YARN-8963. Add flag to disable interactive shell. Contributed by Eric Yang
This commit is contained in:
parent
aab310978f
commit
42297f7d99
@ -73,6 +73,7 @@ static const int DEFAULT_MIN_USERID = 1000;
|
|||||||
|
|
||||||
static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin", 0};
|
static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin", 0};
|
||||||
|
|
||||||
|
static const int DEFAULT_TERMINAL_SUPPORT_ENABLED = 0;
|
||||||
static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
|
static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
|
||||||
static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
|
static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
|
||||||
static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
|
static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
|
||||||
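Review bot: The new constant `DEFAULT_TERMINAL_SUPPORT_ENABLED = 0` changes behaviour for existing deployments without saying so, because `--exec-container` was previously accepted whenever docker support was on and is now rejected until the key is set. A one-line comment above it would spare an operator a confusing FEATURE_DISABLED after upgrade: `/* off by default: --exec-container is rejected until feature.terminal.enabled=1 is set in container-executor.cfg */`. The disabled-by-default choice itself is the right one for a feature that hands out an interactive shell into a container.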
@ -490,6 +491,11 @@ int is_feature_enabled(const char* feature_key, int default_value,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int is_terminal_support_enabled() {
|
||||||
|
return is_feature_enabled(TERMINAL_SUPPORT_ENABLED_KEY,
|
||||||
|
DEFAULT_TERMINAL_SUPPORT_ENABLED, &executor_cfg);
|
||||||
|
}
|
||||||
|
|
||||||
int is_docker_support_enabled() {
|
int is_docker_support_enabled() {
|
||||||
return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
|
return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
|
||||||
DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
|
DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
|
||||||
|
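Review bot: `int is_terminal_support_enabled() {` declares the function with an empty parameter list, which in C11 is not a prototype and lets a caller pass arguments unchecked; prefer `int is_terminal_support_enabled(void) {` here and `int is_terminal_support_enabled(void);` in the header hunk at `@ -341,3 +342,8`. The neighbouring `is_docker_support_enabled()` has the same shape, so this mirrors existing style, but a new definition is the place to stop copying it. The header's doc comment would also help operators if it named the key and the default, e.g. `Check if the terminal feature (feature.terminal.enabled, default 0) is enabled`.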
@ -67,6 +67,7 @@ enum operations {
|
|||||||
#define MIN_USERID_KEY "min.user.id"
|
#define MIN_USERID_KEY "min.user.id"
|
||||||
#define BANNED_USERS_KEY "banned.users"
|
#define BANNED_USERS_KEY "banned.users"
|
||||||
#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
|
#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
|
||||||
|
#define TERMINAL_SUPPORT_ENABLED_KEY "feature.terminal.enabled"
|
||||||
#define DOCKER_SUPPORT_ENABLED_KEY "feature.docker.enabled"
|
#define DOCKER_SUPPORT_ENABLED_KEY "feature.docker.enabled"
|
||||||
#define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
|
#define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
|
||||||
#define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
|
#define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
|
||||||
@ -341,3 +342,8 @@ char* flatten(char **args);
|
|||||||
* Remove docker container
|
* Remove docker container
|
||||||
*/
|
*/
|
||||||
int remove_docker_container(char **argv, int argc);
|
int remove_docker_container(char **argv, int argc);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if terminal feature is enabled
|
||||||
|
*/
|
||||||
|
int is_terminal_support_enabled();
|
||||||
|
@ -54,20 +54,26 @@ static void display_usage(FILE *stream) {
|
|||||||
if(is_docker_support_enabled()) {
|
if(is_docker_support_enabled()) {
|
||||||
fprintf(stream,
|
fprintf(stream,
|
||||||
" container-executor --run-docker <command-file>\n"
|
" container-executor --run-docker <command-file>\n"
|
||||||
" container-executor --exec-container <command-file>\n"
|
|
||||||
" container-executor --remove-docker-container [hierarchy] "
|
" container-executor --remove-docker-container [hierarchy] "
|
||||||
"<container_id>\n"
|
"<container_id>\n"
|
||||||
" container-executor --inspect-docker-container <container_id>\n");
|
" container-executor --inspect-docker-container <container_id>\n");
|
||||||
} else {
|
} else {
|
||||||
fprintf(stream,
|
fprintf(stream,
|
||||||
"[DISABLED] container-executor --run-docker <command-file>\n"
|
"[DISABLED] container-executor --run-docker <command-file>\n"
|
||||||
"[DISABLED] container-executor --exec-container <command-file>\n"
|
|
||||||
"[DISABLED] container-executor --remove-docker-container [hierarchy] "
|
"[DISABLED] container-executor --remove-docker-container [hierarchy] "
|
||||||
"<container_id>\n"
|
"<container_id>\n"
|
||||||
"[DISABLED] container-executor --inspect-docker-container "
|
"[DISABLED] container-executor --inspect-docker-container "
|
||||||
"<format> ... <container_id>\n");
|
"<format> ... <container_id>\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (is_terminal_support_enabled()) {
|
||||||
|
fprintf(stream,
|
||||||
|
" container-executor --exec-container <command-file>\n");
|
||||||
|
} else {
|
||||||
|
fprintf(stream,
|
||||||
|
"[DISABLED] container-executor --exec-container <command-file>\n");
|
||||||
|
}
|
||||||
|
|
||||||
fprintf(stream,
|
fprintf(stream,
|
||||||
" container-executor <user> <yarn-user> <command> <command-args>\n"
|
" container-executor <user> <yarn-user> <command> <command-args>\n"
|
||||||
" where command and command-args: \n" \
|
" where command and command-args: \n" \
|
||||||
@ -351,7 +357,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (strcmp("--exec-container", argv[1]) == 0) {
|
if (strcmp("--exec-container", argv[1]) == 0) {
|
||||||
if(is_docker_support_enabled()) {
|
if(is_terminal_support_enabled()) {
|
||||||
if (argc != 3) {
|
if (argc != 3) {
|
||||||
display_usage(stdout);
|
display_usage(stdout);
|
||||||
return INVALID_ARGUMENT_NUMBER;
|
return INVALID_ARGUMENT_NUMBER;
|
||||||
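Review bot: The check at `if(is_terminal_support_enabled()) {` replaces the docker gate rather than adding to it, so with `feature.terminal.enabled=1` and docker disabled the `--exec-container` path now passes validation. If exec-container still relies on the docker runtime underneath (not visible in this hunk), the failure would only surface later inside the privileged binary instead of here; in that case `if (is_terminal_support_enabled() && is_docker_support_enabled()) {` keeps the earlier guarantee. validate_arguments starts and ends outside this hunk.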
@ -361,7 +367,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
|
|||||||
*operation = EXEC_CONTAINER;
|
*operation = EXEC_CONTAINER;
|
||||||
return 0;
|
return 0;
|
||||||
} else {
|
} else {
|
||||||
display_feature_disabled_message("docker");
|
display_feature_disabled_message("feature.terminal.enabled");
|
||||||
return FEATURE_DISABLED;
|
return FEATURE_DISABLED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
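Review bot: `display_feature_disabled_message("feature.terminal.enabled");` passes the config key where the sibling docker branch passes the short feature name `"docker"`, so the two disabled messages will read differently; if display_feature_disabled_message formats its argument as a feature name (its body is not in this hunk), the new text will come out as something like "feature.terminal.enabled feature is disabled". Either pass `"terminal"` for consistency, or change the docker call to its key as well so operators always see the exact line to set. validate_arguments starts and ends outside this hunk.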
@ -59,8 +59,11 @@ yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodema
|
|||||||
banned.users=#comma separated list of users who can not run applications
|
banned.users=#comma separated list of users who can not run applications
|
||||||
allowed.system.users=#comma separated list of allowed system users
|
allowed.system.users=#comma separated list of allowed system users
|
||||||
min.user.id=1000#Prevent other super-users
|
min.user.id=1000#Prevent other super-users
|
||||||
|
feature.terminal.enabled=1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Terminal feature (feature.terminal.enabled) allows restricted shell into secure container via YARN UI2.
|
||||||
|
|
||||||
###Windows Secure Container Executor (WSCE)
|
###Windows Secure Container Executor (WSCE)
|
||||||
|
|
||||||
The Windows environment secure container executor is the `WindowsSecureContainerExecutor`. It uses the Windows S4U infrastructure to launch the container as the YARN application user. The WSCE requires the presense of the `hadoopwinutilsvc` service. This services is hosted by `%HADOOP_HOME%\bin\winutils.exe` started with the `service` command line argument. This service offers some privileged operations that require LocalSystem authority so that the NM is not required to run the entire JVM and all the NM code in an elevated context. The NM interacts with the `hadoopwintulsvc` service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in `hadoop.dll`.
|
The Windows environment secure container executor is the `WindowsSecureContainerExecutor`. It uses the Windows S4U infrastructure to launch the container as the YARN application user. The WSCE requires the presense of the `hadoopwinutilsvc` service. This services is hosted by `%HADOOP_HOME%\bin\winutils.exe` started with the `service` command line argument. This service offers some privileged operations that require LocalSystem authority so that the NM is not required to run the entire JVM and all the NM code in an elevated context. The NM interacts with the `hadoopwintulsvc` service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in `hadoop.dll`.
|
||||||
|