Fix SAS startup issues, WB CLI, and environment variables (#410)

* Get SAS running

* WB CLI and AoU env variables

* cleanup

Author: pantherman594

src/aou-sas/.devcontainer.json

@@ -5,19 +5,7 @@
   "runServices": ["app", "wondershaper"],
   "shutdownAction": "none",
   "workspaceFolder": "/workspace",
-  "postCreateCommand": [
-    "./startupscript/post-startup.sh",
-    "aou",
-    "/data",
-    "${templateOption:cloud}",
-    "${templateOption:login}"
-  ],
-  "postStartCommand": [
-    "./startupscript/remount-on-restart.sh",
-    "aou",
-    "/data",
-    "${templateOption:cloud}",
-    "${templateOption:login}"
-  ],
+  "postCreateCommand": "./startupscript/post-startup.sh aou /data '${templateOption:cloud}' '${templateOption:login}' && ./setup-sas-env.sh aou /data",
+  "postStartCommand": "./startupscript/remount-on-restart.sh aou /data '${templateOption:cloud}' '${templateOption:login}' && ./setup-sas-env.sh aou /data",
   "remoteUser": "root"
 }

src/aou-sas/Dockerfile

@@ -6,42 +6,23 @@ USER root
 # This must be in the Dockerfile because it references a build context (load-envs).
 COPY --from=load-envs /dist/load-env /dist/load-env.sh /opt/sas/aou/
 
-###############################################################################
-# Package-manager compatibility
-# Workbench startup scripts (post-startup.sh, resource-mount.sh) expect
-# apt-get / apt.  These shims delegate to yum on this RHEL-based SAS image.
-###############################################################################
-RUN printf '#!/bin/bash\ncase "$1" in\n  update) exec yum makecache -y ;;\n  install) shift; exec yum install -y --allowerasing "$@" ;;\n  *) exec yum "$@" ;;\nesac\n' > /usr/local/bin/apt-get && \
-    chmod +x /usr/local/bin/apt-get && \
-    cp /usr/local/bin/apt-get /usr/local/bin/apt && \
-    chmod +x /usr/local/bin/apt
-
 ###############################################################################
 # Disable SAS-internal repos (unreachable outside SAS network) and enable
-# public UBI + EPEL repos so packages like jq, fuse, git can be resolved.
+# public UBI repos so packages like jq, fuse, git can be resolved.
 ###############################################################################
 RUN dnf config-manager --set-disabled \
         crackles-epel-everything \
         sas-rhel-9-baseos sas-rhel-9-appstream sas-rhel-9-codeready \
         sas-ubi-9-baseos sas-ubi-9-appstream sas-ubi-9-codeready-builder && \
     dnf config-manager --set-enabled \
-        ubi-9-baseos-rpms ubi-9-appstream-rpms ubi-9-codeready-builder-rpms && \
-    rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
-    yum clean all
+        ubi-9-baseos-rpms ubi-9-appstream-rpms ubi-9-codeready-builder-rpms
 
 ###############################################################################
 # System packages required by Workbench startup scripts
 ###############################################################################
-RUN yum install -y --allowerasing curl fuse fuse-libs wget sudo git \
+RUN dnf install -y --allowerasing curl fuse fuse-libs wget sudo git \
         java-17-openjdk-headless && \
-    yum clean all
-
-###############################################################################
-# gcsfuse — GCS bucket mounting
-###############################################################################
-RUN printf '[gcsfuse]\nname=gcsfuse (packages.cloud.google.com)\nbaseurl=https://packages.cloud.google.com/yum/repos/gcsfuse-el7-x86_64\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=0\ngpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg\n       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg\n' > /etc/yum.repos.d/gcsfuse.repo && \
-    yum install -y gcsfuse && \
-    yum clean all
+    dnf clean all
 
