Repository: hadoop Updated Branches: refs/heads/trunk aab310978 -> 42297f7d9
YARN-8963. Add flag to disable interactive shell. Contributed by Eric Yang Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/42297f7d Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/42297f7d Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/42297f7d Branch: refs/heads/trunk Commit: 42297f7d99df2769846a58efcf1b02fadb5ba60b Parents: aab3109 Author: Billie Rinaldi <bil...@apache.org> Authored: Fri Dec 14 18:44:36 2018 -0800 Committer: Billie Rinaldi <bil...@apache.org> Committed: Fri Dec 14 18:44:36 2018 -0800 ---------------------------------------------------------------------- .../container-executor/impl/container-executor.c | 6 ++++++ .../container-executor/impl/container-executor.h | 6 ++++++ .../src/main/native/container-executor/impl/main.c | 14 ++++++++++---- .../src/site/markdown/SecureContainer.md | 3 +++ 4 files changed, 25 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/42297f7d/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c ----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index dcbfb0f..65bb803 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -73,6 +73,7 @@ static const int DEFAULT_MIN_USERID = 1000;
 static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin", 0};
+static const int DEFAULT_TERMINAL_SUPPORT_ENABLED = 0;
 static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
 static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
 static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
@@ -490,6 +491,11 @@ int is_feature_enabled(const char* feature_key, int default_value,
 }
 }
+int is_terminal_support_enabled() {
+ return is_feature_enabled(TERMINAL_SUPPORT_ENABLED_KEY,
+ DEFAULT_TERMINAL_SUPPORT_ENABLED, &executor_cfg);
+}
+
 int is_docker_support_enabled() {
 return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
 DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
http://git-wip-us.apache.org/repos/asf/hadoop/blob/42297f7d/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h ----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
index bf99452..b215af7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
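Review bot: `DEFAULT_TERMINAL_SUPPORT_ENABLED` in the first hunk has no comment saying why the feature is off by default, while the SecureContainer.md sample changed in this same commit shows `feature.terminal.enabled=1`, so an operator who copies the sample ends up with interactive shell access switched on. I would state the intent on the constant, for example `/* Interactive shell into containers stays disabled unless feature.terminal.enabled is set in the executor config. */`. It may also be worth showing `0` or a commented-out line in the sample so the documented and compiled-in defaults agree.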
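Review bot: `int is_terminal_support_enabled()` in the second hunk is defined with an empty parameter list, which in C before C23 is not a prototype, so a call that passes arguments by mistake is not diagnosed. Writing it as `int is_terminal_support_enabled(void) {` closes that gap; the declaration added to container-executor.h has the same form and would change with it. The neighbouring `is_docker_support_enabled()` is written the same way, so this follows the file's existing habit rather than introducing a new one.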
@@ -67,6 +67,7 @@ enum operations {
 #define MIN_USERID_KEY "min.user.id"
 #define BANNED_USERS_KEY "banned.users"
 #define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
+#define TERMINAL_SUPPORT_ENABLED_KEY "feature.terminal.enabled"
 #define DOCKER_SUPPORT_ENABLED_KEY "feature.docker.enabled"
 #define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
 #define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
@@ -341,3 +342,8 @@ char* flatten(char **args);
 * Remove docker container
 */
 int remove_docker_container(char **argv, int argc);
+
+/**
+ * Check if terminal feature is enabled
+ */
+int is_terminal_support_enabled();
http://git-wip-us.apache.org/repos/asf/hadoop/blob/42297f7d/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c ----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
index 5124890..8cdb8a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
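Review bot: The doc comment added at the end of the header, `Check if terminal feature is enabled`, does not say which setting controls the feature or what happens when the setting is absent. I would expand it to name the key and the default, e.g. `Check whether the interactive terminal (--exec-container) feature is enabled through feature.terminal.enabled; the default passed to is_feature_enabled is 0 (disabled).` The return convention comes from `is_feature_enabled`, whose body is outside these hunks, so any wording about the return value should be confirmed against it.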
@@ -54,20 +54,26 @@ static void display_usage(FILE *stream) {
 if(is_docker_support_enabled()) {
 fprintf(stream,
 " container-executor --run-docker <command-file>\n"
- " container-executor --exec-container <command-file>\n"
 " container-executor --remove-docker-container [hierarchy] "
 "<container_id>\n"
 " container-executor --inspect-docker-container <container_id>\n");
 } else {
 fprintf(stream,
 "[DISABLED] container-executor --run-docker <command-file>\n"
- "[DISABLED] container-executor --exec-container <command-file>\n"
 "[DISABLED] container-executor --remove-docker-container [hierarchy] "
 "<container_id>\n"
 "[DISABLED] container-executor --inspect-docker-container "
 "<format> ... <container_id>\n");
 }
+ if (is_terminal_support_enabled()) {
+ fprintf(stream,
+ " container-executor --exec-container <command-file>\n");
+ } else {
+ fprintf(stream,
+ "[DISABLED] container-executor --exec-container <command-file>\n");
+ }
+
 fprintf(stream,
 " container-executor <user> <yarn-user> <command> <command-args>\n"
 " where command and command-args: \n" \
@@ -351,7 +357,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
 }
 if (strcmp("--exec-container", argv[1]) == 0) {
- if(is_docker_support_enabled()) {
+ if(is_terminal_support_enabled()) {
 if (argc != 3) {
 display_usage(stdout);
 return INVALID_ARGUMENT_NUMBER;
@@ -361,7 +367,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
 *operation = EXEC_CONTAINER;
 return 0;
 } else {
- display_feature_disabled_message("docker");
+ display_feature_disabled_message("feature.terminal.enabled");
 return FEATURE_DISABLED;
 }
 }
http://git-wip-us.apache.org/repos/asf/hadoop/blob/42297f7d/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md ----------------------------------------------------------------------
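Review bot: In `validate_arguments`, `--exec-container` is now gated only on `is_terminal_support_enabled()`, so a configuration with docker support off and `feature.terminal.enabled=1` still reaches `*operation = EXEC_CONTAINER`. Until this commit the operation was listed and gated as a docker command, which suggests it still depends on docker, though the exec path itself is not visible here. If so, requiring both flags keeps the docker switch authoritative: `if (is_docker_support_enabled() && is_terminal_support_enabled()) {`, with the same combined condition in the `display_usage` hunk. If the two switches are meant to be independent, a one-line comment saying so would prevent the question; the function body starts and ends outside these hunks.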
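Review bot: In the last hunk, `display_feature_disabled_message("feature.terminal.enabled")` passes the configuration key, where the line it replaces passed the short feature name `"docker"`. The message format is defined outside this hunk, so the output may read inconsistently next to the other features; `display_feature_disabled_message("terminal");` would match the existing call style. If the key is passed on purpose to tell the operator which setting to change, a short comment would make that clear.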
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
index a66c042..397e76b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
@@ -59,8 +59,11 @@ yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodema
 banned.users=#comma separated list of users who can not run applications
 allowed.system.users=#comma separated list of allowed system users
 min.user.id=1000#Prevent other super-users
+feature.terminal.enabled=1
 ```
+Terminal feature (feature.terminal.enabled) allows restricted shell into secure container via YARN UI2.
+
 ###Windows Secure Container Executor (WSCE)
 The Windows environment secure container executor is the `WindowsSecureContainerExecutor`. It uses the Windows S4U infrastructure to launch the container as the YARN application user. The WSCE requires the presense of the `hadoopwinutilsvc` service. This services is hosted by `%HADOOP_HOME%\bin\winutils.exe` started with the `service` command line argument. This service offers some privileged operations that require LocalSystem authority so that the NM is not required to run the entire JVM and all the NM code in an elevated context. The NM interacts with the `hadoopwintulsvc` service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in `hadoop.dll`.
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org