commit ce81f2342082baaa3f9d04dbf45def9955376c9c
Author: Eric Yang
Date: Mon Feb 25 13:52:36 2019 -0500
YARN-7904. Blocked privileged Docker container for non-entry-point mode. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 6db5b5d..f423e98 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -416,12 +416,6 @@ int get_docker_command(const char *command_file, const struct configuration *con
 return INVALID_COMMAND_FILE;
 }
- char *value = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
- if (value != NULL && strcasecmp(value, "true") == 0) {
- entry_point = 1;
- }
- free(value);
-
 char *docker = get_docker_binary(conf);
 ret = add_to_args(args, docker);
 free(docker);
@@ -1525,6 +1519,12 @@ static int set_privileged(const struct configuration *command_config, const stru
 if (privileged_container_enabled != NULL) {
 if (strcmp(privileged_container_enabled, "1") == 0 || strcasecmp(privileged_container_enabled, "True") == 0) {
+ // Disable set privileged if entry point mode is disabled
+ if (get_use_entry_point_flag() != 1) {
+ fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode\n");
+ ret = PRIVILEGED_CONTAINERS_DISABLED;
+ goto free_and_exit;
+ }
 // Disable set privileged if image is not trusted.
 if (check_trusted_image(command_config, conf) != 0) {
 fprintf(ERRORFILE, "Privileged containers are disabled from untrusted source\n");
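Review bot: The new guard in set_privileged decides on `get_use_entry_point_flag()`, a process-wide flag that this commit now populates only inside get_docker_run_command (the next hunk of this file, with the old parse removed from get_docker_command in the first hunk), so the check is only meaningful if set_privileged is reached after that parse and on the run path; any other caller would presumably see the flag unset and be rejected with PRIVILEGED_CONTAINERS_DISABLED, which fails closed but with a misleading message. Since set_privileged already receives command_config, reading the value there would remove the ordering dependency, e.g. `char *uep = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, command_config);` followed by the same strcasecmp test and `free(uep)`, provided get_configuration_value accepts the const pointer. The check order also means a privileged request from an untrusted image in non-entry-point mode is logged as a non-entry-point rejection rather than an untrusted-image one, which is fine for enforcement but deserves a line above the new block: `// Entry-point mode is checked before image trust; an untrusted image in non-entry-point mode is reported as non-entry-point.`. set_privileged starts and ends outside this hunk.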
@@ -1568,12 +1568,19 @@ int get_docker_run_command(const char *command_file, const struct configuration
 char **launch_command = NULL;
 char *privileged = NULL;
 char *no_new_privileges_enabled = NULL;
+ char *use_entry_point = NULL;
 struct configuration command_config = {0, NULL};
 ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
 if (ret != 0) {
 goto free_and_exit;
 }
+ use_entry_point = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
+ if (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0) {
+ entry_point = 1;
+ }
+ free(use_entry_point);
+
 container_name = get_configuration_value("name", DOCKER_COMMAND_FILE_SECTION, &command_config);
 if (container_name == NULL || validate_container_name(container_name) != 0) {
 ret = INVALID_DOCKER_CONTAINER_NAME;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 0401808..006ebc0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
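Review bot: `entry_point = 1;` is set here but never reset to 0 on this path, so if `entry_point` is the file-scope flag behind get_use_entry_point_flag() and get_docker_run_command runs more than once in a process (the unit tests in test_docker_util.cc build many command files in one process), a `use-entry-point=true` from an earlier command file would carry over and satisfy the privileged check for a later one that omits it. Assigning both outcomes closes that: `entry_point = (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0) ? 1 : 0;`. Note also that only a case-insensitive `true` enables the mode, whereas the `privileged` value in set_privileged additionally accepts `1`; if that asymmetry is intended, a comment should say so, e.g. `// Only an explicit "true" enables entry-point mode; "1", "false" or a missing key leave it off.`. get_docker_run_command starts before this hunk and continues after it.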
@@ -791,7 +791,7 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 std::vector >::const_iterator itr;
 file_cmd_vec.push_back(std::make_pair(
- "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image", "--privileged "));
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image\n use-entry-point=true", "--privileged "));
 file_cmd_vec.push_back(std::make_pair(
 "[docker-command-execution]\n docker-command=run\n privileged=false\n image=hadoop/image", ""));
 file_cmd_vec.push_back(std::make_pair(
@@ -1459,7 +1459,7 @@ namespace ContainerExecutor {
 "[docker-command-execution]\n"
 " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
 " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
- " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+ " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
@@ -1471,7 +1471,7 @@ namespace ContainerExecutor {
 "[docker-command-execution]\n"
 " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
 " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
- " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+ " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
 " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
 " launch-command=bash,test_script.sh,arg1,arg2",
 "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
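Review bot: The test changes here and at 1459, 1471 and 1860 only add `use-entry-point=true` to the existing `privileged=true` inputs so they keep expecting `--privileged`; no case exercises the new rejection itself, i.e. a command file with `privileged=true` and no `use-entry-point` (or `use-entry-point=false`) that is expected to fail with PRIVILEGED_CONTAINERS_DISABLED. Without that, a regression removing the get_use_entry_point_flag() check in set_privileged would pass this suite unchanged. A pair such as `"[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image"` mapped to the PRIVILEGED_CONTAINERS_DISABLED return, placed alongside whatever failure cases this test already has, would cover it; if the flag is file-scope and not reset between runs, that case should also run before any `use-entry-point=true` input. The enclosing test bodies start and end outside these hunks.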
@@ -1860,7 +1860,7 @@ namespace ContainerExecutor {
 std::vector > file_cmd_vec;
 file_cmd_vec.push_back(std::make_pair(
- "[docker-command-execution]\n docker-command=run\n privileged=true\n"
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n use-entry-point=true\n"
 "name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root",
 "run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));