diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index fa4d2e3..c6dcd52 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -1449,6 +1449,13 @@ public static boolean isAclEnabled(Configuration conf) {
 public static final boolean DEFAULT_NM_DOCKER_ALLOW_PRIVILEGED_CONTAINERS = false;
+ /** disable user remapping. */
+ public static final String NM_DOCKER_DISABLE_USERREMAPPING =
+ DOCKER_CONTAINER_RUNTIME_PREFIX + "disable-userremapping.allowed";
+
+ /** Set disable user remapping as false by default */
+ public static final boolean DEFAULT_NM_DOCKER_DISABLE_USERREMAPPING = false;
+
 /** ACL list for users allowed to run privileged containers. */
 public static final String NM_DOCKER_PRIVILEGED_CONTAINERS_ACL =
 DOCKER_CONTAINER_RUNTIME_PREFIX + "privileged-containers.acl";
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index b70a4e1..5417752 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
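Review bot: The new property key `disable-userremapping.allowed` reads as an admin permission gate, but the initialize hunk in DockerLinuxContainerRuntime consumes it as a plain on/off switch that rewrites the run-as identity for every container on the node; either drop the `.allowed` suffix or make it a real allow-gate for a per-container request. The Javadoc on both constants should say what the switch does rather than restate the default, e.g. `/** When true, the NodeManager resolves the run-as user to numeric ids before launching the container instead of passing the user name. */` on the key and `/** Default for NM_DOCKER_DISABLE_USERREMAPPING: remapping stays enabled. */` on the default. The property also deserves an entry in yarn-default.xml, which this patch does not touch as far as these hunks show.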
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
@@ -143,6 +144,9 @@ public static final String ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER =
 "YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER";
 @InterfaceAudience.Private
+ public static final String ENV_DOCKER_CONTAINER_RUN_DISABLE_USERREMAPPING =
+ "YARN_CONTAINER_RUNTIME_DOCKER_RUN_DISABLE_USERREMAPPING";
+ @InterfaceAudience.Private
 public static final String ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS =
 "YARN_CONTAINER_RUNTIME_DOCKER_LOCAL_RESOURCE_MOUNTS";
@@ -155,6 +159,7 @@ private String defaultNetwork;
 private CGroupsHandler cGroupsHandler;
 private AccessControlList privilegedContainersAcl;
+ private boolean disableUserReMapping;
 /**
 * Return whether the given environment variables indicate that the operation
@@ -238,6 +243,10 @@ public void initialize(Configuration conf)
 throw new ContainerExecutionException(message);
 }
+ disableUserReMapping = conf.getBoolean(
+ YarnConfiguration.NM_DOCKER_DISABLE_USERREMAPPING,
+ YarnConfiguration.DEFAULT_NM_DOCKER_DISABLE_USERREMAPPING);
+
 privilegedContainersAcl = new AccessControlList(conf.getTrimmed(
 YarnConfiguration.NM_DOCKER_PRIVILEGED_CONTAINERS_ACL,
 YarnConfiguration.DEFAULT_NM_DOCKER_PRIVILEGED_CONTAINERS_ACL));
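Review bot: `ENV_DOCKER_CONTAINER_RUN_DISABLE_USERREMAPPING` is declared in the @@ -143 hunk but no hunk in this patch reads it; the launch path keys only on the `disableUserReMapping` field loaded from the NM configuration in the @@ -238 hunk. If a per-container environment override is intended, it changes the identity the container runs as and should be admission-checked the way privileged containers are checked against `privilegedContainersAcl`, not honoured unconditionally; if it is not intended, remove the constant so it does not advertise a knob that does nothing. The field name `disableUserReMapping` also differs in casing from the `USERREMAPPING` constants; `disableUserRemapping` would match.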
@@ -398,6 +407,19 @@ protected String validateMount(String mount,
 "resource: " + mount);
 }
+ private String getUserIdInfo(String userName, String parameter) {
+ String id = "";
+ Shell.ShellCommandExecutor shexec = new ShellCommandExecutor(
+ new String[]{"id", parameter, userName});
+ try {
+ sshexec.execute();
+ id = shexec.getOutput().replaceAll("[^0-9]", "");
+ } catch (Exception e) {
+ LOG.warn("Could not run id command: " + e);
+ }
+ return id;
+ }
+
 @Override
 public void launchContainer(ContainerRuntimeContext ctx)
 throws ContainerExecutionException {
@@ -421,6 +443,12 @@ public void launchContainer(ContainerRuntimeContext ctx)
 String containerIdStr = container.getContainerId().toString();
 String runAsUser = ctx.getExecutionAttribute(RUN_AS_USER);
 Path containerWorkDir = ctx.getExecutionAttribute(CONTAINER_WORK_DIR);
+
+ if (disableUserReMapping) {
+ runAsUser = getUserIdInfo(runAsUser, "-u") +
+ getUserIdInfo(runAsUser, "-g");
+ }
+
 //List -> stored as List -> fetched/converted to List
 //we can't do better here thanks to type-erasure
 @SuppressWarnings("unchecked")
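Review bot: `sshexec.execute()` in getUserIdInfo references a name that is never declared (the executor is `shexec`), so the new method does not compile, and `new ShellCommandExecutor(...)` is unqualified although the only import this patch adds is `org.apache.hadoop.util.Shell`, so it presumably needs `Shell.ShellCommandExecutor` unless a static import exists outside these hunks. The more serious problem is that failure is swallowed: on any exception the method logs a warning and returns `""`, and the launchContainer hunk then uses that value as the identity the container runs as, so a broken `id` binary or an unknown user silently produces a wrong or empty run-as identity instead of aborting the launch. `replaceAll("[^0-9]", "")` compounds this by turning any unexpected output into a number. The method should fail closed by throwing `ContainerExecutionException`, which launchContainer already declares, and accept only bare digits; catching `IOException` rather than `Exception` may need an import if the file lacks one.
```java
  private String getUserIdInfo(String userName, String parameter)
      throws ContainerExecutionException {
    Shell.ShellCommandExecutor shexec = new Shell.ShellCommandExecutor(
        new String[]{"id", parameter, userName});
    try {
      shexec.execute();
    } catch (IOException e) {
      throw new ContainerExecutionException(
          "Could not run id " + parameter + " for " + userName + ": " + e);
    }
    // Accept only a bare numeric id; anything else is unexpected output.
    String id = shexec.getOutput().trim();
    if (!id.matches("[0-9]+")) {
      throw new ContainerExecutionException(
          "Unexpected output from id " + parameter + " " + userName + ": " + id);
    }
    return id;
  }
```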
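Review bot: In the launchContainer hunk the uid and gid are concatenated with no separator, so uid 1001 and gid 1001 become the single string `10011001`, which denotes a different numeric identity rather than a uid:gid pair; the line should read `runAsUser = getUserIdInfo(runAsUser, "-u") + ":" + getUserIdInfo(runAsUser, "-g");`. If getUserIdInfo keeps its empty-string fallback, the result must also be checked for emptiness here before it replaces `runAsUser`, otherwise the container is launched with a partial or empty identity. launchContainer's body continues outside the hunk, so how `runAsUser` is consumed afterwards is not visible here.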