From 42297f7d99df2769846a58efcf1b02fadb5ba60b Mon Sep 17 00:00:00 2001
From: Billie Rinaldi
Date: Fri, 14 Dec 2018 18:44:36 -0800
Subject: [PATCH] YARN-8963. Add flag to disable interactive shell. Contributed by Eric Yang
---
 .../container-executor/impl/container-executor.c | 6 ++++++
 .../container-executor/impl/container-executor.h | 6 ++++++
 .../src/main/native/container-executor/impl/main.c | 14 ++++++++++----
 .../src/site/markdown/SecureContainer.md | 3 +++
 4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index dcbfb0fda9..65bb8035f3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -73,6 +73,7 @@ static const int DEFAULT_MIN_USERID = 1000;
 static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin", 0};
+static const int DEFAULT_TERMINAL_SUPPORT_ENABLED = 0;
 static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
 static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
 static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
@@ -490,6 +491,11 @@ int is_feature_enabled(const char* feature_key, int default_value,
 }
 }
+int is_terminal_support_enabled() {
+ return is_feature_enabled(TERMINAL_SUPPORT_ENABLED_KEY,
+ DEFAULT_TERMINAL_SUPPORT_ENABLED, &executor_cfg);
+}
+
 int is_docker_support_enabled() {
 return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
 DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
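Review bot: `int is_terminal_support_enabled() {` is defined with an empty parameter list, which in C means "unspecified arguments" rather than "no arguments", so a call that mistakenly passes an argument is not diagnosed and the compiler has no prototype to check against. Write `int is_terminal_support_enabled(void) {` here and `int is_terminal_support_enabled(void);` in the container-executor.h hunk of this patch, which declares the same function the same way. The neighbouring is_docker_support_enabled() in the context uses the same form, so this follows local convention and is a style point rather than a defect introduced by the patch. The body of is_feature_enabled begins above this hunk.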
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
index bf994522dd..b215af72a8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
@@ -67,6 +67,7 @@ enum operations {
 #define MIN_USERID_KEY "min.user.id"
 #define BANNED_USERS_KEY "banned.users"
 #define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
+#define TERMINAL_SUPPORT_ENABLED_KEY "feature.terminal.enabled"
 #define DOCKER_SUPPORT_ENABLED_KEY "feature.docker.enabled"
 #define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
 #define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
@@ -341,3 +342,8 @@ char* flatten(char **args);
 * Remove docker container
 */
 int remove_docker_container(char **argv, int argc);
+
+/**
+ * Check if terminal feature is enabled
+ */
+int is_terminal_support_enabled();
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
index 512489076d..8cdb8a3412 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
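Review bot: The new Doxygen block `Check if terminal feature is enabled` above `int is_terminal_support_enabled();` does not say which setting is consulted, what the default is, or what the return value means, and this header is the place a caller will look. The container-executor.c hunk of this patch shows it reading TERMINAL_SUPPORT_ENABLED_KEY with DEFAULT_TERMINAL_SUPPORT_ENABLED (0) as the fallback, and main.c treats a non-zero result as enabled, so the comment can state that: `Check whether the interactive terminal (exec-container) feature is enabled: reads feature.terminal.enabled from the executor configuration, defaulting to disabled. @return non-zero if enabled, 0 otherwise.` Stating the disabled-by-default behaviour in the header also documents the security posture operators are relying on.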
@@ -54,20 +54,26 @@ static void display_usage(FILE *stream) {
 if(is_docker_support_enabled()) {
 fprintf(stream,
 " container-executor --run-docker \n"
- " container-executor --exec-container \n"
 " container-executor --remove-docker-container [hierarchy] "
 "\n"
 " container-executor --inspect-docker-container \n");
 } else {
 fprintf(stream,
 "[DISABLED] container-executor --run-docker \n"
- "[DISABLED] container-executor --exec-container \n"
 "[DISABLED] container-executor --remove-docker-container [hierarchy] "
 "\n"
 "[DISABLED] container-executor --inspect-docker-container "
 " ... \n");
 }
+ if (is_terminal_support_enabled()) {
+ fprintf(stream,
+ " container-executor --exec-container \n");
+ } else {
+ fprintf(stream,
+ "[DISABLED] container-executor --exec-container \n");
+ }
+
 fprintf(stream,
 " container-executor \n"
 " where command and command-args: \n" \
@@ -351,7 +357,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
 }
 if (strcmp("--exec-container", argv[1]) == 0) {
- if(is_docker_support_enabled()) {
+ if(is_terminal_support_enabled()) {
 if (argc != 3) {
 display_usage(stdout);
 return INVALID_ARGUMENT_NUMBER;
@@ -361,7 +367,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
 *operation = EXEC_CONTAINER;
 return 0;
 } else {
- display_feature_disabled_message("docker");
+ display_feature_disabled_message("feature.terminal.enabled");
 return FEATURE_DISABLED;
 }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
index a66c042137..397e76bf90 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/SecureContainer.md
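Review bot: `if(is_terminal_support_enabled()) {` in the validate_arguments hunk replaces the docker gate instead of extending it, so with feature.docker.enabled=0 and feature.terminal.enabled=1 the executor now accepts --exec-container and sets EXEC_CONTAINER. The usage lines removed in the first hunk listed --exec-container among the docker commands, which suggests the EXEC_CONTAINER path itself still depends on docker; if it does, an operator who disabled docker no longer closes this entry point, and the check should be `if (is_docker_support_enabled() && is_terminal_support_enabled()) {`. If terminal support is meant to be independent of docker, a one-line comment at this check saying so would record that decision for the next reader. validate_arguments starts and ends outside this hunk, and the exec path is not visible in this patch, so the dependency on docker is inferred.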
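Review bot: `display_feature_disabled_message("feature.terminal.enabled");` passes the configuration key, whereas the line it replaces passes a feature name, `"docker"`, so the message printed for a disabled terminal will differ in form from the one printed for disabled docker. Either pass `"terminal"` to match the existing call, or, if naming the key is the more useful message for operators, change the sibling calls too so the output is consistent; display_feature_disabled_message itself is not in this patch, so which form it expects is inferred from the replaced argument. The return of FEATURE_DISABLED on that path is unchanged and correct.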
@@ -59,8 +59,11 @@ yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodema
 banned.users=#comma separated list of users who can not run applications
 allowed.system.users=#comma separated list of allowed system users
 min.user.id=1000#Prevent other super-users
+feature.terminal.enabled=1
 ```
+Terminal feature (feature.terminal.enabled) allows restricted shell into secure container via YARN UI2.
+
 ###Windows Secure Container Executor (WSCE)
 The Windows environment secure container executor is the `WindowsSecureContainerExecutor`. It uses the Windows S4U infrastructure to launch the container as the YARN application user. The WSCE requires the presense of the `hadoopwinutilsvc` service. This services is hosted by `%HADOOP_HOME%\bin\winutils.exe` started with the `service` command line argument. This service offers some privileged operations that require LocalSystem authority so that the NM is not required to run the entire JVM and all the NM code in an elevated context. The NM interacts with the `hadoopwintulsvc` service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in `hadoop.dll`.