commit 842096591f4c1b4a8a53c512e844c698e94a59f4
Author: Eric Yang
Date: Mon Feb 25 13:52:36 2019 -0500
YARN-7904. Blocked privileged Docker container for non-entry-point mode. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 6db5b5d..3bb2f46 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -1525,6 +1525,12 @@ static int set_privileged(const struct configuration *command_config, const stru
 if (privileged_container_enabled != NULL) {
 if (strcmp(privileged_container_enabled, "1") == 0 ||
 strcasecmp(privileged_container_enabled, "True") == 0) {
+ // Disable set privileged if entry point mode is disabled
+ if (get_use_entry_point_flag() != 1) {
+ fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode\n");
+ ret = PRIVILEGED_CONTAINERS_DISABLED;
+ goto free_and_exit;
+ }
 // Disable set privileged if image is not trusted.
 if (check_trusted_image(command_config, conf) != 0) {
 fprintf(ERRORFILE, "Privileged containers are disabled from untrusted source\n");
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 0401808..006ebc0 100644
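Review bot: The new guard decides on `get_use_entry_point_flag()`, a process-global that nothing in this hunk sets, so whether a privileged request is rejected depends on the `use-entry-point` key having already been parsed into that flag before set_privileged() runs — an ordering contract the code does not state, and one that would fail silently in either direction (always reject, or never reject) if the call order in the parser ever changed. A one-line comment on the added `if` should pin it, e.g. `// Relies on use-entry-point having been parsed into the global flag before this call.`, and the rejection message could name the remedy for the operator: `"Privileged containers are disabled for non-entry-point mode; set use-entry-point=true\n"`. Since both guards now fall through to the same `free_and_exit` with PRIVILEGED_CONTAINERS_DISABLED, a caller cannot distinguish the two rejections except by the log line, which is worth noting in the function's doc comment. The body of set_privileged, including the `free_and_exit` label and the trusted-image branch, continues outside the hunk.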
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -791,7 +791,7 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 std::vector >::const_iterator itr;
 file_cmd_vec.push_back(std::make_pair(
- "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image", "--privileged "));
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image\n use-entry-point=true", "--privileged "));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n privileged=false\n image=hadoop/image", ""));
 file_cmd_vec.push_back(std::make_pair(
@@ -1459,7 +1459,7 @@ namespace ContainerExecutor {
 "[docker-command-execution]\n"
 " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
 " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
- " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+ " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
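Review bot: The hunk only adds `use-entry-point=true` to the case that is expected to succeed; nothing visible here exercises the new rejection path, so a regression that removed the entry-point check in set_privileged would still pass these expectations. The test should also feed `privileged=true` without any `use-entry-point` key — the exact pre-patch input, `"[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image"` — into whichever vector this test uses for inputs expected to fail, paired with PRIVILEGED_CONTAINERS_DISABLED, unless such a case already exists outside the hunk. A `use-entry-point=false` variant would additionally pin that the check keys off the parsed value rather than mere presence of the key. The enclosing test body starts and ends outside the hunk.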
@@ -1471,7 +1471,7 @@ namespace ContainerExecutor {
 "[docker-command-execution]\n"
 " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
 " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
- " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+ " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
@@ -1860,7 +1860,7 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 file_cmd_vec.push_back(std::make_pair(
- "[docker-command-execution]\n docker-command=run\n privileged=true\n"
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n use-entry-point=true\n"
 "name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root",
 "run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));