mlrun 1.10.0rc18__py3-none-any.whl → 1.11.0rc16__py3-none-any.whl

mlrun/run.py

@@ -17,6 +17,7 @@ import json
 import os
 import pathlib
 import socket
+import sys
 import tempfile
 import time
 import typing
@@ -117,14 +118,31 @@ def function_to_module(code="", workdir=None, secrets=None, silent=False):
         raise ValueError("nothing to run, specify command or function")
 
     command = os.path.join(workdir or "", command)
-    path = Path(command)
-    mod_name = path.name
-    if path.suffix:
-        mod_name = mod_name[: -len(path.suffix)]
+
+    source_file_path_object, working_dir_path_object = (
+        mlrun.utils.helpers.get_source_and_working_dir_paths(command)
+    )
+    if source_file_path_object.is_relative_to(working_dir_path_object):
+        mod_name = mlrun.utils.helpers.get_relative_module_name_from_path(
+            source_file_path_object, working_dir_path_object
+        )
+    elif source_file_path_object.is_relative_to(
+        pathlib.Path(tempfile.gettempdir()).resolve()
+    ):
+        mod_name = Path(command).stem
+    else:
+        raise mlrun.errors.MLRunRuntimeError(
+            f"Cannot run source file '{command}': it must be located either under the current working "
+            f"directory ('{working_dir_path_object}') or the system temporary directory ('{tempfile.gettempdir()}'). "
+            f"This is required when running with local=True."
+        )
+
     spec = imputil.spec_from_file_location(mod_name, command)
     if spec is None:
         raise OSError(f"cannot import from {command!r}")
     mod = imputil.module_from_spec(spec)
+    # add to system modules, which can be necessary when running in a MockServer (ML-10937)
+    sys.modules[mod_name] = mod
     spec.loader.exec_module(mod)
 
     return mod
@@ -141,7 +159,7 @@ def load_func_code(command="", workdir=None, secrets=None, name="name"):
         else:
             is_remote = "://" in command
             data = get_object(command, secrets)
-            runtime = yaml.load(data, Loader=yaml.FullLoader)
+            runtime = yaml.safe_load(data)
             runtime = new_function(runtime=runtime)
 
         command = runtime.spec.command or ""
@@ -222,7 +240,8 @@ def get_or_create_ctx(
     :param spec:     dictionary holding run spec
     :param with_env: look for context in environment vars, default True
     :param rundb:    path/url to the metadata and artifact database
-    :param project:  project to initiate the context in (by default `mlrun.mlconf.active_project`)
+    :param project:  project to initiate the context in (by default `mlrun.mlconf.active_project`).
+                              If not set, an active project must exist.
     :param upload_artifacts:  when using local context (not as part of a job/run), upload artifacts to the
                               system default artifact path location
     :return: execution context
@@ -271,12 +290,22 @@ def get_or_create_ctx(
     elif with_env and config:
         newspec = config
 
-    if isinstance(newspec, (RunObject, RunTemplate)):
+    if isinstance(newspec, RunObject | RunTemplate):
         newspec = newspec.to_dict()
 
     if newspec and not isinstance(newspec, dict):
         newspec = json.loads(newspec)
 
+    if (
+        not newspec.get("metadata", {}).get("project")
+        and not project
+        and not mlconf.active_project
+    ):
+        raise mlrun.errors.MLRunMissingProjectError(
+            """No active project found. Make sure to set an active project using: mlrun.get_or_create_project()
+            You can verify the active project with: mlrun.mlconf.active_project"""
+        )
+
     if not newspec:
         newspec = {}
         if upload_artifacts:
@@ -316,7 +345,7 @@ def get_or_create_ctx(
 def import_function(url="", secrets=None, db="", project=None, new_name=None):
     """Create function object from DB or local/remote YAML file
 
-    Functions can be imported from function repositories (mlrun Function Hub (formerly Marketplace) or local db),
+    Functions can be imported from function repositories (MLRun Hub) or local db),
     or be read from a remote URL (http(s), s3, git, v3io, ..) containing the function YAML
 
     special URLs::
@@ -332,7 +361,7 @@ def import_function(url="", secrets=None, db="", project=None, new_name=None):
             "https://raw.githubusercontent.com/org/repo/func.yaml"
         )
 
