diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c index ced7424e569..8cf2cd5c5f7 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c @@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct int found = 0; int i = 0; int ret = 0; + int no_registry_prefix_in_image_name = 0; char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config); char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ","); char *registry_ptr = NULL; @@ -120,8 +121,21 @@ int check_trusted_image(const struct configuration *command_config, const struct ret = INVALID_DOCKER_IMAGE_NAME; goto free_and_exit; } + if (strchr(image_name, '/') == NULL) { + no_registry_prefix_in_image_name = 1; + } if (privileged_registry != NULL) { for (i = 0; privileged_registry[i] != NULL; i++) { + // "library" means we trust public top + if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) { + // image name doens't contains "/" + if (no_registry_prefix_in_image_name) { + // if image doesn't exists, docker pull will automatically happen + found = 1; + fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name); + break; + } + } int len = strlen(privileged_registry[i]); if (privileged_registry[i][len - 1] != '/') { registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char)); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc index 66e987ea30d..514454ca6aa 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc @@ -1859,4 +1859,45 @@ namespace ContainerExecutor { run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command); free_configuration(&container_executor_cfg); } + + TEST_F(TestDockerUtil, test_trusted_top_level_image) { + struct configuration container_cfg, cmd_cfg; + std::string container_executor_contents = "[docker]\n" + " docker.trusted.registries=library\n"; + write_file(container_executor_cfg_file, container_executor_contents); + int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg); + if (ret != 0) { + FAIL(); + } + ret = create_ce_file(); + if (ret != 0) { + std::cerr << "Could not create ce file, skipping test" << std::endl; + return; + } + std::vector > file_cmd_vec; + file_cmd_vec.push_back(std::make_pair( + "[docker-command-execution]\n" + " image=centos", + "centos")); + file_cmd_vec.push_back(std::make_pair( + "[docker-command-execution]\n" + " image=ubuntu:latest", + "centos")); + file_cmd_vec.push_back(std::make_pair( + "[docker-command-execution]\n" + " image=library/centos", + "centos")); + std::vector >::const_iterator itr; + + for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) { + write_command_file(itr->first); + ret = read_config(docker_command_file.c_str(), &cmd_cfg); + if (ret != 0) { + FAIL(); + } + ret = check_trusted_image(&cmd_cfg, &container_cfg); + ASSERT_EQ(0, ret); + } + free_configuration(&container_cfg); + } }