diff --git hadoop-common-project/hadoop-common/src/main/winutils/service.c hadoop-common-project/hadoop-common/src/main/winutils/service.c
index b90203f..f70d7a5 100644
--- hadoop-common-project/hadoop-common/src/main/winutils/service.c
+++ hadoop-common-project/hadoop-common/src/main/winutils/service.c
@@ -29,7 +29,8 @@
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "authz.lib")
-LPCWSTR NM_WSCE_ALLOWED = L"yarn.nodemanager.windows-secure-container-executor.allowed";
+LPCWSTR NM_WSCE_ALLOWED = L"yarn.nodemanager.windows-secure-container-executor.allowed";
+LPCWSTR NM_WSCE_JOB_NAME = L"yarn.nodemanager.windows-secure-container-executor.job-name";
LPCWSTR NM_WSCE_LOCAL_DIRS = L"yarn.nodemanager.windows-secure-container-executor.local-dirs";
#define SERVICE_ACCESS_MASK 0x00000001
@@ -43,7 +44,8 @@ BOOL isListenning = FALSE;
PSECURITY_DESCRIPTOR pAllowedSD = NULL;
LPWSTR* gLocalDirs = NULL;
size_t gLocalDirsCount = 0;
-int* gCchLocalDir = NULL;
+int* gCchLocalDir = NULL;
+LPCWSTR gJobName = NULL;
VOID SvcError(DWORD dwError);
VOID WINAPI SvcMain(DWORD dwArg, LPTSTR* lpszArgv);
@@ -310,6 +312,35 @@ done:
}
//----------------------------------------------------------------------------
+// Function: InitJobName
+//
+// Description:
+// Loads the job name to be used for created processes
+//
+DWORD InitJobName() {
+ DWORD dwError = ERROR_SUCCESS;
+ size_t len = 0;
+ LPCWSTR value = NULL;
+ int crt = 0;
+
+ // Services can be restarted
+ if (gJobName) LocalFree(gJobName);
+ gJobName = NULL;
+
+ dwError = GetConfigValue(
+ wsceConfigRelativePath,
+ NM_WSCE_JOB_NAME, &len, &value);
+ CHECK_SVC_STATUS_DONE(dwError, L"GetConfigValue");
+
+ if (len) {
+ gJobName = value;
+ }
+done:
+ return dwError;
+}
+
+
+//----------------------------------------------------------------------------
// Function: InitLocalDirs
//
// Description:
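Review bot: InitJobName declares `int crt = 0;` and never uses it, and `DWORD InitJobName() {` is an old-style unprototyped declaration in C; drop the local and write `DWORD InitJobName(void) {`. `LocalFree(gJobName)` also passes an `LPCWSTR` where an `HLOCAL` is expected, which discards the `const` qualifier; if the buffer really is LocalAlloc-owned, make the ownership explicit with `if (gJobName) LocalFree((HLOCAL)gJobName);` and document on the function that gJobName takes ownership of the `value` buffer returned by GetConfigValue. One thing to confirm against GetConfigValue: when it succeeds with `len == 0` but still hands back a non-NULL `value`, the `if (len)` branch drops that buffer without freeing it.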
@@ -560,7 +591,14 @@ DWORD SvcInit() {
LogDebugMessage(L"InitLocalDirs failed: %d", dwError);
SvcError(dwError);
goto done;
- }
+ }
+
+ dwError = InitJobName();
+ if (ERROR_SUCCESS != dwError) {
+ LogDebugMessage(L"InitJobName failed: %d", dwError);
+ SvcError(dwError);
+ goto done;
+ }
// Report running status when initialization is complete.
ReportSvcStatus( SERVICE_RUNNING, NO_ERROR, 0 );
@@ -937,7 +975,8 @@ error_status_t WinutilsCreateProcessAsUser(
hDuplicateStdIn = INVALID_HANDLE_VALUE,
hDuplicateStdOut = INVALID_HANDLE_VALUE,
hDuplicateStdErr = INVALID_HANDLE_VALUE,
- hSelfProcess = INVALID_HANDLE_VALUE;
+ hSelfProcess = INVALID_HANDLE_VALUE,
+ hJob = INVALID_HANDLE_VALUE;
BOOL fMustCleanupProcess = FALSE;
HRESULT hr;
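Review bot: hJob is initialised to INVALID_HANDLE_VALUE here, but OpenJobObject returns NULL on failure and the cleanup added in the last hunk tests `if (hJob) CloseHandle(hJob);`, so every call with gJobName unset reaches CloseHandle(INVALID_HANDLE_VALUE) (an invalid-handle error, and an exception under a debugger). The function mixes two sentinels for one handle: the assignment hunk tests `if (INVALID_HANDLE_VALUE != hJob)` while the open and cleanup hunks test for NULL. Use NULL throughout, matching OpenJobObject's contract: `hJob = NULL;` in this declaration list and `if (hJob) {` in place of the INVALID_HANDLE_VALUE comparison before AssignProcessToJobObject. WinutilsCreateProcessAsUser begins before this hunk and its cleanup label is in the final hunk of this file.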
@@ -952,6 +991,18 @@ error_status_t WinutilsCreateProcessAsUser(
pi.hThread = INVALID_HANDLE_VALUE;
ZeroMemory( &saTaskStdInOutErr, sizeof(saTaskStdInOutErr));
+
+ if (gJobName) {
+ hJob = OpenJobObject(JOB_OBJECT_ASSIGN_PROCESS, FALSE, gJobName);
+ if (!hJob) {
+ dwError = GetLastError();
+ ReportSvcCheckError(EVENTLOG_ERROR_TYPE, SERVICE_CATEGORY,
+ dwError, L"OpenJobObject");
+ goto done;
+ }
+ }
+
+
// NB: GetCurrentProcess returns a pseudo-handle that just so happens
// has the value -1, ie. INVALID_HANDLE_VALUE. It cannot fail.
//
@@ -960,6 +1011,8 @@ error_status_t WinutilsCreateProcessAsUser(
hNmProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, nmPid);
if (NULL == hNmProcess) {
dwError = GetLastError();
+ ReportSvcCheckError(EVENTLOG_ERROR_TYPE, SERVICE_CATEGORY,
+ dwError, L"OpenProcess");
goto done;
}
@@ -1053,6 +1106,13 @@ error_status_t WinutilsCreateProcessAsUser(
LogDebugMessage(L"CreateProcess: pid:%x\n", pi.dwProcessId);
+ if (INVALID_HANDLE_VALUE != hJob) {
+ if (!AssignProcessToJobObject(hJob, pi.hProcess)) {
+ dwError = GetLastError();
+ goto done;
+ }
+ }
+
// Grant full access to the container user on the 'winutils task createAsUser ...' helper process
dwError = AddNodeManagerAndUserACEsToObject(pi.hProcess, request->user, PROCESS_ALL_ACCESS);
if (dwError) {
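Review bot: The AssignProcessToJobObject failure path records dwError and jumps to done without reporting, unlike the OpenJobObject path in the earlier hunk which logs through ReportSvcCheckError; add `ReportSvcCheckError(EVENTLOG_ERROR_TYPE, SERVICE_CATEGORY, dwError, L"AssignProcessToJobObject");` before the `goto done;` so an operator can tell why a container launch failed. At this point the child process already exists, so two things are worth confirming outside the hunk: that the done path terminates the created process on this failure (presumably via fMustCleanupProcess, which is declared but not used within the visible lines), and that the process is created suspended and resumed only after the assignment, since a running child could otherwise spawn descendants before it joins the NodeManager job and those would fall outside the job's lifetime control. The containing function starts and ends outside this hunk.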
@@ -1153,6 +1213,8 @@ done:
if (INVALID_HANDLE_VALUE != pi.hThread) CloseHandle(pi.hThread);
if (INVALID_HANDLE_VALUE != pi.hProcess) CloseHandle(pi.hProcess);
+ if (hJob) CloseHandle(hJob);
+
return dwError;
}
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm
index b44c2b9..722870c 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm
@@ -133,7 +133,11 @@ min.user.id=1000#Prevent other super-users
yarn.nodemanager.windows-secure-container-executor.local-dirs
nm-local-dir, nm-log-dirs
-
+
+
+ yarn.nodemanager.windows-secure-container-executor.job-name
+ nodemanager-job-name
+
+---+
<<>> should contain the name of the service account running the
@@ -150,11 +154,23 @@ min.user.id=1000#Prevent other super-users
but note that hadoopwinutilsvc XML configuration processing does not do substitutions so the value must be the final value. All paths
must be absolute and no environment variable substitution will be performed. The paths are compared LOCAL_INVARIANT case insensitive string comparison,
the file path validated must start with one of the paths listed in local-dirs configuration. Use comma as path separator:<<<,>>>
+
+ <<>> should contain an Windows NT job name that all containers should be added to.
+ This configuration is optional. If not set, the container is not added to a global NodeManager job. Normally this should be set to the job that the NM is assigned to,
+ so that killing the NM kills also all containers. Hadoopwinutilsvc will not attempt to create this job, the job must exists when the container is launched.
+ If the value is set and the job does not exists, container launch will fail with error 2 <<>>.
+ Note that this global NM job is not related to the container job, which always gets created for each container and is named after the container ID.
+ This setting controls a global job that spans all containers and the parent NM, and as such it requires nested jobs.
+ Nested jobs are available only post Windows 8 and Windows Server 2012.
*** Useful Links
* {{{http://msdn.microsoft.com/en-us/magazine/cc188757.aspx}Exploring S4U Kerberos Extensions in Windows Server 2003}}
+ * {{{http://msdn.microsoft.com/en-us/library/windows/desktop/hh448388(v=vs.85).aspx}Nested Jobs}}
+
* {{{https://issues.apache.org/jira/browse/YARN-1063}Winutils needs ability to create task as domain user}}
* {{{https://issues.apache.org/jira/browse/YARN-1972}Implement secure Windows Container Executor}}
+
+ * {{{https://issues.apache.org/jira/browse/YARN-2198}Remove the need to run NodeManager as privileged account for Windows Secure Container Executor}}
\ No newline at end of file