-    :param url: path/url to Function Hub, db or function YAML file
+    :param url: path/url to MLRun Hub, db or function YAML file
     :param secrets: optional, credentials dict for DB or URL (s3, v3io, ...)
     :param db: optional, mlrun api/db path
     :param project: optional, target project for the function
@@ -362,10 +391,13 @@ def import_function(url="", secrets=None, db="", project=None, new_name=None):
     return function
 
 
-def import_function_to_dict(url, secrets=None):
+def import_function_to_dict(
+    url: str,
+    secrets: Optional[dict] = None,
+) -> dict:
     """Load function spec from local/remote YAML file"""
     obj = get_object(url, secrets)
-    runtime = yaml.load(obj, Loader=yaml.FullLoader)
+    runtime = yaml.safe_load(obj)
     remote = "://" in url
 
     code = get_in(runtime, "spec.build.functionSourceCode")
@@ -388,20 +420,40 @@ def import_function_to_dict(url, secrets=None):
                 raise ValueError("exec path (spec.command) must be relative")
             url = url[: url.rfind("/") + 1] + code_file
             code = get_object(url, secrets)
+            code_file = _ensure_path_confined_to_base_dir(
+                base_directory=".",
+                relative_path=code_file,
+                error_message_on_escape="Path traversal detected in spec.command",
+            )
             dir = path.dirname(code_file)
             if dir:
                 makedirs(dir, exist_ok=True)
             with open(code_file, "wb") as fp:
                 fp.write(code)
         elif cmd:
-            if not path.isfile(code_file):
-                # look for the file in a relative path to the yaml
-                slash = url.rfind("/")
-                if slash >= 0 and path.isfile(url[: url.rfind("/") + 1] + code_file):
-                    raise ValueError(
-                        f"exec file spec.command={code_file} is relative, change working dir"
-                    )
+            slash_index = url.rfind("/")
+            if slash_index < 0:
+                raise ValueError(f"no file in exec path (spec.command={code_file})")
+            base_dir = os.path.normpath(url[: slash_index + 1])
+
+            # Validate and resolve the candidate path before checking existence
+            candidate_path = _ensure_path_confined_to_base_dir(
+                base_directory=base_dir,
+                relative_path=code_file,
+                error_message_on_escape=(
+                    f"exec file spec.command={code_file} is outside of allowed directory"
+                ),
+            )
+
+            # Only now it's safe to check file existence
+            if not path.isfile(candidate_path):
                 raise ValueError(f"no file in exec path (spec.command={code_file})")
+
+            # Check that the path is absolute
+            if not os.path.isabs(code_file):
+                raise ValueError(
+                    f"exec file spec.command={code_file} is relative, it must be absolute. Change working dir"
+                )
         else:
             raise ValueError("command or code not specified in function spec")
 
@@ -503,6 +555,7 @@ def new_function(
 
     # make sure function name is valid
     name = mlrun.utils.helpers.normalize_name(name)
+    mlrun.utils.helpers.validate_function_name(name)
 
     runner.metadata.name = name
     runner.metadata.project = (
@@ -542,6 +595,7 @@ def new_function(
         )
 
     runner.prepare_image_for_deploy()
+
     return runner
 
 
@@ -575,7 +629,7 @@ def code_to_function(
     code_output: Optional[str] = "",
     embed_code: bool = True,
     description: Optional[str] = "",
-    requirements: Optional[Union[str, list[str]]] = None,
+    requirements: Optional[list[str]] = None,
     categories: Optional[list[str]] = None,
     labels: Optional[dict[str, str]] = None,
     with_doc: Optional[bool] = True,
@@ -638,7 +692,7 @@ def code_to_function(
     :param description:  short function description, defaults to ''
     :param requirements: a list of python packages
     :param requirements_file: path to a python requirements file
-    :param categories:   list of categories for mlrun Function Hub, defaults to None
+    :param categories:   list of categories for MLRun Hub, defaults to None
     :param labels:       name/value pairs dict to tag the function with useful metadata, defaults to None
     :param with_doc:     indicates whether to document the function parameters, defaults to True
     :param ignored_tags: notebook cells to ignore when converting notebooks to py code (separated by ';')
@@ -681,7 +735,6 @@ def code_to_function(
         )
 
