You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2018/05/23 22:56:00 UTC
[08/50] [abbrv] hadoop git commit: YARN-7960. Added security flag
no-new-privileges for YARN Docker integration. Contributed by Eric Badger
YARN-7960. Added security flag no-new-privileges for YARN Docker integration.
Contributed by Eric Badger
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/6176d2b3
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/6176d2b3
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/6176d2b3
Branch: refs/heads/HDDS-4
Commit: 6176d2b35c85715aae93526236c29540f71ecac8
Parents: bcc8e76
Author: Eric Yang <ey...@apache.org>
Authored: Tue May 22 13:44:58 2018 -0400
Committer: Eric Yang <ey...@apache.org>
Committed: Tue May 22 13:44:58 2018 -0400
----------------------------------------------------------------------
.../hadoop-yarn/conf/container-executor.cfg | 1 +
.../container-executor/impl/utils/docker-util.c | 12 +++
.../test/utils/test_docker_util.cc | 90 ++++++++++++++++++++
.../src/site/markdown/DockerContainers.md | 1 +
4 files changed, 104 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/6176d2b3/hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg b/hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
index 36676b0..d19874f 100644
--- a/hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
+++ b/hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
@@ -15,6 +15,7 @@ feature.tc.enabled=false
# docker.allowed.rw-mounts=## comma seperate volumes that can be mounted as read-write, add the yarn local and log dirs to this list to run Hadoop jobs
# docker.privileged-containers.enabled=false
# docker.allowed.volume-drivers=## comma seperated list of allowed volume-drivers
+# docker.no-new-privileges.enabled=## enable/disable the no-new-privileges flag for docker run. Set to "true" to enable, disabled by default
# The configs below deal with settings for FPGA resource
#[fpga]
http://git-wip-us.apache.org/repos/asf/hadoop/blob/6176d2b3/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 099e5b5..d34a5b2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -1374,6 +1374,18 @@ int get_docker_run_command(const char *command_file, const struct configuration
reset_args(args);
return BUFFER_TOO_SMALL;
}
+ char *no_new_privileges_enabled =
+ get_configuration_value("docker.no-new-privileges.enabled",
+ CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf);
+ if (no_new_privileges_enabled != NULL &&
+ strcasecmp(no_new_privileges_enabled, "True") == 0) {
+ ret = add_to_args(args, "--security-opt=no-new-privileges");
+ if (ret != 0) {
+ reset_args(args);
+ return BUFFER_TOO_SMALL;
+ }
+ }
+ free(no_new_privileges_enabled);
}
free(privileged);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/6176d2b3/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index e18bf63..613755c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -1545,4 +1545,94 @@ namespace ContainerExecutor {
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_volume_command);
}
+
+ TEST_F(TestDockerUtil, test_docker_no_new_privileges) {
+
+ std::string container_executor_contents[] = {"[docker]\n"
+ " docker.privileged-containers.registries=hadoop\n"
+ " docker.privileged-containers.enabled=false\n"
+ " docker.no-new-privileges.enabled=true",
+ "[docker]\n"
+ " docker.privileged-containers.registries=hadoop\n"
+ " docker.privileged-containers.enabled=true\n"
+ " docker.no-new-privileges.enabled=true",
+ "[docker]\n"
+ " docker.privileged-containers.registries=hadoop\n"
+ " docker.privileged-containers.enabled=true\n"
+ " docker.no-new-privileges.enabled=true",
+ "[docker]\n"
+ " docker.privileged-containers.registries=hadoop\n"
+ " docker.privileged-containers.enabled=false\n"
+ " docker.no-new-privileges.enabled=false",
+ "[docker]\n"
+ " docker.privileged-containers.registries=hadoop\n"
+ " docker.privileged-containers.enabled=true\n"
+ " docker.no-new-privileges.enabled=false"};
+ for (int i = 0; i < 2; ++i) {
+ write_file(container_executor_cfg_file, container_executor_contents[i]);
+ int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
+ if (ret != 0) {
+ FAIL();
+ }
+ ret = create_ce_file();
+ if (ret != 0) {
+ std::cerr << "Could not create ce file, skipping test" << std::endl;
+ return;
+ }
+
+ std::vector<std::pair<std::string, std::string> > file_cmd_vec;
+ file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+ "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n"
+ "image=hadoop/docker-image\n user=nobody",
+ "run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
+ "--cap-drop=ALL hadoop/docker-image"));
+
+ std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
+ run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
+ }
+
+ for (int i = 2; i < 3; ++i) {
+ write_file(container_executor_cfg_file, container_executor_contents[i]);
+ int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
+ if (ret != 0) {
+ FAIL();
+ }
+ ret = create_ce_file();
+ if (ret != 0) {
+ std::cerr << "Could not create ce file, skipping test" << std::endl;
+ return;
+ }
+
+ std::vector<std::pair<std::string, std::string> > file_cmd_vec;
+ file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+ "[docker-command-execution]\n docker-command=run\n privileged=true\n"
+ "name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root",
+ "run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));
+
+ std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
+ run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
+ }
+
+ for (int i = 3; i < 5; ++i) {
+ write_file(container_executor_cfg_file, container_executor_contents[i]);
+ int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
+ if (ret != 0) {
+ FAIL();
+ }
+ ret = create_ce_file();
+ if (ret != 0) {
+ std::cerr << "Could not create ce file, skipping test" << std::endl;
+ return;
+ }
+
+ std::vector<std::pair<std::string, std::string> > file_cmd_vec;
+ file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+ "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n"
+ "image=hadoop/docker-image\n user=nobody",
+ "run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL hadoop/docker-image"));
+
+ std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
+ run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/6176d2b3/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
index 3c39291..0f49a06 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
@@ -208,6 +208,7 @@ are allowed. It contains the following properties:
| `docker.privileged-containers.enabled` | Set to "true" or "false" to enable or disable launching privileged containers. Default value is "false". |
| `docker.privileged-containers.registries` | Comma separated list of trusted docker registries for running trusted privileged docker containers. By default, no registries are defined. |
| `docker.inspect.max.retries` | Integer value to check docker container readiness. Each inspection is set with 3 seconds delay. Default value of 10 will wait 30 seconds for docker container to become ready before marked as container failed. |
+| `docker.no-new-privileges.enabled` | Enable/disable the no-new-privileges flag for docker run. Set to "true" to enable, disabled by default. |
Please note that if you wish to run Docker containers that require access to the YARN local directories, you must add them to the docker.allowed.rw-mounts list.
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org