commit 7b916bda6805f1dff3214b6dfc43ccb4d8c3b52a
Author: eyang
Date: Mon Oct 16 20:43:57 2017 -0400
YARN-7197. Added black list check for volumes.
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 860320d..8dc5d10 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -700,6 +700,36 @@ static int check_mount_permitted(const char **permitted_mounts, const char *requ
 return ret;
 }
 
+static int check_banned_mounts(const char **banned_mounts, const char *requested) {
+ int i = 0, ret = 0;
+ size_t banned_mount_len = 0;
+ char *normalized_path = normalize_mount(requested);
+ if (banned_mounts == NULL) {
+ return 0;
+ }
+ if (normalized_path == NULL) {
+ return -1;
+ }
+ for (i = 0; banned_mounts[i] != NULL; ++i) {
+ if (strcmp(normalized_path, banned_mounts[i]) == 0) {
+ ret = -1;
+ break;
+ }
+ // directory check
+ banned_mount_len = strlen(banned_mounts[i]);
+ if (banned_mount_len > 0
+ && banned_mounts[i][banned_mount_len - 1] == '/') {
+ if (strncmp(normalized_path, banned_mounts[i], banned_mount_len) == 0) {
+ ret = -1;
+ break;
+ }
+ }
+
+ }
+ free(normalized_path);
+ return ret;
+}
+
 static char* get_mount_source(const char *mount) {
 char *src_mount = NULL;
 const char *tmp = NULL;
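Review bot: `normalized_path` is allocated by `normalize_mount(requested)` before the `banned_mounts == NULL` guard, so the early `return 0;` leaks that buffer on every mount check whenever `docker.banned.mounts` is not configured, which is the default. Move the guard above the allocation: `if (banned_mounts == NULL) { return 0; }` first, then `char *normalized_path = normalize_mount(requested);`. The new test expects `/sys` to be rejected by the entry `/sys/`, which only works if `normalize_mount` appends `/` to directories; an entry configured without the trailing slash (`docker.banned.mounts=/sys`) would then match neither the `strcmp` branch nor the prefix branch, so either normalize the banned entries the same way or document that directory entries must end in `/`. Likewise the requested path is canonicalized (the caller logs it as `realpath=`) while each banned entry is compared verbatim, so if `normalize_mount` resolves symlinks an entry spelled through a symlinked path (e.g. `/var/run/docker.sock` where `/var/run` links to `/run`) will silently never match; worth a comment on the function and a note in the config doc.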
@@ -722,6 +752,8 @@ static int add_mounts(const struct configuration *command_config, const struct c
 CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
 char **permitted_rw_mounts = get_configuration_values_delimiter("docker.allowed.rw-mounts",
 CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
+ char **banned_mounts = get_configuration_values_delimiter("docker.banned.mounts",
+ CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
 char **values = get_configuration_values_delimiter(key, DOCKER_COMMAND_FILE_SECTION, command_config, ",");
 char *tmp_buffer_2 = NULL, *mount_src = NULL;
 const char *container_executor_cfg_path = normalize_mount(get_config_path(""));
@@ -747,6 +779,8 @@ static int add_mounts(const struct configuration *command_config, const struct c
 }
 permitted_rw = check_mount_permitted((const char **) permitted_rw_mounts, mount_src);
 permitted_ro = check_mount_permitted((const char **) permitted_ro_mounts, mount_src);
+ permitted_rw = check_banned_mounts((const char **) banned_mounts, mount_src);
+ permitted_ro = check_banned_mounts((const char **) banned_mounts, mount_src);
 if (permitted_ro == -1 || permitted_rw == -1) {
 fprintf(ERRORFILE, "Invalid docker mount '%s', realpath=%s\n", values[i], mount_src);
 ret = INVALID_DOCKER_MOUNT;
@@ -799,6 +833,7 @@ static int add_mounts(const struct configuration *command_config, const struct c
 free_and_exit:
 free_values(permitted_ro_mounts);
 free_values(permitted_rw_mounts);
+ free_values(banned_mounts);
 free_values(values);
 free(mount_src);
 free((void *) container_executor_cfg_path);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index c627ca8..d8a1dd8 100644
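Review bot: In the second hunk (`@@ -747,6 +779,8 @@`) the two added assignments overwrite `permitted_rw` and `permitted_ro`, which the two lines immediately above had just set from `check_mount_permitted`, with the result of `check_banned_mounts` (0 or -1), so the allow-list verdict is discarded before it reaches the `if (permitted_ro == -1 || permitted_rw == -1)` check and whatever per-mode checks follow below the hunk. Keep the ban result in its own variable, `int banned = check_banned_mounts((const char **) banned_mounts, mount_src);` (declared with the other locals at the top of add_mounts if the file keeps C89 placement), and widen the condition to `if (permitted_ro == -1 || permitted_rw == -1 || banned == -1) {`. Calling the check once rather than twice also avoids normalizing the same path twice per mount. add_mounts begins and ends outside these hunks, so the mode checks that consume `permitted_rw`/`permitted_ro` are not visible here.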
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -444,6 +444,22 @@ namespace ContainerExecutor {
 }
 }
 
+ TEST_F(TestDockerUtil, test_check_banned_mounts) {
+ const char *banned_mounts[] = {"/sys/", "/var/run/docker.sock", "/etc/shadow", NULL};
+ std::vector > test_data;
+ test_data.push_back(std::make_pair("/sys", -1));
+ test_data.push_back(std::make_pair("/sys/", -1));
+ test_data.push_back(std::make_pair("/var/run/docker.sock", -1));
+ test_data.push_back(std::make_pair("/bin/", 0));
+ test_data.push_back(std::make_pair("/etc/shadow", -1));
+
+ std::vector >::const_iterator itr;
+ for (itr = test_data.begin(); itr != test_data.end(); ++itr) {
+ int ret = check_banned_mounts(banned_mounts, itr->first.c_str());
+ ASSERT_EQ(itr->second, ret) << "for input " << itr->first;
+ }
+ }
+
 TEST_F(TestDockerUtil, test_normalize_mounts) {
 const int entries = 4;
 const char *permitted_mounts[] = {"/home", "/usr", "/bin/ls", NULL};
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
index 36c391a..0ed3da7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
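Review bot: The `-1` expected for `/var/run/docker.sock` (and `/etc/shadow`) is also what `check_banned_mounts` returns when `normalize_mount` yields NULL, so on a build host where that socket does not exist the case passes without ever proving the ban matched. Add a case that exists on a Linux build host and is banned only through the directory prefix, `test_data.push_back(std::make_pair("/sys/fs/cgroup", -1));`, and a non-banned neighbour of a banned file, `test_data.push_back(std::make_pair("/etc/", 0));`, so the prefix branch and the exact-match branch are each exercised against a real path. A direct `ASSERT_EQ(0, check_banned_mounts(NULL, "/bin/"));` would also pin the unconfigured default that add_mounts relies on. The element type of `test_data` appears to have lost its template arguments in this rendering; presumably `std::pair<std::string, int>` as in the neighbouring tests.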
@@ -180,6 +180,7 @@ are allowed. It contains the following properties:
 | `docker.allowed.networks` | Comma separated networks that containers are allowed to use. If no network is specified when launching the container, the default Docker network will be used. |
 | `docker.allowed.ro-mounts` | Comma separated directories that containers are allowed to mount in read-only mode. By default, no directories are allowed to mounted. |
 | `docker.allowed.rw-mounts` | Comma separated directories that containers are allowed to mount in read-write mode. By default, no directories are allowed to mounted. |
+| `docker.banned.mounts` | Comma separated directories and files that containers are forbidden to mount. |
 | `docker.privileged-containers.enabled` | Set to 1 or 0 to enable or disable launching privileged containers. Default value is 0. |
 
 Please note that if you wish to run Docker containers that require access to the YARN local directories, you must add them to the docker.allowed.rw-mounts list.
@@ -205,6 +206,7 @@ yarn.nodemanager.linux-container-executor.group=yarn
 docker.allowed.networks=bridge,host,none
 docker.allowed.ro-mounts=/sys/fs/cgroup
 docker.allowed.rw-mounts=/var/hadoop/yarn/local-dir,/var/hadoop/yarn/log-dir
+ docker.banned.mounts=/run
 ```