     """
-    filebase, _ = path.splitext(path.basename(filename))
     ignored_tags = ignored_tags or mlconf.ignored_notebook_tags
 
     def add_name(origin, name=""):
@@ -746,6 +799,7 @@ def code_to_function(
         kind=sub_kind,
         ignored_tags=ignored_tags,
     )
+
     spec["spec"]["env"].append(
         {
             "name": "MLRUN_HTTPDB__NUCLIO__EXPLICIT_ACK",
@@ -798,6 +852,7 @@ def code_to_function(
         runtime.spec.build.code_origin = code_origin
         runtime.spec.build.origin_filename = filename or (name + ".ipynb")
         update_common(runtime, spec)
+
         return runtime
 
     if kind is None or kind in ["", "Function"]:
@@ -811,6 +866,7 @@ def code_to_function(
 
     if not name:
         raise ValueError("name must be specified")
+
     h = get_in(spec, "spec.handler", "").split(":")
     runtime.handler = h[0] if len(h) <= 1 else h[1]
     runtime.metadata = get_in(spec, "spec.metadata")
@@ -1258,3 +1314,21 @@ def wait_for_runs_completion(
         runs = running
 
     return completed
+
+
+def _ensure_path_confined_to_base_dir(
+    base_directory: str,
+    relative_path: str,
+    error_message_on_escape: str,
+) -> str:
+    """
+    Join `user_supplied_relative_path` to `allowed_base_directory`, normalise the result,
+    and guarantee it stays inside `allowed_base_directory`.
+    """
+    absolute_base_directory = path.abspath(base_directory)
+    absolute_candidate_path = path.abspath(
+        path.join(absolute_base_directory, relative_path)
+    )
+    if not absolute_candidate_path.startswith(absolute_base_directory + path.sep):
+        raise ValueError(error_message_on_escape)
+    return absolute_candidate_path

mlrun/runtimes/__init__.py

@@ -26,6 +26,7 @@ __all__ = [
     "KubeResource",
     "ApplicationRuntime",
     "MpiRuntimeV1",
+    "RuntimeKinds",
 ]
 
 import typing
@@ -34,6 +35,7 @@ from mlrun.runtimes.utils import resolve_spark_operator_version
 
 from ..common.runtimes.constants import MPIJobCRDVersions
 from .base import BaseRuntime, RunError, RuntimeClassMode  # noqa
+from .constants import RuntimeKinds
 from .daskjob import DaskCluster  # noqa
 from .databricks_job.databricks_runtime import DatabricksRuntime
 from .kubejob import KubejobRuntime, KubeResource  # noqa
@@ -94,192 +96,6 @@ def new_model_server(
         )
 
