Posted to common-commits@hadoop.apache.org by eb...@apache.org on 2019/08/13 17:49:17 UTC
[hadoop] branch branch-2.9 updated: YARN-9442. container working
directory has group read permissions. Contributed by Jim Brennan.
This is an automated email from the ASF dual-hosted git repository.
ebadger pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-2.9 by this push:
new fcaa2c4 YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.
fcaa2c4 is described below
commit fcaa2c4607119d74a890071be78b8b8c2b2f1604
Author: Eric Badger <eb...@verizonmedia.com>
AuthorDate: Tue Aug 13 17:41:10 2019 +0000
YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.
(cherry picked from commit 2ac029b949f041da2ee04da441c5f9f85e1f2c64)
Conflicts:
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
(cherry picked from commit cec71691be76577718b22f936aea9e2b2cd100ea)
Conflicts:
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
(cherry picked from commit db88224e8f9d164ac811fcca9efe4a350cebecd1)
---
.../container-executor/impl/container-executor.c | 73 +++++++++++++++-------
.../test/test-container-executor.c | 12 ++++
2 files changed, 62 insertions(+), 23 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index a4803be..e6dcac7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -695,8 +695,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon
*/
static int create_container_directories(const char* user, const char *app_id,
const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) {
- // create dirs as 0750
- const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP;
+ // create dirs as 0710
+ const mode_t perms = S_IRWXU | S_IXGRP;
if (user == NULL || app_id == NULL || container_id == NULL ||
local_dir == NULL || log_dir == NULL || work_dir == NULL ||
user_detail == NULL || user_detail->pw_name == NULL) {
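Review bot: The comment `// create dirs as 0710` no longer says which directories it governs, now that the same function creates log directories with a separate 0750 mode further down (the `logdir_perms` hunk at @@ -739). Annotate the constant so the two modes are distinguishable at a glance, e.g. `// container dirs under local_dir are created 0710 (owner rwx, group traverse only); log dirs use logdir_perms (0750) below`. Renaming `perms` to `container_perms` would make the split explicit in the mkdirs calls as well. create_container_directories continues past this hunk.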
@@ -739,6 +739,9 @@ static int create_container_directories(const char* user, const char *app_id,
sprintf(combined_name, "%s/%s", app_id, container_id);
char* const* log_dir_ptr;
+ // Log dirs need 750 access
+ const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP;
+
for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
@@ -752,8 +755,8 @@ static int create_container_directories(const char* user, const char *app_id,
if (container_log_dir == NULL) {
free(combined_name);
return OUT_OF_MEMORY;
- } else if (mkdirs(container_log_dir, perms) != 0) {
- free(container_log_dir);
+ } else if (mkdirs(container_log_dir, logdir_perms) != 0) {
+ free(container_log_dir);
} else {
result = 0;
free(container_log_dir);
@@ -1115,6 +1118,37 @@ int create_log_dirs(const char *app_id, char * const * log_dirs) {
/**
+ * Function to create the application directories.
+ * Returns pointer to primary_app_dir or NULL if it fails.
+ */
+static char *create_app_dirs(const char *user,
+ const char *app_id,
+ char* const* local_dirs)
+{
+ // 750
+ mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
+ char* const* nm_root;
+ char *primary_app_dir = NULL;
+ for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
+ char *app_dir = get_app_directory(*nm_root, user, app_id);
+ if (app_dir == NULL) {
+ // try the next one
+ } else if (mkdirs(app_dir, permissions) != 0) {
+ free(app_dir);
+ } else if (primary_app_dir == NULL) {
+ primary_app_dir = app_dir;
+ } else {
+ free(app_dir);
+ }
+ }
+
+ if (primary_app_dir == NULL) {
+ fprintf(LOGFILE, "Did not create any app directories\n");
+ }
+ return primary_app_dir;
+}
+
+/**
* Function to prepare the application directories for the container.
*/
int initialize_app(const char *user, const char *app_id,
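Review bot: The new create_app_dirs header comment does not state that the returned primary_app_dir is heap-allocated and owned by the caller, which both callers depend on (initialize_app keeps it, create_local_dirs frees it immediately); add `Caller owns the returned string and must free() it.` to the docstring. A mkdirs failure on one local dir is skipped silently and the final log line carries no context, so the failure is hard to attribute in the NM log; `fprintf(LOGFILE, "Did not create any app directories for user %s, app %s\n", user, app_id);` would fix that. `permissions` could also be `const mode_t`, matching the other mode constants introduced in this commit.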
@@ -1149,25 +1183,9 @@ int initialize_app(const char *user, const char *app_id,
return -1;
}
- // 750
- mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
- char* const* nm_root;
- char *primary_app_dir = NULL;
- for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
- char *app_dir = get_app_directory(*nm_root, user, app_id);
- if (app_dir == NULL) {
- // try the next one
- } else if (mkdirs(app_dir, permissions) != 0) {
- free(app_dir);
- } else if (primary_app_dir == NULL) {
- primary_app_dir = app_dir;
- } else {
- free(app_dir);
- }
- }
-
+ // Create application directories
+ char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
if (primary_app_dir == NULL) {
- fprintf(LOGFILE, "Did not create any app directories\n");
return -1;
}
@@ -1325,8 +1343,17 @@ int create_local_dirs(const char * user, const char *app_id,
goto cleanup;
}
}
+
+ // Create application directories if not already created by localization
+ char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
+ if (primary_app_dir == NULL) {
+ exit_code = COULD_NOT_CREATE_WORK_DIRECTORIES;
+ goto cleanup;
+ }
+ free(primary_app_dir);
+
// Create container specific directories as user. If there are no resources
- // to localize for this container, app-directories and log-directories are
+ // to localize for this container, log-directories are
// also created automatically as part of this call.
int directory_create_result = create_container_directories(user, app_id,
container_id, local_dirs, log_dirs, work_dir);
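Review bot: The comment `Create application directories if not already created by localization` suggests the already-exists case is covered, but create_app_dirs only calls mkdirs with 0750; if the app directory already exists with a different mode, nothing in this path re-checks or corrects it (mkdirs is defined outside the diff, so whether it enforces the mode on an existing directory cannot be confirmed from the hunk). If the intent is to guarantee 0750 on the app dir in the non-localized path, a stat of the returned path after create_app_dirs would close that gap. Since the result is only used as a success flag, a short comment above `free(primary_app_dir);` such as `// only success/failure is needed here; the path is not used` would explain the immediate free. create_local_dirs continues outside the hunk.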
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
index a0e18e6..39c8ef4 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
@@ -921,6 +921,18 @@ void test_run_container() {
printf("FAIL: failed to create container directory %s\n", container_dir);
exit(1);
}
+ // Verify no group read permission on container_dir
+ struct stat st_buf;
+ if (stat(container_dir, &st_buf) < 0) {
+ printf("FAIL: failed to stat container directory %s\n", container_dir);
+ exit(1);
+ }
+ if ((st_buf.st_mode & S_IRGRP) != 0) {
+ printf("FAIL: group read permission should not be set on "
+ "container directory %s\n", container_dir);
+ exit(1);
+ }
+
char buffer[100000];
sprintf(buffer, "%s/foobar", container_dir);
if (access(buffer, R_OK) != 0) {
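Review bot: The new check only asserts that S_IRGRP is clear, so a regression to 0770 or 0711 would still pass; since the executor now creates the container directory as 0710, pin the full permission bits: `if ((st_buf.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) != (S_IRWXU | S_IXGRP)) {` with a matching FAIL message. If mkdirs relies on mkdir(2) under the process umask rather than setting the mode explicitly (not visible here), assert at least that S_IRGRP, S_IWGRP and S_IRWXO are all clear instead. test_run_container continues outside the hunk.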