YARN-7446. Remove --user flag when running privileged mode docker container. 
Contributed by Eric Yang


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c7a4463f
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c7a4463f
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c7a4463f

Branch: refs/heads/YARN-7055
Commit: c7a4463f69bf4471633c839657826067c7b6fe94
Parents: 97af19c
Author: Billie Rinaldi <bil...@apache.org>
Authored: Tue Feb 27 14:33:03 2018 -0800
Committer: Rohith Sharma K S <rohithsharm...@apache.org>
Committed: Fri Mar 2 11:08:28 2018 +0530

----------------------------------------------------------------------
 .../container-executor/impl/utils/docker-util.c | 24 ++++++++++++++++----
 .../test/utils/test_docker_util.cc              |  9 +++++---
 2 files changed, 25 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/c7a4463f/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
----------------------------------------------------------------------
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 7159374..dfc044b 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -805,6 +805,14 @@ static int set_group_add(const struct configuration 
*command_config, char *out,
   char **group_add = get_configuration_values_delimiter("group-add", 
DOCKER_COMMAND_FILE_SECTION, command_config, ",");
   size_t tmp_buffer_size = 4096;
   char *tmp_buffer = NULL;
+  char *privileged = NULL;
+
+  privileged = get_configuration_value("privileged", 
DOCKER_COMMAND_FILE_SECTION, command_config);
+  if (privileged != NULL && strcasecmp(privileged, "true") == 0 ) {
+    free(privileged);
+    return ret;
+  }
+  free(privileged);
 
   if (group_add != NULL) {
     for (i = 0; group_add[i] != NULL; ++i) {
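Review bot: The early return added for the privileged case leaks `group_add`: get_configuration_values_delimiter() has already allocated it on the line above the new code, and the `return ret;` path frees only `privileged`. The cheapest fix is to move the `privileged` lookup and its early return above the `char **group_add = get_configuration_values_delimiter(...)` call so nothing has been allocated yet when the function bails out; otherwise release `group_add` before returning with whatever helper the rest of the function uses for it. The value of `ret` returned on that path is declared before the hunk, so that it is still 0 there cannot be confirmed from here; set_group_add's body continues outside the hunk.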
@@ -1211,6 +1219,7 @@ int get_docker_run_command(const char *command_file, 
const struct configuration
   size_t tmp_buffer_size = 1024;
   char *tmp_buffer = NULL;
   char **launch_command = NULL;
+  char *privileged = NULL;
   struct configuration command_config = {0, NULL};
   ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, 
&command_config);
   if (ret != 0) {
@@ -1250,12 +1259,17 @@ int get_docker_run_command(const char *command_file, 
const struct configuration
   }
   memset(tmp_buffer, 0, tmp_buffer_size);
 
-  quote_and_append_arg(&tmp_buffer, &tmp_buffer_size, "--user=", user);
-  ret = add_to_buffer(out, outlen, tmp_buffer);
-  if (ret != 0) {
-    return BUFFER_TOO_SMALL;
+  privileged = get_configuration_value("privileged", 
DOCKER_COMMAND_FILE_SECTION, &command_config);
+
+  if (privileged == NULL || strcasecmp(privileged, "false") == 0) {
+      quote_and_append_arg(&tmp_buffer, &tmp_buffer_size, "--user=", user);
+      ret = add_to_buffer(out, outlen, tmp_buffer);
+      if (ret != 0) {
+        return BUFFER_TOO_SMALL;
+      }
+      memset(tmp_buffer, 0, tmp_buffer_size);
   }
-  memset(tmp_buffer, 0, tmp_buffer_size);
+  free(privileged);
 
   ret = detach_container(&command_config, out, outlen);
   if (ret != 0) {
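Review bot: The guard around `--user=` is the inverse of the check used in set_group_add: here `--user` is omitted whenever `privileged` is anything other than absent or `false`, so a command file carrying `privileged=yes` or `privileged=1` — which a `strcasecmp(..., "true")` test would not treat as privileged — launches with no `--user` and therefore as the image's default user (in most images, root) without the container actually getting `--privileged`. Use the positive form so both sites agree: `if (privileged == NULL || strcasecmp(privileged, "true") != 0) {`. The `return BUFFER_TOO_SMALL;` inside the new block also leaks `privileged`, which is only freed after the block; add `free(privileged);` before that return. Whether privileged containers are gated elsewhere (an allow-list of users or a nodemanager setting) is not visible in this hunk, so this note only concerns the flag handling itself.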

http://git-wip-us.apache.org/repos/asf/hadoop/blob/c7a4463f/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
----------------------------------------------------------------------
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 7617d2c..81823a8 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -1063,6 +1063,7 @@ namespace ContainerExecutor {
             "  launch-command=bash,test_script.sh,arg1,arg2",
         "run --name='container_e1_12312_11111_02_000001' --user='test' 
--cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' 
"));
 
+    // Test non-privileged conatiner with launch command
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
         "[docker-command-execution]\n"
             "  docker-command=run\n  name=container_e1_12312_11111_02_000001\n 
 image=hadoop/docker-image\n  user=test\n  hostname=host-id\n"
@@ -1084,6 +1085,7 @@ namespace ContainerExecutor {
         "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm"
             " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' 
--hostname='host-id' 'nothadoop/docker-image' "));
 
+    // Test non-privileged container and drop all privileges
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
         "[docker-command-execution]\n"
             "  docker-command=run\n  name=container_e1_12312_11111_02_000001\n 
 image=hadoop/docker-image\n  user=test\n  hostname=host-id\n"
@@ -1105,6 +1107,7 @@ namespace ContainerExecutor {
         "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm 
--net='bridge'"
             " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' 
--hostname='host-id' 'nothadoop/docker-image' "));
 
+    // Test privileged container
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
         "[docker-command-execution]\n"
             "  docker-command=run\n  name=container_e1_12312_11111_02_000001\n 
 image=hadoop/docker-image\n  user=test\n  hostname=host-id\n"
@@ -1112,7 +1115,7 @@ namespace ContainerExecutor {
             "  network=bridge\n  devices=/dev/test:/dev/test\n  net=bridge\n  
privileged=true\n"
             "  cap-add=CHOWN,SETUID\n  cgroup-parent=ctr-cgroup\n  
detach=true\n  rm=true\n"
             "  launch-command=bash,test_script.sh,arg1,arg2",
-        "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm 
--net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
+        "run --name='container_e1_12312_11111_02_000001' -d --rm 
--net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
             " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' 
--cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
             "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' 
--device='/dev/test:/dev/test' 'hadoop/docker-image' "
             "'bash' 'test_script.sh' 'arg1' 'arg2' "));
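Review bot: The updated expectation only pins the `privileged=true` case; no vector in view exercises an explicit `privileged=false` or an unrecognized value such as `privileged=yes`, which is exactly where the `--user` guard in get_docker_run_command (drop unless absent or `false`) and the `strcasecmp(..., "true")` test in set_group_add can disagree. Add one vector with `privileged=false\n  group-add=1000,1001\n` expecting `--user='test'` and the `--group-add` arguments to be kept, and one with an unrecognized value asserting whichever behaviour is intended, so a later change to either check is caught. The vectors commented as "non-privileged" above this hunk may or may not set `privileged=false` explicitly; their command-file text is outside the hunk.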
@@ -1125,9 +1128,9 @@ namespace ContainerExecutor {
             "  network=bridge\n  devices=/dev/test:/dev/test\n  net=bridge\n  
privileged=true\n"
             "  cap-add=CHOWN,SETUID\n  cgroup-parent=ctr-cgroup\n  
detach=true\n  rm=true\n  group-add=1000,1001\n"
             "  launch-command=bash,test_script.sh,arg1,arg2",
-        "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm 
--net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
+        "run --name='container_e1_12312_11111_02_000001' -d --rm 
--net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
             " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' 
--cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
-            "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' 
--group-add '1000' --group-add '1001' "
+            "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' "
             "--device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' 
'test_script.sh' 'arg1' 'arg2' "));
 
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(