 
-class RuntimeKinds:
-    remote = "remote"
-    nuclio = "nuclio"
-    dask = "dask"
-    job = "job"
-    spark = "spark"
-    remotespark = "remote-spark"
-    mpijob = "mpijob"
-    serving = "serving"
-    local = "local"
-    handler = "handler"
-    databricks = "databricks"
-    application = "application"
-
-    @staticmethod
-    def all():
-        return [
-            RuntimeKinds.remote,
-            RuntimeKinds.nuclio,
-            RuntimeKinds.serving,
-            RuntimeKinds.dask,
-            RuntimeKinds.job,
-            RuntimeKinds.spark,
-            RuntimeKinds.remotespark,
-            RuntimeKinds.mpijob,
-            RuntimeKinds.local,
-            RuntimeKinds.databricks,
-            RuntimeKinds.application,
-        ]
-
-    @staticmethod
-    def runtime_with_handlers():
-        return [
-            RuntimeKinds.dask,
-            RuntimeKinds.job,
-            RuntimeKinds.spark,
-            RuntimeKinds.remotespark,
-            RuntimeKinds.mpijob,
-            RuntimeKinds.databricks,
-        ]
-
-    @staticmethod
-    def abortable_runtimes():
-        return [
-            RuntimeKinds.job,
-            RuntimeKinds.spark,
-            RuntimeKinds.remotespark,
-            RuntimeKinds.mpijob,
-            RuntimeKinds.databricks,
-            RuntimeKinds.local,
-            RuntimeKinds.handler,
-            "",
-        ]
-
-    @staticmethod
-    def retriable_runtimes():
-        return [
-            RuntimeKinds.job,
-        ]
-
-    @staticmethod
-    def nuclio_runtimes():
-        return [
-            RuntimeKinds.remote,
-            RuntimeKinds.nuclio,
-            RuntimeKinds.serving,
-            RuntimeKinds.application,
-        ]
-
-    @staticmethod
-    def pure_nuclio_deployed_runtimes():
-        return [
-            RuntimeKinds.remote,
-            RuntimeKinds.nuclio,
-            RuntimeKinds.serving,
-        ]
-
-    @staticmethod
-    def handlerless_runtimes():
-        return [
-            RuntimeKinds.serving,
-            # Application runtime handler is internal reverse proxy
-            RuntimeKinds.application,
-        ]
-
-    @staticmethod
-    def local_runtimes():
-        return [
-            RuntimeKinds.local,
-            RuntimeKinds.handler,
-        ]
-
-    @staticmethod
-    def is_log_collectable_runtime(kind: typing.Optional[str]):
-        """
-        whether log collector can collect logs for that runtime
-        :param kind: kind name
-        :return: whether log collector can collect logs for that runtime
-        """
-        # if local run, the log collector doesn't support it as it is only supports k8s resources
-        # when runtime is local the client is responsible for logging the stdout of the run by using `log_std`
-        if RuntimeKinds.is_local_runtime(kind):
-            return False
-
-        if (
-            kind
-            not in [
-                # dask implementation is different from other runtimes, because few runs can be run against the same
-                # runtime resource, so collecting logs on that runtime resource won't be correct, the way we collect
-                # logs for dask is by using `log_std` on client side after we execute the code against the cluster,
-                # as submitting the run with the dask client will return the run stdout.
-                # For more information head to `DaskCluster._run`.
-                RuntimeKinds.dask
-            ]
-            + RuntimeKinds.nuclio_runtimes()
-        ):
-            return True
-
-        return False
-
-    @staticmethod
-    def is_local_runtime(kind):
-        # "" or None counted as local
-        if not kind or kind in RuntimeKinds.local_runtimes():
-            return True
-        return False
-
-    @staticmethod
-    def requires_absolute_artifacts_path(kind):
-        """
-        Returns True if the runtime kind requires absolute artifacts' path (i.e. is local), False otherwise.
-        """
-        if RuntimeKinds.is_local_runtime(kind):
-            return False
-
-        if kind not in [
-            # logging artifacts is done externally to the dask cluster by a client that can either run locally (in which
-            # case the path can be relative) or remotely (in which case the path must be absolute and will be passed
-            # to another run)
-            RuntimeKinds.dask
-        ]:
-            return True
-        return False
-
-    @staticmethod
-    def requires_image_name_for_execution(kind):
-        if RuntimeKinds.is_local_runtime(kind):
-            return False
-
-        # both spark and remote spark uses different mechanism for assigning images
-        return kind not in [RuntimeKinds.spark, RuntimeKinds.remotespark]
-
-    @staticmethod
-    def supports_from_notebook(kind):
-        return kind not in [RuntimeKinds.application]
-
-    @staticmethod
-    def resolve_nuclio_runtime(kind: str, sub_kind: str):
-        kind = kind.split(":")[0]
-        if kind not in RuntimeKinds.nuclio_runtimes():
-            raise ValueError(
-                f"Kind {kind} is not a nuclio runtime, available runtimes are {RuntimeKinds.nuclio_runtimes()}"
-            )
-
-        if sub_kind == serving_subkind:
-            return ServingRuntime()
-
-        if kind == RuntimeKinds.application:
-            return ApplicationRuntime()
-
-        runtime = RemoteRuntime()
-        runtime.spec.function_kind = sub_kind
-        return runtime
-
-    @staticmethod
-    def resolve_nuclio_sub_kind(kind):
-        is_nuclio = kind.startswith("nuclio")
-        sub_kind = kind[kind.find(":") + 1 :] if is_nuclio and ":" in kind else None
-        if kind == RuntimeKinds.serving:
-            is_nuclio = True
-            sub_kind = serving_subkind
-        elif kind == RuntimeKinds.application:
-            is_nuclio = True
-        return is_nuclio, sub_kind
-
-
 def get_runtime_class(kind: str):
     if kind == RuntimeKinds.mpijob:
         return MpiRuntimeV1

