diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 71a7134..17f710f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -1439,6 +1439,18 @@ public static boolean isAclEnabled(Configuration conf) { /** Prefix for runtime configuration constants. */ public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX + "runtime.linux."; + + /** + * Comma separated list of runtimes that are allowed when using + * LinuxContainerExecutor. + */ + public static final String LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES = + LINUX_CONTAINER_RUNTIME_PREFIX + "allowed-runtimes"; + + /** The default list of allowed runtimes when using LinuxContainerExecutor. */ + public static final String[] DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + = { "DefaultLinuxContainerRuntime" }; + public static final String DOCKER_CONTAINER_RUNTIME_PREFIX = LINUX_CONTAINER_RUNTIME_PREFIX + "docker."; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 95b8a88..68b1b99 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml 
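Review bot: `DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES` is declared `public static final String[]`, so only the reference is final and any code in the NodeManager JVM can overwrite its elements in place. This array is the fallback for a policy control, so it should not be exposed as mutable state. If the array type has to stay for `Configuration.getTrimmedStrings`, add a comment such as `// Do not modify: default allow-list of LinuxContainerExecutor runtimes`. The Javadoc on `LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES` should also say that entries are runtime class simple names, which is how `isRuntimeAllowed` matches them later in this commit.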
@@ -1581,6 +1581,13 @@ + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. + yarn.nodemanager.runtime.linux.allowed-runtimes + DefaultLinuxContainerRuntime + + + This configuration setting determines the capabilities assigned to docker containers when they are launched. While these may not be case-sensitive from a docker perspective, it is best to keep these diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java index 0581878..57ab19c 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java @@ -51,6 +51,7 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerPrepareContext; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext; 
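Review bot: The description for `yarn.nodemanager.runtime.linux.allowed-runtimes` names neither the accepted values nor what happens to a request for a runtime that is not listed. With the default of `DefaultLinuxContainerRuntime`, a cluster that already uses Docker or the Java sandbox will have those requests rejected until the runtime is added here. I would extend the description to list the three names this commit recognises (`DefaultLinuxContainerRuntime`, `DockerLinuxContainerRuntime`, `JavaSandboxLinuxContainerRuntime`). It should also state that entries are matched exactly and that unlisted runtimes are refused.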
@@ -659,7 +660,8 @@ public void activateContainer(ContainerId containerId, Path pidFilePath) { } // LinuxContainerExecutor overrides this method and behaves differently. - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return getLocalIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java index b3e13b4..3e03dc6 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java @@ -625,7 +625,8 @@ private ContainerRuntimeContext buildContainerRuntimeContext( } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return linuxContainerRuntime.getIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java index 90b13a2..675a08a 100644 
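Review bot: `ContainerExecutor.getIpAndHost` is public, and adding a checked `ContainerExecutionException` to its signature is source-incompatible for any caller outside this diff; the same applies to the override in the LinuxContainerExecutor hunk that follows. Neither method documents when the exception is thrown. I would add Javadoc with `@throws ContainerExecutionException if the runtime cannot be resolved, including when the requested runtime is not in the allowed list`, so callers know a failure here may be a policy rejection rather than a lookup error.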
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java @@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; +import com.google.common.annotations.VisibleForTesting; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.classification.InterfaceAudience; @@ -31,8 +32,13 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime; import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext; +import java.util.Arrays; +import java.util.List; import java.util.Map; +import static org.apache.hadoop.yarn.conf.YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES; +import static org.apache.hadoop.yarn.conf.YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES; + /** * This class is a {@link ContainerRuntime} implementation that delegates all * operations to a {@link DefaultLinuxContainerRuntime} instance, a 
@@ -50,25 +56,35 @@ private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime; private DockerLinuxContainerRuntime dockerLinuxContainerRuntime; private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime; + private List allowedRuntimes; @Override public void initialize(Configuration conf) throws ContainerExecutionException { + allowedRuntimes = Arrays.asList( + conf.getTrimmedStrings(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES)); PrivilegedOperationExecutor privilegedOperationExecutor = PrivilegedOperationExecutor.getInstance(conf); defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( privilegedOperationExecutor); - defaultLinuxContainerRuntime.initialize(conf); + if (isRuntimeAllowed(defaultLinuxContainerRuntime)) { + defaultLinuxContainerRuntime.initialize(conf); + } dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( privilegedOperationExecutor); - dockerLinuxContainerRuntime.initialize(conf); + if (isRuntimeAllowed(dockerLinuxContainerRuntime)) { + dockerLinuxContainerRuntime.initialize(conf); + } javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime( privilegedOperationExecutor); - javaSandboxLinuxContainerRuntime.initialize(conf); + if (isRuntimeAllowed(javaSandboxLinuxContainerRuntime)) { + javaSandboxLinuxContainerRuntime.initialize(conf); + } } private LinuxContainerRuntime pickContainerRuntime( - Map environment){ + Map environment) throws ContainerExecutionException { LinuxContainerRuntime runtime; //Sandbox checked first to ensure DockerRuntime doesn't circumvent controls if (javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){ 
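Review bot: `initialize()` takes the configured names as they come, so a misspelt or wrongly cased entry is silently ignored and only shows up later as "Requested runtime is not allowed" on individual containers. A value that yields an empty list would, as far as I can tell, make every launch fail the same way. I would validate the list once at startup and fail fast, as sketched below. Separately, `pickContainerRuntime` still calls `javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()` on an instance that this hunk may now leave uninitialized. Whether that call is safe on an uninitialized instance is not visible here and should be confirmed or guarded with `isRuntimeAllowed`.

```java
    // … unchanged: allowedRuntimes = Arrays.asList(conf.getTrimmedStrings(...)) …
    List<String> knownRuntimes = Arrays.asList(
        DefaultLinuxContainerRuntime.class.getSimpleName(),
        DockerLinuxContainerRuntime.class.getSimpleName(),
        JavaSandboxLinuxContainerRuntime.class.getSimpleName());
    if (allowedRuntimes.isEmpty()) {
      throw new ContainerExecutionException("No runtimes listed in "
          + LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES);
    }
    for (Object name : allowedRuntimes) {
      if (!knownRuntimes.contains(name)) {
        throw new ContainerExecutionException("Unknown runtime in "
            + LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + ": " + name);
      }
    }
    // … unchanged: runtime construction and guarded initialize() calls …
```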
@@ -80,6 +96,11 @@ private LinuxContainerRuntime pickContainerRuntime( runtime = defaultLinuxContainerRuntime; } + if (!isRuntimeAllowed(runtime)) { + throw new ContainerExecutionException("Requested runtime is not allowed: " + + runtime.getClass().getSimpleName()); + } + if (LOG.isDebugEnabled()) { LOG.debug("Using container runtime: " + runtime.getClass() .getSimpleName()); @@ -88,7 +109,8 @@ private LinuxContainerRuntime pickContainerRuntime( return runtime; } - private LinuxContainerRuntime pickContainerRuntime(Container container) { + private LinuxContainerRuntime pickContainerRuntime(Container container) + throws ContainerExecutionException { return pickContainerRuntime(container.getLaunchContext().getEnvironment()); } @@ -127,8 +149,14 @@ public void reapContainer(ContainerRuntimeContext ctx) } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { LinuxContainerRuntime runtime = pickContainerRuntime(container); return runtime.getIpAndHost(container); } + + @VisibleForTesting + protected boolean isRuntimeAllowed(LinuxContainerRuntime runtime) { + return allowedRuntimes.contains(runtime.getClass().getSimpleName()); + } } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java index 6ee60bd..a491e7e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java 
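Review bot: The rejection added to `pickContainerRuntime` throws without logging, and the debug line that names the chosen runtime sits after the throw, so it is never reached on the rejected path. A request for a runtime the administrator has disallowed is worth recording unless a caller outside this diff already logs it, e.g. `LOG.warn("Rejected disallowed container runtime: " + runtime.getClass().getSimpleName());` before the throw. The method receives only the environment map, so a container id would have to be added by the caller. The method body starts and ends outside this hunk.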
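Review bot: `isRuntimeAllowed` compares `runtime.getClass().getSimpleName()` with the configured strings, so a subclass or test double of an allowed runtime is treated as disallowed. Two classes with the same simple name in different packages cannot be told apart either. It also dereferences `allowedRuntimes` unguarded, so a call before `initialize()` ends in a NullPointerException. I would document this on the method with `/** Matches the runtime's simple class name exactly (case-sensitive); only valid after initialize(). */`, or key the policy on fixed identifiers instead of class names.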
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java @@ -38,6 +38,7 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerKillEvent; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.util.ResourceCalculatorPlugin; @@ -502,7 +503,8 @@ public void run() { * @param entry process tree entry to fill in */ private void initializeProcessTrees( - Entry entry) { + Entry entry) + throws ContainerExecutionException { ContainerId containerId = entry.getKey(); ProcessTreeInfo ptInfo = entry.getValue(); String pId = ptInfo.getPID(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java index b15690f..7caa0ed 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java 
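Review bot: `initializeProcessTrees` now declares `ContainerExecutionException`, but the hunk does not show how its caller in `run()` handles it. If the exception can leave the monitoring loop, one container whose runtime lookup fails could stop resource monitoring for every other container on the node. The call site should catch it per container, log it, and continue with the next entry. The Javadoc whose tail is visible above the signature also needs a `@throws ContainerExecutionException` line; the method body continues outside the hunk.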
@@ -77,6 +77,10 @@ void reapContainer(ContainerRuntimeContext ctx) /** * Return the host and ip of the container + * + * @param container the {@link Container} + * @throws ContainerExecutionException if an error occurs while getting the ip + * and hostname */ - String[] getIpAndHost(Container container); + String[] getIpAndHost(Container container) throws ContainerExecutionException; } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java new file mode 100644 index 0000000..cf08cb6 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java 
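Review bot: The Javadoc added to `getIpAndHost` documents the parameter and the exception but has no `@return`. The summary says "host and ip" while the method is named `getIpAndHost`, so the order of the two array elements is left to guesswork. I would add an `@return` line that fixes which index holds the IP and which the host name. It would also help to extend `@throws` to say the exception is raised when the requested runtime is not allowed, since that is the new failure mode this commit introduces.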
@@ -0,0 +1,122 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor; +import org.junit.Before; +import org.junit.Test; + +import static org.apache.hadoop.yarn.conf.YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES; +import static org.junit.Assert.*; + +/** + * Test container runtime delegation. 
+ */ +public class TestDelegatingLinuxContainerRuntime { + + private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime; + private DockerLinuxContainerRuntime dockerLinuxContainerRuntime; + private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime; + private Configuration conf = new Configuration(); + + @Before + public void setUp() throws Exception { + PrivilegedOperationExecutor privilegedOperationExecutor = + PrivilegedOperationExecutor.getInstance(conf); + // Default Runtime + defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( + privilegedOperationExecutor); + defaultLinuxContainerRuntime.initialize(conf); + // Docker Runtime + dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( + privilegedOperationExecutor); + dockerLinuxContainerRuntime.initialize(conf); + // Java Sandbox Runtime + javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime( + privilegedOperationExecutor); + javaSandboxLinuxContainerRuntime.initialize(conf); + } + + @Test + public void testIsRuntimeAllowedDefault() throws Exception { + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + defaultLinuxContainerRuntime)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + dockerLinuxContainerRuntime)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + javaSandboxLinuxContainerRuntime)); + } + + @Test + public void testIsRuntimeAllowedDocker() throws Exception { + conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "DockerLinuxContainerRuntime"); + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + dockerLinuxContainerRuntime)); + } + + @Test + public void 
testIsRuntimeAllowedJavaSandbox() throws Exception { + conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "JavaSandboxLinuxContainerRuntime"); + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + javaSandboxLinuxContainerRuntime)); + } + + @Test + public void testIsRuntimeAllowedNotDefault() throws Exception { + conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "DockerLinuxContainerRuntime,JavaSandboxLinuxContainerRuntime"); + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + defaultLinuxContainerRuntime)); + } + + @Test + public void testIsRuntimeAllowedNotDocker() throws Exception { + conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "DefaultLinuxContainerRuntime,JavaSandboxLinuxContainerRuntime"); + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + dockerLinuxContainerRuntime)); + } + + @Test + public void testIsRuntimeAllowedNotJavaSandbox() throws Exception { + conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "DefaultLinuxContainerRuntime,DockerLinuxContainerRuntime"); + DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime = + new DelegatingLinuxContainerRuntime(); + delegatingLinuxContainerRuntime.initialize(conf); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + javaSandboxLinuxContainerRuntime)); + } +} \ No newline at end of file 
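Review bot: Every test in this class calls `isRuntimeAllowed` directly, so the enforcement in `pickContainerRuntime` is never exercised. No test drives a request for a disallowed runtime through `getIpAndHost` (or another delegating method) and asserts that `ContainerExecutionException` is thrown. I would add at least one such case, plus cases for whitespace around entries, an unknown name and an empty value. `setUp` also initializes the Docker and sandbox runtimes against a default `Configuration`; it is worth confirming this needs nothing from the host, so the test does not depend on the build machine.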
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md index 4de0a6a..2e56d81 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md 
@@ -71,68 +71,82 @@ request. For example: The following properties should be set in yarn-site.xml: ```xml - - yarn.nodemanager.container-executor.class - org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor - - This is the container executor setting that ensures that all applications - are started with the LinuxContainerExecutor. - - - - - yarn.nodemanager.linux-container-executor.group - hadoop - - The POSIX group of the NodeManager. It should match the setting in - "container-executor.cfg". This configuration is required for validating - the secure access of the container-executor binary. - - - - - yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users - false - - Whether all applications should be run as the NodeManager process' owner. - When false, applications are launched instead as the application owner. - - - - - yarn.nodemanager.runtime.linux.docker.allowed-container-networks - host,none,bridge - - Optional. A comma-separated set of networks allowed when launching - containers. Valid values are determined by Docker networks available from - `docker network ls` - - - - - The network used when launching Docker containers when no - network is specified in the request. This network must be one of the - (configurable) set of allowed container networks. - yarn.nodemanager.runtime.linux.docker.default-container-network - host - - - - yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed - false - - Optional. Whether applications are allowed to run in privileged containers. - - - - - yarn.nodemanager.runtime.linux.docker.privileged-containers.acl - - - Optional. A comma-separated list of users who are allowed to request - privileged contains if privileged containers are allowed. - - + + + yarn.nodemanager.container-executor.class + org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor + + This is the container executor setting that ensures that all applications + are started with the LinuxContainerExecutor. 
+ + + + + yarn.nodemanager.linux-container-executor.group + hadoop + + The POSIX group of the NodeManager. It should match the setting in + "container-executor.cfg". This configuration is required for validating + the secure access of the container-executor binary. + + + + + yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users + false + + Whether all applications should be run as the NodeManager process' owner. + When false, applications are launched instead as the application owner. + + + + + yarn.nodemanager.runtime.linux.allowed-runtimes + DefaultLinuxContainerRuntime,DockerLinuxContainerRuntime + + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. + + + + + yarn.nodemanager.runtime.linux.docker.allowed-container-networks + host,none,bridge + + Optional. A comma-separated set of networks allowed when launching + containers. Valid values are determined by Docker networks available from + `docker network ls` + + + + + yarn.nodemanager.runtime.linux.docker.default-container-network + host + + The network used when launching Docker containers when no + network is specified in the request. This network must be one of the + (configurable) set of allowed container networks. + + + + + yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed + false + + Optional. Whether applications are allowed to run in privileged + containers. + + + + + yarn.nodemanager.runtime.linux.docker.privileged-containers.acl + + + Optional. A comma-separated list of users who are allowed to request + privileged contains if privileged containers are allowed. + + + ``` In addition, a container-executer.cfg file must exist and contain settings for