commit 3ccc554a5022eb546dda618387c2e8a410a62ceb Author: Eric Yang Date: Thu May 24 18:25:48 2018 -0400 YARN-8342. Allow launch_command for untrusted image. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index d34a5b2..224472a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -1046,6 +1046,10 @@ static int check_mount_permitted(const char **permitted_mounts, const char *requ
 return -1;
 }
 for (i = 0; permitted_mounts[i] != NULL; ++i) {
+ if (ends_with(normalized_path, "launch_container.sh")) {
+ ret = 1;
+ break;
+ }
 if (strcmp(normalized_path, permitted_mounts[i]) == 0) {
 ret = 1;
 break;
@@ -1480,10 +1484,6 @@ int get_docker_run_command(const char *command_file, const struct configuration
 launch_command = get_configuration_values_delimiter("launch-command", DOCKER_COMMAND_FILE_SECTION, &command_config, ",");
- if (check_trusted_image(&command_config, conf) != 0) {
- launch_command = NULL;
- }
-
 if (launch_command != NULL) {
 for (i = 0; launch_command[i] != NULL; ++i) {
 ret = add_to_args(args, launch_command[i]);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.c
index 80511e5..6aa472c 100644
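Review bot: The `ends_with(normalized_path, "launch_container.sh")` test is placed inside the `for` over `permitted_mounts`, so it only runs when the permitted list has at least one entry (an empty list still rejects the launch script) and it is re-evaluated on every iteration. It is also a bare suffix match that bypasses the admin-configured list entirely, so any path whose last component merely ends in those characters, such as `/tmp/notlaunch_container.sh`, is accepted; whether `normalized_path` has had symlinks resolved before this point is not visible in the hunk, and if it has not, a user-created symlink named `launch_container.sh` would make an arbitrary host path mountable, which deserves confirming. Hoist the check ahead of the loop and anchor it on the path separator as below. check_mount_permitted begins and ends outside the hunk, so `ret` is assumed to be the value returned after cleanup.
```c
  /* The NM-generated launch script is always mountable; anchoring on the
   * separator means only a file actually named launch_container.sh matches. */
  if (ends_with(normalized_path, "/launch_container.sh")) {
    ret = 1;
  } else {
    for (i = 0; permitted_mounts[i] != NULL; ++i) {
      /* … unchanged: strcmp against each permitted mount … */
    }
  }
```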
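Review bot: With the `check_trusted_image` gate removed, every element of `launch_command` read from the command file now reaches `add_to_args` for untrusted images as well, and nothing in the hunk records why that is acceptable, so the next reader is likely to put the gate back. The updated tests show untrusted images running with `--cap-drop=ALL`, which suggests the rationale is that confinement comes from the image-level restrictions rather than from withholding the command; whether each element is validated before `add_to_args` is not visible here and should be confirmed, since the elements are only safe from shell interpretation if the executor never goes through a shell. Suggest a comment above the `if (launch_command != NULL)` line: `/* launch-command is accepted for untrusted images too (YARN-8342); confinement relies on the image-level restrictions applied elsewhere in this function, not on dropping the command. */`. get_docker_run_command starts and ends outside the hunk.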
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.c
@@ -180,3 +180,18 @@ char *make_string(const char *fmt, ...) {
 }
 return buf;
 }
+
+/*
+ * String ends with.
+ */
+int ends_with(const char *str, const char *suffix) {
+ if (!str || !suffix) {
+ return 0;
+ }
+ size_t lenstr = strlen(str);
+ size_t lensuffix = strlen(suffix);
+ if (lensuffix > lenstr) {
+ return 0;
+ }
+ return strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.h b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.h
index affb3c3..88cb946 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.h
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/string-utils.h
@@ -38,4 +38,9 @@ int get_numbers_split_by_comma(const char* input, int** numbers, size_t* n_numbe
 * String format utility
 */
 char *make_string(const char *fmt, ...);
+
+/*
+ * String ends with
+ */
+int ends_with(const char *str, const char *suffix);
 #endif
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 613755c..a76b10a 100644
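Review bot: The header comment `String ends with.` on the new ends_with does not state the contract a caller in a security check needs: a NULL `str` or `suffix` yields 0, an empty suffix matches every non-NULL string, and the comparison is byte-wise and case-sensitive. Suggest replacing it with `/* Returns 1 if str ends with suffix, 0 otherwise. A NULL str or suffix yields 0; an empty suffix matches any non-NULL str. Byte-wise, case-sensitive. */`. The `lensuffix > lenstr` guard keeps `str + lenstr - lensuffix` inside the string, so the pointer arithmetic is sound; since both lengths are already known, `memcmp` would express the intent slightly more directly than `strncmp`, but that is a matter of taste. The function relies on strlen/strncmp, and string-utils.c's include list is outside the hunk, so make sure `<string.h>` is already pulled in.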
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -1180,7 +1180,7 @@ namespace ContainerExecutor {
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm"
- " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
+ " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image bash test_script.sh arg1 arg2"));
 // Test non-privileged container and drop all privileges
 file_cmd_vec.push_back(std::make_pair(
@@ -1202,7 +1202,7 @@ namespace ContainerExecutor {
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge"
- " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
+ " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image bash test_script.sh arg1 arg2"));
 // Test privileged container
 file_cmd_vec.push_back(std::make_pair(
@@ -1237,7 +1237,7 @@ namespace ContainerExecutor {
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge --cap-drop=ALL "
 "--hostname=host-id --group-add 1000 --group-add 1001 "
- "docker-image"));
+ "docker-image bash test_script.sh arg1 arg2"));
 std::vector > bad_file_cmd_vec;
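Review bot: These expectation updates cover the removal of the trusted-image gate, but nothing in the diff exercises the commit's other behavioral change, the `launch_container.sh` suffix exemption added to check_mount_permitted. A case that requests a mount whose source ends in `launch_container.sh` while the permitted-mount list does not contain it, plus a sibling such as `/tmp/notlaunch_container.sh` that should be rejected, would pin the intended scope of that exemption; the docker-util fixtures around these hunks look like the natural place for it. The three hunks here are otherwise plain string updates for the `nothadoop/docker-image` and `docker-image` cases.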
@@ -1386,7 +1386,7 @@ namespace ContainerExecutor {
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n"
 " user=nobody\n launch-command=bash,test_script.sh,arg1,arg2",
- "run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL docker-image"));
+ "run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL docker-image bash test_script.sh arg1 arg2"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n"
@@ -1407,7 +1407,7 @@ namespace ContainerExecutor {
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm"
- " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
+ " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image bash test_script.sh arg1 arg2"));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n"
@@ -1428,7 +1428,7 @@ namespace ContainerExecutor {
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge"
- " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image"));
+ " --cgroup-parent=ctr-cgroup --cap-drop=ALL --hostname=host-id nothadoop/docker-image bash test_script.sh arg1 arg2"));
 std::vector > bad_file_cmd_vec;
 bad_file_cmd_vec.push_back(std::make_pair(
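Review bot: Every new expectation here uses a launch-command whose elements contain no whitespace, so the space-joined rendering `bash test_script.sh arg1 arg2` cannot distinguish four separate argv entries from one pre-joined string; if the harness compares a flat rendering, as these expected strings suggest, that is the one property of the untrusted-image path worth pinning now that the command is no longer dropped. One added case with an element containing a space (for example `launch-command=bash,-c,echo hi`), asserting whichever rendering the executor produces for it, would make the "separate argv entries, no shell" behavior explicit. The surrounding fixture vectors start and end outside these hunks, so the new pair can be appended next to the existing ones.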