mlrun/runtimes/base.py

@@ -16,8 +16,9 @@ import http
 import re
 import typing
 import warnings
+from collections.abc import Callable
 from os import environ
-from typing import Callable, Optional, Union
+from typing import Optional, Union
 
 import requests.exceptions
 from nuclio.build import mlrun_footer
@@ -30,6 +31,7 @@ import mlrun.common.schemas
 import mlrun.common.schemas.model_monitoring.constants as mm_constants
 import mlrun.errors
 import mlrun.launcher.factory
+import mlrun.runtimes
 import mlrun.utils.helpers
 import mlrun.utils.notifications
 import mlrun.utils.regex
@@ -142,9 +144,6 @@ class FunctionSpec(ModelObj):
     def build(self, build):
         self._build = self._verify_dict(build, "build", ImageBuilder)
 
-    def enrich_function_preemption_spec(self):
-        pass
-
     def validate_service_account(self, allowed_service_accounts):
         pass
 
@@ -280,18 +279,6 @@ class BaseRuntime(ModelObj):
             mlrun.model.Credentials.generate_access_key
         )
 
-    def generate_runtime_k8s_env(self, runobj: RunObject = None) -> list[dict]:
-        """
-        Prepares a runtime environment as it's expected by kubernetes.models.V1Container
-
-        :param runobj: Run context object (RunObject) with run metadata and status
-        :return: List of dicts with the structure {"name": "var_name", "value": "var_value"}
-        """
-        return [
-            {"name": k, "value": v}
-            for k, v in self._generate_runtime_env(runobj).items()
-        ]
-
     def run(
         self,
         runspec: Optional[
@@ -379,7 +366,12 @@ class BaseRuntime(ModelObj):
                              This ensures latest code changes are executed. This argument must be used in
                              conjunction with the local=True argument.
         :param output_path:    Default artifact output path.
-        :param retry:          Retry configuration for the run, can be a dict or an instance of mlrun.model.Retry.
+        :param retry:          Retry configuration for the run, can be a dict or an instance of
+                               :py:class:`~mlrun.model.Retry`.
+                               The `count` field in the `Retry` object specifies the number of retry attempts.
+                               If `count=0`, the run will not be retried.
+                               The `backoff` field specifies the retry backoff strategy between retry attempts.
+                               If not provided, the default backoff delay is 30 seconds.
         :return: Run context object (RunObject) with run metadata, results and status
         """
         if artifact_path or out_path:
@@ -391,6 +383,7 @@ class BaseRuntime(ModelObj):
                 FutureWarning,
             )
         output_path = output_path or out_path or artifact_path
+
         launcher = mlrun.launcher.factory.LauncherFactory().create_launcher(
             self._is_remote, local=local, **launcher_kwargs
         )
@@ -438,30 +431,86 @@ class BaseRuntime(ModelObj):
         if task:
             return task.to_dict()
 
-    def _generate_runtime_env(self, runobj: RunObject = None) -> dict:
+    def _generate_runtime_env(self, runobj: RunObject = None):
         """
-        Prepares all available environment variables for usage on a runtime
-        Data will be extracted from several sources and most of them are not guaranteed to be available
+        Prepares all available environment variables for usage on a runtime.
 
