diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 2bc233065e5..cd7cb8d022e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -1605,7 +1605,8 @@ This configuration setting determines the capabilities assigned to docker containers when they are launched. While these may not be case-sensitive from a docker perspective, it is best to keep these
- uppercase.
+ uppercase. To run without any capabilites, set this value to
+ "none"
yarn.nodemanager.runtime.linux.docker.capabilities CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
index c7bf827f545..b270dbb138f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
@@ -87,12 +87,18 @@ public DockerRunCommand setPrivileged() {
return this;
}
- public DockerRunCommand setCapabilities(Set capabilties) {
+ public DockerRunCommand setCapabilities(Set capabilities) {
//first, drop all capabilities
super.addCommandArguments("cap-drop", "ALL");
+ //the "none" keyword anywhere in the set overrides
+ //all other capabilities
+ if(capabilities.contains("none")) {
+ return this;
+ }
+
//now, add the capabilities supplied
- for (String capability : capabilties) {
+ for (String capability : capabilities) {
super.addCommandArguments("cap-add", capability);
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
index e51d7ecc7c5..4f0c7993781 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
@@ -21,9 +21,13 @@
import org.junit.Test;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
/**
* Tests the docker run command and its command
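Review bot: The `none` sentinel is matched with a case-sensitive `capabilities.contains("none")` on the added `if` line, while the yarn-default.xml description edited in this same commit tells administrators to keep the property uppercase, so an operator who writes `NONE` (or `none` with surrounding whitespace, if the configuration reader does not trim entries — not visible here) falls through to the loop and gets `--cap-add NONE` handed to docker instead of a container with no capabilities. Because `cap-drop ALL` is issued before the check, the failure mode is a mis-provisioned or rejected container rather than extra privilege, but the operator's explicit request for zero capabilities is still silently lost. Normalise before comparing, e.g. replace the condition with `for (String c : capabilities) { if ("none".equalsIgnoreCase(c.trim())) { return this; } }`, or at minimum make the contract explicit in the added comment: `//the literal lowercase "none" anywhere in the set overrides all other capabilities`. The remaining entries are passed to `--cap-add` without any validation here, so whatever allow-listing applies presumably lives in the caller or in the native executor; that is outside this hunk, as is the trailing `return this;` of setCapabilities.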
@@ -77,4 +81,36 @@ public void testCommandArguments() {
.get("launch-command")));
assertEquals(7, dockerRunCommand.getDockerCommandWithArguments().size());
}
+
+ @Test
+ public void testDockerCapabilities() {
+ String[] caps = new String[3];
+
+ //none keyword at start, should result in no capabilities
+ caps[0] = "none";
+ caps[1] = "CHOWN";
+ caps[2] = "DAC_OVERRIDE";
+ Set capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+
+ //none keyword at end, should result in no capabilities
+ caps[0] = "CHOWN";
+ caps[1] = "DAC_OVERRIDE";
+ caps[2] = "none";
+ capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+
+ //no none keyword, should result in the specified capabilities
+ caps[0] = "CHOWN";
+ caps[1] = "DAC_OVERRIDE";
+ caps[2] = "";
+ capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertNotEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+ }
}
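Review bot: The third case seeds the set with an empty string `""` and then only asserts that `cap-add` is non-null, so it neither verifies that `CHOWN` and `DAC_OVERRIDE` were actually emitted nor notices that the empty entry is passed through as a `cap-add` argument with no capability name; pinning the contents — compared as a set, since `HashSet` iteration order is not guaranteed — would catch both, e.g. `assertEquals(new HashSet<>(Arrays.asList("CHOWN", "DAC_OVERRIDE", "")), new HashSet<>(dockerRunCommand.getDockerCommandWithArguments().get("cap-add")))`, adjusted to whatever value type that accessor returns (the `.get("launch-command")` and `.size()` calls above suggest a map). None of the three cases asserts that `cap-drop` `ALL` was added, which is the security-relevant half of what the production change relies on; a single `assertEquals(Arrays.asList("ALL"), ...get("cap-drop"))`-style check after the first call would cover it. The same `dockerRunCommand` fixture is reused across all three `setCapabilities` calls with no reset, so if `addCommandArguments` appends rather than replaces, arguments from one case leak into the next and only the chosen ordering keeps the `null` assertions true. `assertNull(...)` reads better than `assertEquals(null, ...)`.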