diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index f361d347a34..8a21b38540e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -1480,6 +1480,11 @@ int get_docker_run_command(const char *command_file, const struct configuration
 reset_args(args);
 return BUFFER_TOO_SMALL;
 }
+ ret = add_to_args(args, "--security-opt=no-new-privileges");
+ if (ret != 0) {
+ reset_args(args);
+ return BUFFER_TOO_SMALL;
+ }
 }
 
 free(privileged);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 1fa425cf00e..6452b7467d2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
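Review bot: The new `add_to_args(args, "--security-opt=no-new-privileges")` call is the only hardening decision in this hunk and it carries no comment, so the next maintainer has no way to tell that it is deliberate, unconditional, and not overridable from the command file. Suggested comment above the call: `// no_new_privs: execve() ignores setuid/setgid bits and file capabilities, so a --user process` / `// cannot become root through a setuid binary in the image even when cap-add=SETUID is granted.` / `// Applied to every non-privileged container; there is intentionally no config knob.` The test expectations place the flag directly after `--user=nobody` and the privileged test cases between the test hunks are untouched, which suggests the call sits in the non-privileged branch before `free(privileged)` — worth confirming, since the enclosing `if` starts outside the hunk. A deployment caveat belongs in the YARN Docker docs rather than the code: images that rely on setuid helpers (`sudo`, `su`, `ping` with file caps) will run them without the elevated identity after this change and those helpers will typically fail.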
@@ -1151,14 +1151,17 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL hadoop/docker-image"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL hadoop/docker-image"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL nothadoop/docker-image"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL nothadoop/docker-image"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL hadoop/docker-image bash test_script.sh arg1 arg2"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL hadoop/docker-image bash test_script.sh arg1 arg2"));
 
 // Test non-privileged conatiner with launch command
 file_cmd_vec.push_back(std::make_pair(
@@ -1168,7 +1171,8 @@ namespace ContainerExecutor {
 " network=bridge\n devices=/dev/test:/dev/test\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
 " -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
 " --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
 "test_script.sh arg1 arg2"));
@@ -1179,8 +1183,8 @@ namespace ContainerExecutor {
 " network=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm"
- " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
 
 // Test non-privileged container and drop all privileges
 file_cmd_vec.push_back(std::make_pair(
@@ -1190,7 +1194,8 @@ namespace ContainerExecutor {
 " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
 " -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
 "--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
 " test_script.sh arg1 arg2"));
@@ -1201,7 +1206,8 @@ namespace ContainerExecutor {
 " network=bridge\n net=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --net=bridge"
 " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
 
 // Test privileged container
@@ -1235,7 +1241,8 @@ namespace ContainerExecutor {
 " network=bridge\n net=bridge\n"
 " detach=true\n rm=true\n group-add=1000,1001\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge --cap-drop=ALL "
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --net=bridge --cap-drop=ALL "
 "--hostname=host-id --group-add 1000 --group-add 1001 "
 "docker-image"));
 
@@ -1339,7 +1346,8 @@ namespace ContainerExecutor {
 " user=nobody\n"
 " use-entry-point=true\n"
 " environ=/tmp/test.env\n",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL "
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL "
 "--env-file /tmp/test.env hadoop/docker-image"));
 
 std::vector > bad_file_cmd_vec;
@@ -1382,11 +1390,13 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=nobody",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL docker-image"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL docker-image"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n"
 " user=nobody\n launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL docker-image"));
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL docker-image"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n"
@@ -1395,7 +1405,8 @@ namespace ContainerExecutor {
 " network=bridge\n devices=/dev/test:/dev/test\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
 " -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
 " --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
 "test_script.sh arg1 arg2"));
@@ -1406,7 +1417,8 @@ namespace ContainerExecutor {
 " network=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm"
 " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
 
 file_cmd_vec.push_back(std::make_pair(
@@ -1416,7 +1428,8 @@ namespace ContainerExecutor {
 " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
 " -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
 "--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
 " test_script.sh arg1 arg2"));
@@ -1427,7 +1440,8 @@ namespace ContainerExecutor {
 " network=bridge\n net=bridge\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
- "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge"
+ "/usr/bin/docker run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "-d --rm --net=bridge"
 " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
 
 std::vector > bad_file_cmd_vec;
@@ -1465,7 +1479,8 @@ namespace ContainerExecutor {
 input_output_map.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n docker-config=/my-config\n name=container_e1_12312_11111_02_000001\n"
 " image=docker-image\n user=nobody",
- "/usr/bin/docker --config=/my-config run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL docker-image"));
+ "/usr/bin/docker --config=/my-config run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL docker-image"));
 
 std::vector >::const_iterator itr;
 struct args buffer = ARGS_INITIAL_VALUE;