 ###############################################################################
 # Google Cloud SDK
@@ -66,6 +47,10 @@ RUN groupadd -g 1100 aougroup && \
 ###############################################################################
 RUN echo "-work /data/saswork" >> /opt/sas/viya/config/etc/workspaceserver/default/sasv9_usermods.cfg && \
     echo "-utilloc /data/utilloc" >> /opt/sas/viya/config/etc/workspaceserver/default/sasv9_usermods.cfg && \
+    echo 'if [ -f /data/.aou-env ]; then source /data/.aou-env; fi' >> \
+      /opt/sas/viya/config/etc/workspaceserver/default/workspaceserver_usermods.sh && \
+    echo 'if [ -f /data/.workbench-env ]; then source /data/.workbench-env; fi' >> \
+      /opt/sas/viya/config/etc/workspaceserver/default/workspaceserver_usermods.sh && \
     sed -Ei 's#^USERMODS=(.*)#USERMODS=-allowxcmd \1#g' \
       /opt/sas/viya/config/etc/spawner/default/spawner_usermods.sh
 
@@ -87,6 +72,12 @@ RUN PROXY_CONF=/etc/httpd/conf.d/dkrapro-proxy.conf && \
     sed -i '/AOU-CONFIGURED/a Header unset Content-Security-Policy' "${PROXY_CONF}" && \
     sed -i '/AOU-CONFIGURED/a Header edit Set-Cookie "^(.*SameSite=None.*)\$" "\$1; Secure"' "${PROXY_CONF}"
 
+###############################################################################
+# Create /data directory and chown to AoU user. When the volume is mounted it
+# will inherit the owner
+###############################################################################
+RUN mkdir -p /data && chown aou:aougroup /data
+
 # Wrapper entrypoint: copies the SAS license from Mikey Secrets (if active)
 # to /sasinside/ before handing off to the SAS entrypoint.
 COPY --from=wb-secret-receiver /dist/wb-secret-receiver /wb-secret-receiver

src/aou-sas/devcontainer-template.json

@@ -0,0 +1,20 @@
+{
+  "id": "aou-sas",
+  "version": "1.0.0",
+  "name": "SAS App for AoU",
+  "description": "SAS Analytics Pro for All of Us",
+  "options": {
+    "cloud": {
+      "type": "string",
+      "description": "VM cloud environment",
+      "proposals": ["gcp", "aws"],
+      "default": "gcp"
+    },
+    "login": {
+      "type": "string",
+      "description": "Whether to log in to workbench CLI",
+      "proposals": ["true", "false"],
+      "default": "false"
+    }
+  }
+}

src/aou-sas/docker-compose.yaml

@@ -18,19 +18,17 @@ services:
       # SAS startup script — invoked via PRE_DEPLOY_SCRIPT before SAS
       # services start.  Must NOT mount at /tmp/pre_deploy.sh because
       # the entrypoint overwrites that path with the env var content.
-      - ./sas-startup.sh:/opt/sas/aou/sas-startup.sh:ro
-      # Fallback license mount for manual GCE testing without Mikey Secrets.
-      # With Mikey Secrets, the entrypoint wrapper populates /sasinside/ from
-      # the SAS_LICENSE_PATH file descriptor instead.
-      - ./sasinside:/sasinside
+      - ./sas-pre-deploy.sh:/opt/sas/aou/sas-pre-deploy.sh:ro
+      - ./sas-post-deploy.sh:/opt/sas/aou/sas-post-deploy.sh:ro
     tmpfs:
       - /data/workspace:uid=1002,gid=1100
     environment:
       HOST_AUTH: ""
       SAS_DEBUG: "0"
       SASLICENSEFILE: "SASLicense.jwt"
       GOMEMLIMIT: "20MiB"
-      PRE_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-startup.sh"
+      PRE_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-pre-deploy.sh"
+      POST_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-post-deploy.sh"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWEDORIGINS: "-Dsas.commons.web.security.cors.allowedOrigins=*"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWCREDENTIALS: "-Dsas.commons.web.security.cors.allowCredentials=false"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWEDHEADERS: "-Dsas.commons.web.security.cors.allowedHeaders=*"

src/aou-sas/sas-entrypoint.sh

@@ -6,14 +6,13 @@
 # copies the license to /sasinside/SASLicense.jwt where the SAS Analytics
 # Pro entrypoint expects it.
 #
-# When SAS_LICENSE_PATH is not set (manual GCE testing), this script is a
-# no-op passthrough — SAS reads the license from the bind-mounted /sasinside/.
+# When SAS_LICENSE_PATH is not set, this script is a no-op passthrough.
 
