commit 47e37aec826f1ab89adbf9415c753584c31ca2fa
Author: Eric Yang
Date:   Mon Feb 25 13:52:36 2019 -0500

    YARN-7904. Blocked privileged Docker container for non-entry-point mode. Contributed by Eric Yang

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 6db5b5d..f423e98 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -416,12 +416,6 @@ int get_docker_command(const char *command_file, const struct configuration *con
     return INVALID_COMMAND_FILE;
   }
 
-  char *value = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
-  if (value != NULL && strcasecmp(value, "true") == 0) {
-    entry_point = 1;
-  }
-  free(value);
-
   char *docker = get_docker_binary(conf);
   ret = add_to_args(args, docker);
   free(docker);
@@ -1525,6 +1519,12 @@ static int set_privileged(const struct configuration *command_config, const stru
   if (privileged_container_enabled != NULL) {
     if (strcmp(privileged_container_enabled, "1") == 0 ||
         strcasecmp(privileged_container_enabled, "True") == 0) {
+      // Disable set privileged if entry point mode is disabled
+      if (get_use_entry_point_flag() != 1) {
+        fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode\n");
+        ret = PRIVILEGED_CONTAINERS_DISABLED;
+        goto free_and_exit;
+      }
       // Disable set privileged if image is not trusted.
       if (check_trusted_image(command_config, conf) != 0) {
         fprintf(ERRORFILE, "Privileged containers are disabled from untrusted source\n");
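Review bot: The added guard in set_privileged bases the --privileged decision on the process-wide value behind get_use_entry_point_flag() rather than on the command_config it already receives, so the outcome depends on get_docker_run_command having parsed `use-entry-point` earlier in the same process, and a caller that reaches set_privileged by any other path is refused whatever the command file says. Looking the key up here instead, `char *uep = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, command_config);` and refusing when `uep == NULL || strcasecmp(uep, "true") != 0` (with a matching `free(uep)` before leaving), keeps the authorization decision next to the trusted-image check it precedes and removes the ordering dependency. Whether other call sites exist cannot be confirmed from this diff; set_privileged's body starts and ends outside the hunk.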
@@ -1568,12 +1568,19 @@ int get_docker_run_command(const char *command_file, const struct configuration
   char **launch_command = NULL;
   char *privileged = NULL;
   char *no_new_privileges_enabled = NULL;
+  char *use_entry_point = NULL;
   struct configuration command_config = {0, NULL};
   ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
   if (ret != 0) {
     goto free_and_exit;
   }
 
+  use_entry_point = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
+  if (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0) {
+    entry_point = 1;
+  }
+  free(use_entry_point);
+
   container_name = get_configuration_value("name", DOCKER_COMMAND_FILE_SECTION, &command_config);
   if (container_name == NULL || validate_container_name(container_name) != 0) {
     ret = INVALID_DOCKER_CONTAINER_NAME;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index 0401808..006ebc0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
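Review bot: `entry_point` is set to 1 when the command file says true but is never set to 0 otherwise, so after this hunk the flag keeps whatever value it already held, and set_privileged now grants --privileged on that value. Assigning `entry_point = 0;` right after the read_and_verify_command_file check, before the lookup, ties the grant to this command file alone. Its declaration and initial value are outside the hunk, and the executor presumably handles one command file per process, which limits the exposure but still leaves the check order-dependent; get_docker_run_command continues outside the hunk.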
@@ -791,7 +791,7 @@ namespace ContainerExecutor {
     std::vector > file_cmd_vec;
     std::vector >::const_iterator itr;
     file_cmd_vec.push_back(std::make_pair(
-        "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image", "--privileged "));
+        "[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image\n use-entry-point=true", "--privileged "));
     file_cmd_vec.push_back(std::make_pair(
         "[docker-command-execution]\n docker-command=run\n privileged=false\n image=hadoop/image", ""));
     file_cmd_vec.push_back(std::make_pair(
@@ -1459,7 +1459,7 @@ namespace ContainerExecutor {
         "[docker-command-execution]\n"
         " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
         " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
-        " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+        " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
         " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
         " launch-command=bash,test_script.sh,arg1,arg2",
         "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
@@ -1471,7 +1471,7 @@ namespace ContainerExecutor {
         "[docker-command-execution]\n"
         " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
         " mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
-        " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n"
+        " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n use-entry-point=true\n"
         " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
         " launch-command=bash,test_script.sh,arg1,arg2",
         "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
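Review bot: The changed vectors only append `use-entry-point=true` so the existing positive expectations keep passing; nothing exercises the behaviour this commit introduces, a `privileged=true` command file without `use-entry-point` that must now fail with PRIVILEGED_CONTAINERS_DISABLED instead of emitting `--privileged `. A pair built from `"[docker-command-execution]\n docker-command=run\n privileged=true\n image=hadoop/image"` and expected to be rejected, placed with this test's negative cases if it keeps any, would guard the new path against regression. The hunks at 1459, 1471 and 1860 adapt their inputs in the same way and would benefit from the same counter-case.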
@@ -1860,7 +1860,7 @@ namespace ContainerExecutor {
     std::vector > file_cmd_vec;
 
     file_cmd_vec.push_back(std::make_pair(
-        "[docker-command-execution]\n docker-command=run\n privileged=true\n"
+        "[docker-command-execution]\n docker-command=run\n privileged=true\n use-entry-point=true\n"
         "name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root",
         "run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
index 4d55877..c6ff140 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
@@ -640,7 +640,7 @@ Privileged Container Security Consideration Privileged docker container can interact with host system devices. This can cause harm to host operating system without proper care. In order to mitigate risk of allowing privileged container to run on Hadoop cluster, we implemented a controlled process to sandbox unauthorized privileged docker images. -The default behavior is disallow any privileged docker containers. When `docker.privileged-containers.enabled` is set to enabled, docker image can run with root privileges in the docker container, but access to host level devices are disabled. This allows developer and tester to run docker images from internet without causing harm to host operating system. +The default behavior disallows any privileged docker containers. Privileged docker is only allowed with ENTRYPOINT enabled docker image, and `docker.privileged-containers.enabled` is set to enabled. Docker image can run with root privileges in the docker container, but access to host level devices are disabled. This allows developer and tester to run docker images from internet with some restrictions to prevent harm to host operating system. When docker images have been certified by developers and testers to be trustworthy. The trusted image can be promoted to trusted docker registry. System administrator can define `docker.trusted.registries`, and setup private docker registry server to promote trusted images.