upload_archive(
+        session=session,
+        user=user,
+        file=file,
+    )
+    return archive

dstack/_internal/server/routers/gateways.py

@@ -9,7 +9,10 @@ import dstack._internal.server.services.gateways as gateways
 from dstack._internal.core.errors import ResourceNotExistsError
 from dstack._internal.server.db import get_session
 from dstack._internal.server.models import ProjectModel, UserModel
-from dstack._internal.server.security.permissions import ProjectAdmin, ProjectMember
+from dstack._internal.server.security.permissions import (
+    ProjectAdmin,
+    ProjectMemberOrPublicAccess,
+)
 from dstack._internal.server.utils.routers import get_base_api_additional_responses
 
 router = APIRouter(
@@ -22,7 +25,7 @@ router = APIRouter(
 @router.post("/list")
 async def list_gateways(
     session: AsyncSession = Depends(get_session),
-    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectMember()),
+    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectMemberOrPublicAccess()),
 ) -> List[models.Gateway]:
     _, project = user_project
     return await gateways.list_project_gateways(session=session, project=project)
@@ -32,7 +35,7 @@ async def list_gateways(
 async def get_gateway(
     body: schemas.GetGatewayRequest,
     session: AsyncSession = Depends(get_session),
-    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectMember()),
+    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectMemberOrPublicAccess()),
 ) -> models.Gateway:
     _, project = user_project
     gateway = await gateways.get_gateway_by_name(session=session, project=project, name=body.name)