 if [ -n "${SAS_LICENSE_PATH:-}" ]; then
   mkdir -p /sasinside
   cp "$SAS_LICENSE_PATH" /sasinside/SASLicense.jwt
   chmod 400 /sasinside/SASLicense.jwt
-  chown root:root /sasinside/SASLicense.jwt
+  chown sas:sas /sasinside/SASLicense.jwt
 fi
 
 exec /opt/sas/viya/home/bin/sas-analytics-pro-entrypoint.sh "$@"

src/aou-sas/sas-post-deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# sas-post-deploy.sh — Lock down the SAS license after it has been applied.
+#
+# Invoked via POST_DEPLOY_SCRIPT after SAS services start.  The license must
+# be readable by the sas user during application (PRE_DEPLOY), but afterward
+# we restrict it to root so the aou user cannot exfiltrate it via pipe commands.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [ -f /sasinside/SASLicense.jwt ]; then
+  chmod 400 /sasinside/SASLicense.jwt
+  chown root:root /sasinside/SASLicense.jwt
+fi

src/aou-sas/sas-startup.sh src/aou-sas/sas-pre-deploy.shsrc/aou-sas/sas-startup.sh renamed to src/aou-sas/sas-pre-deploy.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# sas-startup.sh — Runtime setup for SAS Analytics Pro on VWB GCE.
+# sas-pre-deploy.sh — Runtime setup for SAS Analytics Pro on VWB GCE.
 #
-# Mounted at /opt/sas/aou/sas-startup.sh and invoked via PRE_DEPLOY_SCRIPT
+# Mounted at /opt/sas/aou/sas-pre-deploy.sh and invoked via PRE_DEPLOY_SCRIPT
 # before SAS services start.  Only handles steps that depend on the /data
 # volume or runtime state; build-time setup is in the Dockerfile.
 #
@@ -17,22 +17,10 @@ set -o pipefail
 mkdir -p /data/saswork /data/utilloc
 chown -R aou:aougroup /data
 
-###############################################################################
-# Lock down the SAS license so the aou user cannot read it via pipe commands.
-# The entrypoint wrapper already sets root:root 0400 for Mikey Secrets, but
-# this covers the bind-mount fallback and acts as defence in depth.
-###############################################################################
-if [ -f /sasinside/SASLicense.jwt ]; then
-  chown root:root /sasinside/SASLicense.jwt
-  chmod 400 /sasinside/SASLicense.jwt
-fi
-
 ###############################################################################
 # AoU environment loader (staged in Dockerfile at /opt/sas/aou/)
 ###############################################################################
 if [ -d /opt/sas/aou ]; then
   cp -n /opt/sas/aou/load-env /opt/sas/aou/load-env.sh /data/ 2>/dev/null || true
   chown aou:aougroup /data/load-env /data/load-env.sh 2>/dev/null || true
-  grep -q "load-env.sh" /data/.bashrc 2>/dev/null || \
-    echo "source /data/load-env.sh" >> /data/.bashrc
 fi

src/aou-sas/sasinside/.gitignore

@@ -2,4 +2,4 @@ secrets:
   - name: "SASDockerAuth"
     dockerRegistry: "cr.sas.com"
   - name: "SASLicense"
-    pathVar: "SAS_LICENSE_PATH"
+    pipeVar: "SAS_LICENSE_PATH"

src/aou-sas/secrets.yml

@@ -0,0 +1,22 @@
+#!/bin/bash
+# setup-sas-env.sh — Populate environment files for SAS Studio sessions.
+#
+# Runs after post-startup.sh (or remount-on-restart.sh) to create env files
+# that the SAS workspace server sources on session start.
+#
+# - /data/.aou-env:       AoU CDR variables (from load-env)
+# - /data/.workbench-env: Workbench variables (extracted from .bashrc)
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+readonly USER_NAME="${1}"
+readonly DATA_DIR="${2}"
+
+if [ -f "${DATA_DIR}/load-env.sh" ]; then
+  sudo -u "${USER_NAME}" bash -c "source '${DATA_DIR}/load-env.sh'" || true
+fi
+
+# Extract export statements from .bashrc to get workbench environment variables
+grep '^export ' "${DATA_DIR}/.bashrc" > "${DATA_DIR}/.workbench-env" || true