From 5b88cb339898f82519223bcd07e1caedff02d051 Mon Sep 17 00:00:00 2001 From: Chris Douglas Date: Mon, 12 Feb 2018 21:00:47 -0800 Subject: [PATCH] HADOOP-15195. With SELinux enabled, directories mounted with start-build-env.sh may not be accessible. Contributed by Grigori Rybkine --- .../src/test/scripts/start-build-env.bats | 102 ++++++++++++++++++ start-build-env.sh | 32 +++++- 2 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats diff --git a/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats b/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats new file mode 100644 index 0000000000..0c32bcf434 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats @@ -0,0 +1,102 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +load hadoop-functions_test_helper + +# Mock docker command +docker () { + if [ "$1" = "-v" ]; then + shift + echo Docker version ${DCKR_MOCK_VER:?} + elif [ "$1" = run ]; then + shift + until [ $# -eq 0 ]; do + if [ "$1" = -v ]; then + shift + echo "$1"|awk -F':' '{if (NF == 3 && $3 == "z") + printf "Mounted %s with %s option.\n", $1, $3 + else if (NF == 2) + printf "Mounted %s without %s option.\n", $1, "z"}' + fi + shift + done + fi +} +export -f docker +export DCKR_MOCK_VER + +# Mock a SELinux enabled system +enable_selinux () { + mkdir -p "${TMP}/bin" + echo true >"${TMP}/bin"/selinuxenabled + chmod a+x "${TMP}/bin"/selinuxenabled + if [ "${PATH#${TMP}/bin}" = "${PATH}" ]; then + PATH="${TMP}/bin":"$PATH" + fi +} + +setup_user () { + if [ -z "$(printenv USER)" ]; then + if [ -z "$USER" ]; then + USER=${HOME##*/} + fi + export USER + fi +} + +# Mock stat command as used in start-build-env.sh +stat () { + if [ "$1" = --printf='%C' -a $# -eq 2 ]; then + printf 'mock_u:mock_r:mock_t:s0' + else + command stat "$@" + fi +} +export -f stat + +# Verify that host directories get mounted without z option +# and INFO messages get printed out +@test "start-build-env.sh (Docker without z mount option)" { + if [ "$(uname -s)" != "Linux" ]; then + skip "Not on Linux platform" + fi + enable_selinux + setup_user + DCKR_MOCK_VER=1.4 + run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh" + [ "$status" -eq 0 ] + [[ ${lines[0]} == "INFO: SELinux policy is enforced." ]] + [[ ${lines[1]} =~ \ + "Mounted ".*" may not be accessible to the container." ]] + [[ ${lines[2]} == \ + "INFO: If so, on the host, run the following command:" ]] + [[ ${lines[3]} =~ "# chcon -Rt svirt_sandbox_file_t " ]] + [[ ${lines[-2]} =~ "Mounted ".*" without z option." ]] + [[ ${lines[-1]} =~ "Mounted ".*" without z option." ]] +} + +# Verify that host directories get mounted with z option +@test "start-build-env.sh (Docker with z mount option)" { + if [ "$(uname -s)" != "Linux" ]; then + skip "Not on Linux platform" + fi + enable_selinux + setup_user + DCKR_MOCK_VER=1.7 + run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh" + [ "$status" -eq 0 ] + [[ ${lines[-2]} =~ "Mounted ".*" with z option." ]] + [[ ${lines[-1]} =~ "Mounted ".*" with z option." ]] +} diff --git a/start-build-env.sh b/start-build-env.sh index 5a18151dfa..60efea5645 100755 --- a/start-build-env.sh +++ b/start-build-env.sh @@ -21,10 +21,36 @@ cd "$(dirname "$0")" # connect to root docker build -t hadoop-build dev-support/docker -if [ "$(uname -s)" == "Linux" ]; then +if [ "$(uname -s)" = "Linux" ]; then USER_NAME=${SUDO_USER:=$USER} USER_ID=$(id -u "${USER_NAME}") GROUP_ID=$(id -g "${USER_NAME}") + # man docker-run + # When using SELinux, mounted directories may not be accessible + # to the container. To work around this, with Docker prior to 1.7 + # one needs to run the "chcon -Rt svirt_sandbox_file_t" command on + # the directories. With Docker 1.7 and later the z mount option + # does this automatically. + if command -v selinuxenabled >/dev/null && selinuxenabled; then + DCKR_VER=$(docker -v|awk '$1 == "Docker" && $2 == "version"\ + {split($3,ver,".");print ver[1]"."ver[2]}') + DCKR_MAJ=${DCKR_VER%.*} + DCKR_MIN=${DCKR_VER#*.} + if [ "${DCKR_MAJ}" -eq 1 ] && [ "${DCKR_MIN}" -ge 7 ] || + [ "${DCKR_MAJ}" -gt 1 ]; then + V_OPTS=:z + else + for d in "${PWD}" "${HOME}/.m2"; do + ctx=$(stat --printf='%C' "$d"|cut -d':' -f3) + if [ "$ctx" != svirt_sandbox_file_t ] && [ "$ctx" != container_file_t ]; then + printf 'INFO: SELinux policy is enforced.\n' + printf '\tMounted %s may not be accessible to the container.\n' "$d" + printf 'INFO: If so, on the host, run the following command:\n' + printf '\t# chcon -Rt svirt_sandbox_file_t %s\n' "$d" + fi + done + fi + fi else # boot2docker uid and gid USER_NAME=$USER USER_ID=1000 @@ -45,8 +71,8 @@ UserSpecificDocker # system. And this also is a significant speedup in subsequent # builds because the dependencies are downloaded only once. docker run --rm=true -t -i \ - -v "${PWD}:/home/${USER_NAME}/hadoop" \ + -v "${PWD}:/home/${USER_NAME}/hadoop${V_OPTS:-}" \ -w "/home/${USER_NAME}/hadoop" \ - -v "${HOME}/.m2:/home/${USER_NAME}/.m2" \ + -v "${HOME}/.m2:/home/${USER_NAME}/.m2${V_OPTS:-}" \ -u "${USER_NAME}" \ "hadoop-build-${USER_ID}"