Posted to common-commits@hadoop.apache.org by su...@apache.org on 2019/03/01 19:10:01 UTC

[hadoop] branch trunk updated: YARN-7904. Privileged, trusted containers should be supported only in ENTRYPOINT mode. Contributed by Eric Yang.

This is an automated email from the ASF dual-hosted git repository.

sumasai pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new cab8529  YARN-7904. Privileged, trusted containers should be supported only in ENTRYPOINT mode. Contributed by Eric Yang.
cab8529 is described below

commit cab8529ecb2d213b349773cbedcae4821012930b
Author: Suma Shivaprasad <su...@apache.org>
AuthorDate: Fri Mar 1 11:06:09 2019 -0800

    YARN-7904. Privileged, trusted containers should be supported only in ENTRYPOINT mode. Contributed by Eric Yang.
---
 .../container-executor/impl/utils/docker-util.c       | 19 +++++++++++++------
 .../container-executor/test/utils/test_docker_util.cc |  8 ++++----
 .../src/site/markdown/DockerContainers.md             |  2 +-
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 59a39fa..090d2fc 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -416,12 +416,6 @@ int get_docker_command(const char *command_file, const struct configuration *con
     return INVALID_COMMAND_FILE;
   }
 
-  char *value = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
-  if (value != NULL && strcasecmp(value, "true") == 0) {
-    entry_point = 1;
-  }
-  free(value);
-
   char *docker = get_docker_binary(conf);
   ret = add_to_args(args, docker);
   free(docker);
@@ -1527,6 +1521,12 @@ static int set_privileged(const struct configuration *command_config, const stru
     if (privileged_container_enabled != NULL) {
       if (strcmp(privileged_container_enabled, "1") == 0 ||
           strcasecmp(privileged_container_enabled, "True") == 0) {
+        // Disable set privileged if entry point mode is disabled
+        if (get_use_entry_point_flag() != 1) {
+          fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode\n");
+          ret = PRIVILEGED_CONTAINERS_DISABLED;
+          goto free_and_exit;
+        }
         // Disable set privileged if image is not trusted.
         if (check_trusted_image(command_config, conf) != 0) {
           fprintf(ERRORFILE, "Privileged containers are disabled from untrusted source\n");
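Review bot: The new gate at L49 is not driven by anything passed into set_privileged; get_use_entry_point_flag() presumably reads the file-scope `entry_point` that this same commit now sets only inside get_docker_run_command (L68-L71), so any other path that reaches set_privileged without that parse will refuse privileged containers with the non-entry-point message. That ordering contract should be stated at the check, e.g. `// Relies on get_docker_run_command having parsed use-entry-point into entry_point before this call`. The rejection text could also tell the operator which key to set: `fprintf(ERRORFILE, "Privileged containers are disabled for non-entry-point mode (use-entry-point=true required)\n");`. set_privileged begins and ends outside this hunk.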
@@ -1570,12 +1570,19 @@ int get_docker_run_command(const char *command_file, const struct configuration
   char **launch_command = NULL;
   char *privileged = NULL;
   char *no_new_privileges_enabled = NULL;
+  char *use_entry_point = NULL;
   struct configuration command_config = {0, NULL};
   ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
   if (ret != 0) {
     goto free_and_exit;
   }
 
+  use_entry_point = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
+  if (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0) {
+    entry_point = 1;
+  }
+  free(use_entry_point);
+
   container_name = get_configuration_value("name", DOCKER_COMMAND_FILE_SECTION, &command_config);
   if (container_name == NULL || validate_container_name(container_name) != 0) {
     ret = INVALID_DOCKER_CONTAINER_NAME;
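Review bot: The parse at L68-L72 only ever raises `entry_point` to 1 and never resets it, so if `entry_point` is a file-scope flag (as the use from set_privileged suggests) a value left by an earlier command file survives into the next one parsed by the same process; the test binary touched in this commit feeds several command files through one run, so a fixture with use-entry-point=true could mask a later one that omits it. Assigning the flag unconditionally, `entry_point = (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0);`, makes each file stand on its own. Note also that this accepts only "true", while the privileged check in set_privileged (L46-L47) accepts "1" or "True"; if both keys are booleans the two parsers should agree on accepted spellings. get_docker_run_command begins and ends outside this hunk.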
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
index a2f843d..3d052e4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
@@ -791,7 +791,7 @@ namespace ContainerExecutor {
     std::vector<std::pair<std::string, std::string> > file_cmd_vec;
     std::vector<std::pair<std::string, std::string> >::const_iterator itr;
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
-        "[docker-command-execution]\n  docker-command=run\n  privileged=true\n  image=hadoop/image", "--privileged "));
+        "[docker-command-execution]\n  docker-command=run\n  privileged=true\n  image=hadoop/image\n  use-entry-point=true", "--privileged "));
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
         "[docker-command-execution]\n  docker-command=run\n  privileged=false\n image=hadoop/image", ""));
     file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
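Review bot: Every privileged=true fixture in this file is updated to add use-entry-point=true (here and in the hunks at L90, L99 and L108), so the new rejection branch in set_privileged is never exercised; the old fixture at L85 was exactly the input that now fails, and it was edited rather than kept as a negative case. A fixture with `privileged=true` and no use-entry-point key, expected to fail with `PRIVILEGED_CONTAINERS_DISABLED`, would pin the behaviour the commit title promises. Whether this test has an error-expectation vector to hold such a case is not visible in the hunk.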
@@ -1459,7 +1459,7 @@ namespace ContainerExecutor {
         "[docker-command-execution]\n"
             "  docker-command=run\n  name=container_e1_12312_11111_02_000001\n  image=hadoop/docker-image\n  user=root\n  hostname=host-id\n"
             "  mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
-            "  network=bridge\n  devices=/dev/test:/dev/test\n  privileged=true\n"
+            "  network=bridge\n  devices=/dev/test:/dev/test\n  privileged=true\n  use-entry-point=true\n"
             "  cap-add=CHOWN,SETUID\n  cgroup-parent=ctr-cgroup\n  detach=true\n  rm=true\n"
             "  launch-command=bash,test_script.sh,arg1,arg2",
         "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
@@ -1471,7 +1471,7 @@ namespace ContainerExecutor {
         "[docker-command-execution]\n"
             "  docker-command=run\n  name=container_e1_12312_11111_02_000001\n  image=hadoop/docker-image\n  user=root\n  hostname=host-id\n"
             "  mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
-            "  network=bridge\n  devices=/dev/test:/dev/test\n  privileged=true\n"
+            "  network=bridge\n  devices=/dev/test:/dev/test\n  privileged=true\n  use-entry-point=true\n"
             "  cap-add=CHOWN,SETUID\n  cgroup-parent=ctr-cgroup\n  detach=true\n  rm=true\n  group-add=1000,1001\n"
             "  launch-command=bash,test_script.sh,arg1,arg2",
         "run --name=container_e1_12312_11111_02_000001 -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
@@ -1860,7 +1860,7 @@ namespace ContainerExecutor {
 
       std::vector<std::pair<std::string, std::string> > file_cmd_vec;
       file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
-          "[docker-command-execution]\n  docker-command=run\n privileged=true\n"
+          "[docker-command-execution]\n  docker-command=run\n privileged=true\n  use-entry-point=true\n"
           "name=container_e1_12312_11111_02_000001\n  image=hadoop/docker-image\n  user=root",
           "run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));
 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
index 150f91c..f7c4c42 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
@@ -640,7 +640,7 @@ Privileged Container Security Consideration
 
 Privileged docker container can interact with host system devices.  This can cause harm to host operating system without proper care.  In order to mitigate risk of allowing privileged container to run on Hadoop cluster, we implemented a controlled process to sandbox unauthorized privileged docker images.
 
-The default behavior is disallow any privileged docker containers.  When `docker.privileged-containers.enabled` is set to enabled, docker image can run with root privileges in the docker container, but access to host level devices are disabled.  This allows developer and tester to run docker images from internet without causing harm to host operating system.
+The default behavior disallows any privileged docker containers.  Privileged docker is only allowed with ENTRYPOINT enabled docker image, and `docker.privileged-containers.enabled` is set to enabled.  Docker image can run with root privileges in the docker container, but access to host level devices are disabled.  This allows developer and tester to run docker images from internet with some restrictions to prevent harm to host operating system.
 
 When docker images have been certified by developers and testers to be trustworthy.  The trusted image can be promoted to trusted docker registry.  System administrator can define `docker.trusted.registries`, and setup private docker registry server to promote trusted images.  System administrator may choose to allow official docker images from Docker Hub to be part of trusted registries.  "library" is the name to use for trusting official docker images.  Container-executor.cfg example:
 

