YARN-7221. Add security check for privileged docker container. Contributed by Eric Yang
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/933477e9
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/933477e9
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/933477e9
Branch: refs/heads/HDFS-7240
Commit: 933477e9e0526e2ed81ea454f8806de31981822a
Parents: f7d5bac
Author: Billie Rinaldi <bil...@apache.org>
Authored: Wed Apr 11 08:23:20 2018 -0700
Committer: Billie Rinaldi <bil...@apache.org>
Committed: Wed Apr 11 11:24:23 2018 -0700
----------------------------------------------------------------------
.../runtime/DockerLinuxContainerRuntime.java | 10 +-
.../container-executor/impl/utils/docker-util.c | 100 ++++++++++++++++++-
.../test/utils/test_docker_util.cc | 97 +++++++++---------
.../runtime/TestDockerContainerRuntime.java | 11 +-
4 files changed, 157 insertions(+), 61 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index 51abeb6..7106aad 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -767,7 +767,11 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
 throw new ContainerExecutionException(message);
 }
 }
- dockerRunAsUser = uid + ":" + gid;
+ if (!allowPrivilegedContainerExecution(container)) {
+ dockerRunAsUser = uid + ":" + gid;
+ } else {
+ dockerRunAsUser = ctx.getExecutionAttribute(USER);
+ }
 }
 //List<String> -> stored as List -> fetched/converted to List<String>
@@ -879,7 +883,9 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
 }
 if(enableUserReMapping) {
- runCommand.groupAdd(groups);
+ if (!allowPrivilegedContainerExecution(container)) {
+ runCommand.groupAdd(groups);
+ }
 }
 // use plugins to update docker run command.
http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 3bd94a1..fdeaeea 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -16,6 +16,9 @@
 * limitations under the License.
 */
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/wait.h>
 #include <string.h>
 #include <strings.h>
 #include <stdlib.h>
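Review bot: `allowPrivilegedContainerExecution(container)` is now evaluated twice in the same method (once to choose `dockerRunAsUser`, once around `groupAdd`); if it is side-effect free, evaluate it once, `boolean privileged = allowPrivilegedContainerExecution(container);`, and collapse the second hunk to `if (enableUserReMapping && !privileged) { runCommand.groupAdd(groups); }`. The branch that passes the user name instead of `uid:gid` also deserves a why-comment, e.g. `// privileged containers are launched by user name: container-executor resolves it with getpwnam() to check the account's host privileges`; that reading is inferred from the docker-util.c hunk in this commit, so confirm it before committing the comment. The enclosing method starts and ends outside both hunks.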
@@ -25,6 +28,9 @@
 #include "docker-util.h"
 #include "string-utils.h"
 #include "util.h"
+#include <grp.h>
+#include <pwd.h>
+#include <errno.h>
 static int read_and_verify_command_file(const char *command_file, const char *docker_command, struct configuration *command_config) {
@@ -1254,14 +1260,94 @@ static int add_rw_mounts(const struct configuration *command_config, const stru
 return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen);
 }
+static int check_privileges(const char *user) {
+ int ngroups = 0;
+ gid_t *groups = NULL;
+ struct passwd *pw;
+ struct group *gr;
+ int ret = 0;
+ int waitid = -1;
+ int statval = 0;
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
+ fprintf(ERRORFILE, "User %s does not exist in host OS.\n", user);
+ exit(INITIALIZE_USER_FAILED);
+ }
+
+ int rc = getgrouplist(user, pw->pw_gid, groups, &ngroups);
+ if (rc < 0) {
+ groups = (gid_t *) alloc_and_clear_memory(ngroups, sizeof(gid_t));
+ if (groups == NULL) {
+ fprintf(ERRORFILE, "Failed to allocate buffer for group lookup for user %s.\n", user);
+ exit(OUT_OF_MEMORY);
+ }
+ if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
+ fprintf(ERRORFILE, "Fail to lookup groups for user %s.\n", user);
+ ret = 2;
+ }
+ }
+
+ if (ret != 2) {
+ for (int j = 0; j < ngroups; j++) {
+ gr = getgrgid(groups[j]);
+ if (gr != NULL) {
+ if (strcmp(gr->gr_name, "root")==0 || strcmp(gr->gr_name, "docker")==0) {
+ ret = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ if (ret != 1) {
+ int child_pid = fork();
+ if (child_pid == 0) {
+ execl("/bin/sudo", "sudo", "-U", user, "-n", "-l", "docker", NULL);
+ exit(INITIALIZE_USER_FAILED);
+ } else {
+ while ((waitid = waitpid(child_pid, &statval, 0)) != child_pid) {
+ if (waitid == -1 && errno != EINTR) {
+ fprintf(ERRORFILE, "waitpid failed: %s\n", strerror(errno));
+ break;
+ }
+ }
+ if (waitid == child_pid) {
+ if (WIFEXITED(statval)) {
+ if (WEXITSTATUS(statval) == 0) {
+ ret = 1;
+ }
+ } else if (WIFSIGNALED(statval)) {
+ fprintf(ERRORFILE, "sudo terminated by signal %d\n", WTERMSIG(statval));
+ }
+ }
+ }
+ }
+ free(groups);
+ if (ret == 1) {
+ fprintf(ERRORFILE, "check privileges passed for user: %s\n", user);
+ } else {
+ fprintf(ERRORFILE, "check privileges failed for user: %s, error code: %d\n", user, ret);
+ ret = 0;
+ }
+ return ret;
+}
+
 static int set_privileged(const struct configuration *command_config, const struct configuration *conf, char *out, const size_t outlen) {
 size_t tmp_buffer_size = 1024;
+ char *user = NULL;
 char *tmp_buffer = (char *) alloc_and_clear_memory(tmp_buffer_size, sizeof(char));
 char *value = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, command_config);
 char *privileged_container_enabled = get_configuration_value("docker.privileged-containers.enabled", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf);
 int ret = 0;
+ int allowed = 0;
+
+ user = get_configuration_value("user", DOCKER_COMMAND_FILE_SECTION, command_config);
+ if (user == NULL) {
+ return INVALID_DOCKER_USER_NAME;
+ }
 if (value != NULL && strcasecmp(value, "true") == 0 ) {
 if (privileged_container_enabled != NULL) {
@@ -1273,9 +1359,16 @@ static int set_privileged(const struct configuration *command_config, const stru
 ret = PRIVILEGED_CONTAINERS_DISABLED;
 goto free_and_exit;
 }
- ret = add_to_buffer(out, outlen, "--privileged ");
- if (ret != 0) {
- ret = BUFFER_TOO_SMALL;
+ allowed = check_privileges(user);
+ if (allowed) {
+ ret = add_to_buffer(out, outlen, "--privileged ");
+ if (ret != 0) {
+ ret = BUFFER_TOO_SMALL;
+ }
+ } else {
+ fprintf(ERRORFILE, "Privileged containers are disabled for user: %s\n", user);
+ ret = PRIVILEGED_CONTAINERS_DISABLED;
+ goto free_and_exit;
 }
 } else {
 fprintf(ERRORFILE, "Privileged containers are disabled\n");
@@ -1293,6 +1386,7 @@ static int set_privileged(const struct configuration *command_config, const stru
 free(tmp_buffer);
 free(value);
 free(privileged_container_enabled);
+ free(user);
 if (ret != 0) {
 memset(out, 0, outlen);
 }
http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
----------------------------------------------------------------------
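Review bot: The new early `return INVALID_DOCKER_USER_NAME;` in `set_privileged` leaks `tmp_buffer`, `value` and `privileged_container_enabled`, all allocated on the lines directly above it; route it through the function's existing cleanup instead, `ret = INVALID_DOCKER_USER_NAME; goto free_and_exit;` (the `free(user)` added there is safe on NULL). In `check_privileges`, a failed `execl` of the hard-coded `/bin/sudo` (hosts that only ship `/usr/bin/sudo`) makes the child exit `INITIALIZE_USER_FAILED` with no message, and the parent then prints `error code: 0`, so a deployment problem is indistinguishable from a user who simply has no sudo rule; log it before exiting, `fprintf(ERRORFILE, "Failed to execute /bin/sudo: %s\n", strerror(errno));`. Failing closed is the right outcome here; the log line is what lets an operator tell the two cases apart. A short header comment on `check_privileges` stating that access is granted by membership in the `root` or `docker` group, or else by a sudo policy allowing `docker`, would also help the next reader.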
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 5d9779c..35b7873 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -646,10 +646,10 @@ namespace ContainerExecutor {
 FAIL();
 }
 ret = set_privileged(&cmd_cfg, &container_cfg, buff, buff_len);
- ASSERT_EQ(0, ret);
- ASSERT_STREQ(itr->second.c_str(), buff);
+ ASSERT_EQ(6, ret);
+ ASSERT_EQ(0, strlen(buff));
 }
- write_command_file("[docker-command-execution]\n docker-command=run\n privileged=true\n image=nothadoop/image");
+ write_command_file("[docker-command-execution]\n docker-command=run\n user=nobody\n privileged=true\n image=nothadoop/image");
 ret = read_config(docker_command_file.c_str(), &cmd_cfg);
 if (ret != 0) {
 FAIL();
@@ -669,9 +669,7 @@ namespace ContainerExecutor {
 }
 file_cmd_vec.clear();
 file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run\n privileged=false", ""));
- file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run", ""));
+ "[docker-command-execution]\n docker-command=run\n user=root\n privileged=false", ""));
 for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
 memset(buff, 0, buff_len);
 write_command_file(itr->first);
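Review bot: `ASSERT_EQ(6, ret);` pins a bare integer where the rest of this file compares against the error enum (`static_cast<int>(PRIVILEGED_CONTAINERS_DISABLED)` appears later in the same file); if 6 is that value, write `ASSERT_EQ(static_cast<int>(PRIVILEGED_CONTAINERS_DISABLED), ret);` so a renumbering of the enum does not silently break the test. These cases also now depend on the host: `user=nobody` is expected to be refused, which only holds when `nobody` is in neither the `root` nor the `docker` group and has no sudo rule for `docker`, and in that case the test process forks `/bin/sudo`; `user=root` is expected to pass through group membership. A comment stating those assumptions next to the `nobody`/`root` command files would save the next person a confusing CI failure.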
@@ -683,7 +681,7 @@ namespace ContainerExecutor {
 ASSERT_EQ(0, ret);
 ASSERT_STREQ(itr->second.c_str(), buff);
 }
- write_command_file("[docker-command-execution]\n docker-command=run\n privileged=true");
+ write_command_file("[docker-command-execution]\n docker-command=run\n user=root\n privileged=true");
 ret = read_config(docker_command_file.c_str(), &cmd_cfg);
 if (ret != 0) {
 FAIL();
@@ -1114,64 +1112,64 @@ namespace ContainerExecutor { std::vector<std::pair<std::string, std::string> > file_cmd_vec; file_cmd_vec.push_back(std::make_pair<std::string, std::string>( - "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test", - "run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' ")); + "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody", + "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'hadoop/docker-image' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( - "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test", - "run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'nothadoop/docker-image' ")); + "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody", + "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'nothadoop/docker-image' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( - "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n" + "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' ")); + "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' ")); // Test non-privileged conatiner with launch command 
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' " "'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm" " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); // Test non-privileged 
container and drop all privileges file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'" " 'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge'" " 
--cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); // Test privileged container file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" @@ -1181,10 +1179,9 @@ namespace ContainerExecutor { "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' " "'bash' 'test_script.sh' 'arg1' 'arg2' ")); - file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n" 
@@ -1196,28 +1193,28 @@ namespace ContainerExecutor { file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=nobody\n hostname=host-id\n" " network=bridge\n net=bridge\n" " detach=true\n rm=true\n group-add=1000,1001\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' --cap-drop='ALL' " + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge' --cap-drop='ALL' " "--hostname='host-id' --group-add '1000' --group-add '1001' " "'docker-image' ")); std::vector<std::pair<std::string, int> > bad_file_cmd_vec; bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( - "[docker-command-execution]\n docker-command=run\n image=hadoop/docker-image\n user=test", + "[docker-command-execution]\n docker-command=run\n image=hadoop/docker-image\n user=nobody", static_cast<int>(INVALID_DOCKER_CONTAINER_NAME))); bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( - "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n user=test\n", + "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n user=nobody\n", static_cast<int>(INVALID_DOCKER_IMAGE_NAME))); bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n", static_cast<int>(INVALID_DOCKER_USER_NAME))); bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n 
name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n" @@ -1227,7 +1224,7 @@ namespace ContainerExecutor { // invalid rw mount bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/var/log:/var/log\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" @@ -1237,7 +1234,7 @@ namespace ContainerExecutor { // invalid ro mount bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/bin:/bin,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" 
@@ -1247,7 +1244,7 @@ namespace ContainerExecutor { // invalid capability bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" 
@@ -1257,17 +1254,17 @@ namespace ContainerExecutor { // invalid device bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - static_cast<int>(INVALID_DOCKER_DEVICE))); + static_cast<int>(PRIVILEGED_CONTAINERS_DISABLED))); // invalid network bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" 
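Review bot: The `// invalid device` case now expects `PRIVILEGED_CONTAINERS_DISABLED` instead of `INVALID_DOCKER_DEVICE`, because the `user=nobody` it now carries is refused for `privileged=true` before the device list is examined (inferred from the new expectation), so this case no longer exercises device validation at all. Keep that path covered by giving the case a user that may run privileged, `user=root` as the privileged cases above it do, and restoring `static_cast<int>(INVALID_DOCKER_DEVICE)` — assuming device validation still runs after the privilege check, which the hunk does not show.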
@@ -1304,59 +1301,59 @@ namespace ContainerExecutor { std::vector<std::pair<std::string, std::string> > file_cmd_vec; file_cmd_vec.push_back(std::make_pair<std::string, std::string>( - "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test", - "run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); + "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=nobody", + "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n" - " user=test\n launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); + " user=nobody\n launch-command=bash,test_script.sh,arg1,arg2", + "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm -v 
'/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' " "'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm" " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm 
--net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'" " 'test_script.sh' 'arg1' 'arg2' ")); file_cmd_vec.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n net=bridge\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " launch-command=bash,test_script.sh,arg1,arg2", - "run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'" + "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge'" " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); std::vector<std::pair<std::string, int> > bad_file_cmd_vec; bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( "[docker-command-execution]\n" - " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" + " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" 
@@ -1387,8 +1384,8 @@ namespace ContainerExecutor { "--config='/my-config' stop container_e1_12312_11111_02_000001")); input_output_map.push_back(std::make_pair<std::string, std::string>( "[docker-command-execution]\n docker-command=run\n docker-config=/my-config\n name=container_e1_12312_11111_02_000001\n" - " image=docker-image\n user=test", - "--config='/my-config' run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); + " image=docker-image\n user=nobody", + "--config='/my-config' run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' ")); std::vector<std::pair<std::string, std::string> >::const_iterator itr; char buffer[4096]; http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java index acb3e42..8fbfbe2 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java 
@@ -214,7 +214,7 @@ public class TestDockerContainerRuntime {
 // Prevent gid threshold failures for these tests
 conf.setInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_GID_THRESHOLD, 0);
- user = "user";
+ user = submittingUser;
 appId = "app_id";
 containerIdStr = containerId;
 containerWorkDir = new Path("/test_container_work_dir");
@@ -957,7 +957,7 @@ public class TestDockerContainerRuntime {
 List<String> dockerCommands = Files.readAllLines(Paths.get
 (dockerCommandFile), Charset.forName("UTF-8"));
- int expected = 15;
+ int expected = 14;
 int counter = 0;
 Assert.assertEquals(expected, dockerCommands.size());
 Assert.assertEquals("[docker-command-execution]",
@@ -967,8 +967,6 @@ public class TestDockerContainerRuntime {
 Assert.assertEquals(" cap-drop=ALL", dockerCommands.get(counter++));
 Assert.assertEquals(" detach=true", dockerCommands.get(counter++));
 Assert.assertEquals(" docker-command=run", dockerCommands.get(counter++));
- Assert.assertEquals(" group-add=" + String.join(",", groups),
- dockerCommands.get(counter++));
 Assert
 .assertEquals(" image=busybox:latest", dockerCommands.get(counter++));
 Assert.assertEquals(
@@ -984,7 +982,8 @@ public class TestDockerContainerRuntime {
 " rw-mounts=/test_container_log_dir:/test_container_log_dir," +
 "/test_application_local_dir:/test_application_local_dir",
 dockerCommands.get(counter++));
- Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
+ Assert.assertEquals(" user=" + submittingUser,
+ dockerCommands.get(counter++));
 Assert.assertEquals(" workdir=/test_container_work_dir",
 dockerCommands.get(counter));
 }
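Review bot: With `expected = 14`, the removed `group-add` assertion and `" user=" + submittingUser`, this test now only checks the privileged path of the production change (user name, no `--group-add`); the `uid:gid` plus `group-add` output that non-privileged containers still receive is no longer asserted here. Unless another test in this file covers it, add a non-privileged variant that keeps the old `" user=" + uidGidPair` and `" group-add=" + String.join(",", groups)` assertions. That this test's container is privileged is inferred from the new expectations; the setup deciding it lies outside these hunks.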
@@ -1303,7 +1302,7 @@ public class TestDockerContainerRuntime {
 Assert.assertEquals(op.getOperationType(),
 PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
 Assert.assertEquals(runAsUser, op.getArguments().get(0));
- Assert.assertEquals("user", op.getArguments().get(1));
+ Assert.assertEquals(submittingUser, op.getArguments().get(1));
 Assert.assertEquals("2", op.getArguments().get(2));
 Assert.assertEquals("1234", op.getArguments().get(3));
 Assert.assertEquals("0", op.getArguments().get(4));
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org