commit 8d243588518d2a495efbb9f20883a1cc716aa8b8
Author: Eric Yang
Date: Mon Feb 25 13:52:36 2019 -0500
YARN-7904. Blocked privileged Docker container for non-entry-point mode. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 6db5b5d..3bb2f46 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -1525,6 +1525,12 @@ static int set_privileged(const struct configuration *command_config, const stru
 if (privileged_container_enabled != NULL) {
 if (strcmp(privileged_container_enabled, "1") == 0 ||
 strcasecmp(privileged_container_enabled, "True") == 0) {
+ // Disable set privileged if entry point mode is disabled
+ if (get_use_entry_point_flag() != 1) {
+ fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode\n");
+ ret = PRIVILEGED_CONTAINERS_DISABLED;
+ goto free_and_exit;
+ }
 // Disable set privileged if image is not trusted.
 if (check_trusted_image(command_config, conf) != 0) {
 fprintf(ERRORFILE, "Privileged containers are disabled from untrusted source\n");
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 0401808..a5a67d2 100644
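Review bot: The new guard tests `get_use_entry_point_flag() != 1`, which ties the policy to one exact representation of "enabled"; the getter's definition is not in this hunk, so if it can return any other nonzero value for enabled, privileged containers would be refused even in entry-point mode. If 0 is the only "disabled" value, `if (get_use_entry_point_flag() == 0) {` states the intent directly and is robust to that. The added comment also gives no reason a reader can follow later, so I would make it `// YARN-7904: privileged containers are only permitted in entry-point mode` so the rationale is traceable to the ticket. Ordering the check before check_trusted_image() is fine since both paths set ret and jump to free_and_exit, but that label, ret's declaration and the rest of set_privileged are outside the hunk, so I cannot confirm they match.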
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -791,7 +791,7 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 std::vector >::const_iterator itr;
 file_cmd_vec.push_back(std::make_pair(
- "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image", "--privileged "));
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image\n use-entry-point=true", "--privileged "));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n privileged=false\n image=hadoop/image", ""));
 file_cmd_vec.push_back(std::make_pair(
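Review bot: Only the positive case is updated here (`use-entry-point=true` appended so `--privileged ` is still produced); nothing in this hunk exercises the behaviour the commit actually introduces, namely `privileged=true` without `use-entry-point` being refused with PRIVILEGED_CONTAINERS_DISABLED. Without that negative case a regression that drops the new guard would leave this test green. Since file_cmd_vec maps a config to the expected argument string, the blocked case likely cannot be expressed in this table and needs a separate assertion on the returned error code, alongside whatever this test already does for the untrusted-image rejection; the loop that consumes file_cmd_vec is outside the hunk, so I cannot see how error returns are checked.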