diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 2bc233065e5..cd7cb8d022e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -1605,7 +1605,8 @@
This configuration setting determines the capabilities
assigned to docker containers when they are launched. While these may not
be case-sensitive from a docker perspective, it is best to keep these
- uppercase.
+ uppercase. To run without any capabilites, set this value to
+ "none"
yarn.nodemanager.runtime.linux.docker.capabilities
CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE
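Review bot: The added sentence on the `+ uppercase. To run without any capabilites` line misspells "capabilities" and the following line ends without a period; `uppercase. To run without any capabilities, set this value to "none".` Because the preceding sentence tells operators to keep the values uppercase, the description should also say that the keyword is matched literally in lowercase — the DockerRunCommand change in this same patch checks `contains("none")`, so `NONE` would not be recognised; appending `The keyword must be given in lowercase.` avoids that misconfiguration.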
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
index c7bf827f545..b270dbb138f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
@@ -87,12 +87,18 @@ public DockerRunCommand setPrivileged() {
return this;
}
- public DockerRunCommand setCapabilities(Set capabilties) {
+ public DockerRunCommand setCapabilities(Set capabilities) {
//first, drop all capabilities
super.addCommandArguments("cap-drop", "ALL");
+ //the "none" keyword anywhere in the set overrides
+ //all other capabilities
+ if(capabilities.contains("none")) {
+ return this;
+ }
+
//now, add the capabilities supplied
- for (String capability : capabilties) {
+ for (String capability : capabilities) {
super.addCommandArguments("cap-add", capability);
}
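Review bot: The check on the new `if(capabilities.contains("none"))` line is an exact, case-sensitive match, while the yarn-default.xml text in this patch tells operators to keep the values uppercase; a configured `NONE` would fall through to the loop and be forwarded as a `cap-add` argument instead of disabling capabilities. Matching case-insensitively closes that gap, and the parameter should be `Set<String>` since the loop already assumes String elements: `public DockerRunCommand setCapabilities(Set<String> capabilities) {` and `if (capabilities.stream().anyMatch("none"::equalsIgnoreCase)) {` (assuming the module targets Java 8 or later, as the stream usage requires). Blank entries — the companion test deliberately passes `""` — are likewise forwarded as a `cap-add` argument; skipping entries for which `capability.trim().isEmpty()` holds avoids handing docker an empty capability name. The method's closing lines are outside the hunk.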
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
index e51d7ecc7c5..4f0c7993781 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/TestDockerRunCommand.java
@@ -21,9 +21,13 @@
import org.junit.Test;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
/**
* Tests the docker run command and its command
@@ -77,4 +81,36 @@ public void testCommandArguments() {
.get("launch-command")));
assertEquals(7, dockerRunCommand.getDockerCommandWithArguments().size());
}
+
+ @Test
+ public void testDockerCapabilities() {
+ String[] caps = new String[3];
+
+ //none keyword at start, should result in no capabilities
+ caps[0] = "none";
+ caps[1] = "CHOWN";
+ caps[2] = "DAC_OVERRIDE";
+ Set capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+
+ //none keyword at end, should result in no capabilities
+ caps[0] = "CHOWN";
+ caps[1] = "DAC_OVERRIDE";
+ caps[2] = "none";
+ capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+
+ //no none keyword, should result in the specified capabilities
+ caps[0] = "CHOWN";
+ caps[1] = "DAC_OVERRIDE";
+ caps[2] = "";
+ capabilities = new HashSet<>(Arrays.asList(caps));
+ dockerRunCommand.setCapabilities(capabilities);
+ assertNotEquals(null, dockerRunCommand.getDockerCommandWithArguments()
+ .get("cap-add"));
+ }
}
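Review bot: The third case of `testDockerCapabilities` only asserts that `cap-add` is non-null, so it passes even if the wrong capabilities were added or the empty string it includes is forwarded verbatim; assert the exact contents instead, e.g. `assertEquals(new HashSet<>(Arrays.asList("CHOWN", "DAC_OVERRIDE")), new HashSet<>(dockerRunCommand.getDockerCommandWithArguments().get("cap-add")));` comparing as sets because HashSet iteration order is not fixed, and decide explicitly whether `""` belongs in the expected result. All three cases also reuse the one `dockerRunCommand` instance, so if `addCommandArguments` appends rather than replaces, the later cases observe `cap-drop`/`cap-add` arguments accumulated from the earlier calls; constructing a fresh command per case keeps them independent. A further case passing `NONE` would pin down whether the keyword is intended to be case-sensitive, which the production check currently is. The raw `Set capabilities` local should be declared as `Set<String>`.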