container-executor support for FreeBSD, NetBSD, and others if conf path is absolute

    Details

      Description

      YARN-5121 fixed quite a few portability issues, but it also changed how it determines its location to be very operating system specific for security reasons. We should add support for FreeBSD to unbreak its ports entry, NetBSD (the sysctl options are just in a different order), and for operating systems that do not have a defined method, an escape hatch.

      1. YARN-5456.00.patch
        9 kB
        Allen Wittenauer
      2. YARN-5456.01.patch
        16 kB
        Allen Wittenauer

          Activity

          aw Allen Wittenauer added a comment -

          -00:

          • first pass
          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 19s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 6m 47s trunk passed
          +1 compile 0m 27s trunk passed
          +1 mvnsite 0m 26s trunk passed
          +1 mvneclipse 0m 13s trunk passed
          +1 mvninstall 0m 22s the patch passed
          +1 compile 0m 23s the patch passed
          -1 cc 0m 23s hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
          +1 javac 0m 23s the patch passed
          +1 mvnsite 0m 23s the patch passed
          +1 mvneclipse 0m 10s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 unit 13m 5s hadoop-yarn-server-nodemanager in the patch passed.
          +1 asflicense 0m 15s The patch does not generate ASF License warnings.
          23m 6s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12821242/YARN-5456.00.patch
          JIRA Issue YARN-5456
          Optional Tests asflicense compile cc mvnsite javac unit
          uname Linux c4103fd91243 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 34ccaa8
          Default Java 1.8.0_101
          cc https://builds.apache.org/job/PreCommit-YARN-Build/12583/artifact/patchprocess/diff-compile-cc-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager.txt
          Test Results https://builds.apache.org/job/PreCommit-YARN-Build/12583/testReport/
          modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager
          Console output https://builds.apache.org/job/PreCommit-YARN-Build/12583/console
          Powered by Apache Yetus 0.3.0 http://yetus.apache.org

          This message was automatically generated.

          cnauroth Chris Nauroth added a comment -

          Allen Wittenauer, thank you for the patch. I ran it on OS X, Linux and FreeBSD. I think this will be ready to go after adding error checks on the malloc call and discussing a testing obstacle I'm hitting.

          I'm running test-container-executor, and it passes everywhere except my FreeBSD VM. In target/native-results/test-container-executor.stdout, I see this:

          Testing delete_container()
          Can't chmod /tmp/test-container-executor/local-1/usercache/cnauroth to add the sticky bit - Operation not permitted
          Can't chmod /tmp/test-container-executor/local-2/usercache/cnauroth to add the sticky bit - Operation not permitted
          Can't chmod /tmp/test-container-executor/local-3/usercache/cnauroth to add the sticky bit - Operation not permitted
          Can't chmod /tmp/test-container-executor/local-4/usercache/cnauroth to add the sticky bit - Operation not permitted
          Can't chmod /tmp/test-container-executor/local-5/usercache/cnauroth to add the sticky bit - Operation not permitted
          FAIL: failed to initialize user cnauroth
          

          That error comes from this code in container-executor.c:

          int create_directory_for_user(const char* path) {
            // set 2750 permissions and group sticky bit
            mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP | S_ISGID;
          ...
                if (chmod(path, permissions) != 0) {
                  fprintf(LOGFILE, "Can't chmod %s to add the sticky bit - %s\n",
                          path, strerror(errno));
                  ret = -1;
          

          I tried testing chmod to set the setgid bit, and sure enough it fails on FreeBSD. I can set the setuid bit and the sticky bit. The problem only happens for trying to set the setgid bit when I'm a non-root user.

          > chmod 4750 /tmp/test-container-executor/local-1/usercache/cnauroth
          
          > chmod 2750 /tmp/test-container-executor/local-1/usercache/cnauroth
          chmod: /tmp/test-container-executor/local-1/usercache/cnauroth: Operation not permitted
          
          > chmod 1750 /tmp/test-container-executor/local-1/usercache/cnauroth
          

          I don't see this behavior on any other OS. I assume it's some kind of environmental configuration quirk, but I haven't been able to find any tips in documentation. Have you seen this? Does the test pass for you on FreeBSD?

          aw Allen Wittenauer added a comment -

          It fails for me too.

          My main goal was to fix the compilation errors so that ports/hadoopX still works when passed -Pnative. Fixing this particular problem will likely require a lot more work, including changing where/how we drop privs.

          [FWIW, we still need to fix MR's native task stuff to work on bits besides two platforms. I'm tempted to suggest it get pulled from the default native profile and require a custom profile because of its non-portability.]

          We should open a new JIRA to deal with the setgid bit on the BSDs.

          cnauroth Chris Nauroth added a comment -

          OK, this plan sounds fine to me. I think the only additional thing we need here is the check on the malloc call.

          aw Allen Wittenauer added a comment -

          -01:

          • fix the malloc
          • protect and/or prototype sysctl as appropriate (sysctl causes compiler error on e.g., Solaris)
          • fix getline() prototyping on FreeBSD
          • don't shortcut chown's on FreeBSD and NetBSD since group perms are inherited
          • reverse the order of the bit set and the ownership to a) remove a potential race condition and b) so that the bits can actually be set on more restrictive operating systems
          • test-container-executor now works on FreeBSD!
          • make some of the error messages more useful
          • sysctl prototyping doesn't want const's, so remove them to remove a compiler warning
          • add a test for get_executable to test-container-executor
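
Added example, not part of the JIRA thread or of the YARN-5456 patch: a C illustration of the ordering the -01 notes describe, where ownership is settled before the setgid bit is applied, done through one directory descriptor so the path is not resolved again between steps. The helper name make_setgid_dir and the /tmp location are assumptions; the 2750 mode is the one in the create_directory_for_user excerpt quoted earlier.

```c
/* Added example; not code from YARN-5456 or container-executor.c. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* rwxr-s---: the 2750 mode from the create_directory_for_user() excerpt. */
#define DIR_MODE (S_IRWXU | S_IRGRP | S_IXGRP | S_ISGID)

/*
 * Hypothetical helper: create (or reuse) path, give it to uid:gid, then
 * apply DIR_MODE. Returns 0 on success and stores the permission bits the
 * kernel actually kept in *final_mode; returns -1 on any failure.
 */
int make_setgid_dir(const char *path, uid_t uid, gid_t gid, mode_t *final_mode) {
  struct stat st;
  int ret = -1;

  /* No special bits yet: they are added only once ownership is final. */
  if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST) {
    fprintf(stderr, "Can't mkdir %s - %s\n", path, strerror(errno));
    return -1;
  }
  /* Pin the inode. O_NOFOLLOW refuses a symlink at path, and every later
     call goes through fd instead of resolving the name again. */
  int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
  if (fd < 0) {
    fprintf(stderr, "Can't open %s - %s\n", path, strerror(errno));
    return -1;
  }
  if (fchown(fd, uid, gid) != 0) {            /* 1. ownership first */
    fprintf(stderr, "Can't chown %s - %s\n", path, strerror(errno));
  } else if (fchmod(fd, DIR_MODE) != 0) {     /* 2. then the setgid bit */
    fprintf(stderr, "Can't chmod %s to add the setgid bit - %s\n",
            path, strerror(errno));
  } else if (fstat(fd, &st) != 0) {
    fprintf(stderr, "Can't stat %s - %s\n", path, strerror(errno));
  } else if ((st.st_mode & 07777) != DIR_MODE ||
             st.st_uid != uid || st.st_gid != gid) {
    /* 3. verify: a kernel may drop S_ISGID without returning an error */
    fprintf(stderr, "%s ended up %04o %ld:%ld\n", path,
            (unsigned)(st.st_mode & 07777), (long)st.st_uid, (long)st.st_gid);
  } else {
    *final_mode = st.st_mode & 07777;
    ret = 0;
  }
  close(fd);
  return ret;
}

int main(void) {
  char base[] = "/tmp/setgid-demo-XXXXXX";   /* constructed sample location */
  char path[64];
  mode_t mode = 0;

  if (mkdtemp(base) == NULL) return 1;
  snprintf(path, sizeof path, "%s/usercache", base);
  if (make_setgid_dir(path, geteuid(), getegid(), &mode) != 0) return 1;
  printf("%s mode %04o\n", path, (unsigned)mode);
  return 0;
}
```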
          hadoopqa Hadoop QA added a comment -
          +1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 24s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
          +1 mvninstall 8m 12s trunk passed
          +1 compile 0m 32s trunk passed
          +1 mvnsite 0m 34s trunk passed
          +1 mvneclipse 0m 17s trunk passed
          +1 mvninstall 0m 28s the patch passed
          +1 compile 0m 31s the patch passed
          +1 cc 0m 31s the patch passed
          +1 javac 0m 31s the patch passed
          +1 mvnsite 0m 29s the patch passed
          +1 mvneclipse 0m 12s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 unit 13m 40s hadoop-yarn-server-nodemanager in the patch passed.
          +1 asflicense 0m 17s The patch does not generate ASF License warnings.
          25m 56s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12821488/YARN-5456.01.patch
          JIRA Issue YARN-5456
          Optional Tests asflicense compile cc mvnsite javac unit
          uname Linux 6674a2ba62d8 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 9f473cf
          Default Java 1.8.0_101
          Test Results https://builds.apache.org/job/PreCommit-YARN-Build/12605/testReport/
          modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager
          Console output https://builds.apache.org/job/PreCommit-YARN-Build/12605/console
          Powered by Apache Yetus 0.3.0 http://yetus.apache.org

          This message was automatically generated.

          cnauroth Chris Nauroth added a comment -

          Allen Wittenauer, patch 01 looks good. I verified this on OS X, Linux and FreeBSD. It's cool to see the test passing on FreeBSD this time around! My only other suggestion is to try deploying this change in a secured cluster for a bit of manual testing before we commit.

          aw Allen Wittenauer added a comment -

          I have a Kerberized Ubuntu/x86 VM that I generally use for testing things. Popped trunk+this patch onto it. Looks like things are working the way they are supposed to.

          Ran a simple sleep streaming job and ended up with the following dirs in the nm-local-dir:

          root@ku:/tmp/hadoop-yarn/nm-local-dir# find . -user aw -type d -ls
            9367    4 drwxr-s---   4 aw       yarn         4096 Aug  2 16:08 ./usercache/aw
            9368    4 drwxr-s---   3 aw       yarn         4096 Aug  2 16:08 ./usercache/aw/appcache
            9370    4 drwxr-s---   7 aw       yarn         4096 Aug  2 16:08 ./usercache/aw/appcache/application_1470179247859_0001
          

          After job finished, directories disappeared as expected.

          cnauroth Chris Nauroth added a comment -

          Allen Wittenauer, thank you for the additional testing. +1 for patch 01. I have committed this to trunk.

          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-trunk-Commit #10198 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10198/)
          YARN-5456. container-executor support for FreeBSD, NetBSD, and others if (cnauroth: rev b913677365ad77ca7daa5741c04c14df1a0313cd)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/configuration.h
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/get_executable.c
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/CMakeLists.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/config.h.cmake
          aw Allen Wittenauer added a comment -

          Thanks!


            People

            • Assignee:
              aw Allen Wittenauer
              Reporter:
              aw Allen Wittenauer