-        :param runobj: Run context object (RunObject) with run metadata and status
-        :return: Dictionary with all the variables that could be parsed
+        :param runobj: Optional run context object (RunObject) with run metadata and status
+        :return: Tuple of (runtime_env, external_source_env) where:
+                 - runtime_env: Dict of {env_name: value} for standard env vars
+                 - external_source_env: Dict of {env_name: value_from} for env vars with external sources
         """
+        active_project = self.metadata.project or config.active_project
         runtime_env = {
-            "MLRUN_ACTIVE_PROJECT": self.metadata.project or config.active_project
+            mlrun_constants.MLRUN_ACTIVE_PROJECT: active_project,
+            # TODO: Remove this in 1.12.0 as MLRUN_DEFAULT_PROJECT is deprecated and should not be injected anymore
+            "MLRUN_DEFAULT_PROJECT": active_project,
         }
+
+        # Set auth session only for nuclio runtimes that have an access key
+        if (
+            self.kind in mlrun.runtimes.RuntimeKinds.nuclio_runtimes()
+            and self.metadata.credentials.access_key
+        ):
+            runtime_env[
+                mlrun.common.runtimes.constants.FunctionEnvironmentVariables.auth_session
+            ] = self.metadata.credentials.access_key
+
         if runobj:
             runtime_env["MLRUN_EXEC_CONFIG"] = runobj.to_json(
                 exclude_notifications_params=True
             )
             if runobj.metadata.project:
-                runtime_env["MLRUN_ACTIVE_PROJECT"] = runobj.metadata.project
+                runtime_env[mlrun_constants.MLRUN_ACTIVE_PROJECT] = (
+                    runobj.metadata.project
+                )
             if runobj.spec.verbose:
                 runtime_env["MLRUN_LOG_LEVEL"] = "DEBUG"
         if config.httpdb.api_url:
             runtime_env["MLRUN_DBPATH"] = config.httpdb.api_url
         if self.metadata.namespace or config.namespace:
             runtime_env["MLRUN_NAMESPACE"] = self.metadata.namespace or config.namespace
-        return runtime_env
+
+        external_source_env = self._generate_external_source_runtime_envs()
+
+        return runtime_env, external_source_env
+
+    def _generate_external_source_runtime_envs(self):
+        """
+        Returns non-static env vars to be added to the runtime pod/container.
+
+        :return: Dict of {env_name: value_from} for env vars with external sources (e.g., fieldRef)
+        """
+        return {
+            "MLRUN_RUNTIME_KIND": {
+                "fieldRef": {
+                    "apiVersion": "v1",
+                    "fieldPath": f"metadata.labels['{mlrun_constants.MLRunInternalLabels.mlrun_class}']",
+                }
+            },
+        }
+
+    def _generate_k8s_runtime_env(self, runobj: RunObject = None):
+        """
+        Generates runtime environment variables in Kubernetes format.
+
+        :param runobj: Optional run context object (RunObject) with run metadata and status
+        :return: List of env var dicts in K8s format:
+                 - Standard envs: [{"name": key, "value": value}, ...]
+                 - External source envs: [{"name": key, "valueFrom": value_from}, ...]
+        """
+        runtime_env, external_source_env = self._generate_runtime_env(runobj)
+
+        # Convert standard env vars to K8s format
+        k8s_env = [{"name": k, "value": v} for k, v in runtime_env.items()]
+
+        # Convert external source env vars to K8s format
+        k8s_external_env = [
+            {"name": k, "valueFrom": v} for k, v in external_source_env.items()
+        ]
+
+        k8s_env.extend(k8s_external_env)
+        return k8s_env
 
     @staticmethod
     def _handle_submit_job_http_error(error: requests.HTTPError):
@@ -939,5 +988,34 @@ class BaseRuntime(ModelObj):
                             line += f", default={p['default']}"
                         print("    " + line)
 
+    def remove_auth_secret_volumes(self):
+        secret_name_prefix = (
+            mlrun.mlconf.secret_stores.kubernetes.auth_secret_name.format(
+                hashed_access_key=""
+            )
+        )
+        volumes = self.spec.volumes or []
+        mounts = self.spec.volume_mounts or []
+
+        volumes_to_remove = set()
+
+        # Identify volumes to remove
+        for vol in volumes:
+            secret_name = mlrun.utils.get_in(vol, "secret.secretName", "")
+
+            # Pattern of auth secret volumes
+            if secret_name.startswith(secret_name_prefix):
+                volumes_to_remove.add(vol["name"])
+
+        # Filter out only the matched volumes
+        self.spec.volumes = [
+            volume for volume in volumes if volume["name"] not in volumes_to_remove
+        ]
+
+        # Filter out matching mounts
+        self.spec.volume_mounts = [
+            mount for mount in mounts if mount["name"] not in volumes_to_remove
+        ]
+
     def skip_image_enrichment(self):
         return False