YARN-7960. Added security flag no-new-privileges for YARN Docker integration.
Contributed by Eric Badger
This commit is contained in:
parent
bcc8e76bad
commit
6176d2b35c
@ -15,6 +15,7 @@ feature.tc.enabled=false
|
|||||||
# docker.allowed.rw-mounts=## comma seperate volumes that can be mounted as read-write, add the yarn local and log dirs to this list to run Hadoop jobs
|
# docker.allowed.rw-mounts=## comma seperate volumes that can be mounted as read-write, add the yarn local and log dirs to this list to run Hadoop jobs
|
||||||
# docker.privileged-containers.enabled=false
|
# docker.privileged-containers.enabled=false
|
||||||
# docker.allowed.volume-drivers=## comma seperated list of allowed volume-drivers
|
# docker.allowed.volume-drivers=## comma seperated list of allowed volume-drivers
|
||||||
|
# docker.no-new-privileges.enabled=## enable/disable the no-new-privileges flag for docker run. Set to "true" to enable, disabled by default
|
||||||
|
|
||||||
# The configs below deal with settings for FPGA resource
|
# The configs below deal with settings for FPGA resource
|
||||||
#[fpga]
|
#[fpga]
|
||||||
|
@ -1374,6 +1374,18 @@ int get_docker_run_command(const char *command_file, const struct configuration
|
|||||||
reset_args(args);
|
reset_args(args);
|
||||||
return BUFFER_TOO_SMALL;
|
return BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
|
char *no_new_privileges_enabled =
|
||||||
|
get_configuration_value("docker.no-new-privileges.enabled",
|
||||||
|
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf);
|
||||||
|
if (no_new_privileges_enabled != NULL &&
|
||||||
|
strcasecmp(no_new_privileges_enabled, "True") == 0) {
|
||||||
|
ret = add_to_args(args, "--security-opt=no-new-privileges");
|
||||||
|
if (ret != 0) {
|
||||||
|
reset_args(args);
|
||||||
|
return BUFFER_TOO_SMALL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
free(no_new_privileges_enabled);
|
||||||
}
|
}
|
||||||
free(privileged);
|
free(privileged);
|
||||||
|
|
||||||
|
@ -1545,4 +1545,94 @@ namespace ContainerExecutor {
|
|||||||
|
|
||||||
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_volume_command);
|
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_volume_command);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TEST_F(TestDockerUtil, test_docker_no_new_privileges) {
|
||||||
|
|
||||||
|
std::string container_executor_contents[] = {"[docker]\n"
|
||||||
|
" docker.privileged-containers.registries=hadoop\n"
|
||||||
|
" docker.privileged-containers.enabled=false\n"
|
||||||
|
" docker.no-new-privileges.enabled=true",
|
||||||
|
"[docker]\n"
|
||||||
|
" docker.privileged-containers.registries=hadoop\n"
|
||||||
|
" docker.privileged-containers.enabled=true\n"
|
||||||
|
" docker.no-new-privileges.enabled=true",
|
||||||
|
"[docker]\n"
|
||||||
|
" docker.privileged-containers.registries=hadoop\n"
|
||||||
|
" docker.privileged-containers.enabled=true\n"
|
||||||
|
" docker.no-new-privileges.enabled=true",
|
||||||
|
"[docker]\n"
|
||||||
|
" docker.privileged-containers.registries=hadoop\n"
|
||||||
|
" docker.privileged-containers.enabled=false\n"
|
||||||
|
" docker.no-new-privileges.enabled=false",
|
||||||
|
"[docker]\n"
|
||||||
|
" docker.privileged-containers.registries=hadoop\n"
|
||||||
|
" docker.privileged-containers.enabled=true\n"
|
||||||
|
" docker.no-new-privileges.enabled=false"};
|
||||||
|
for (int i = 0; i < 2; ++i) {
|
||||||
|
write_file(container_executor_cfg_file, container_executor_contents[i]);
|
||||||
|
int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
|
||||||
|
if (ret != 0) {
|
||||||
|
FAIL();
|
||||||
|
}
|
||||||
|
ret = create_ce_file();
|
||||||
|
if (ret != 0) {
|
||||||
|
std::cerr << "Could not create ce file, skipping test" << std::endl;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n"
|
||||||
|
"image=hadoop/docker-image\n user=nobody",
|
||||||
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody --security-opt=no-new-privileges "
|
||||||
|
"--cap-drop=ALL hadoop/docker-image"));
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
|
||||||
|
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int i = 2; i < 3; ++i) {
|
||||||
|
write_file(container_executor_cfg_file, container_executor_contents[i]);
|
||||||
|
int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
|
||||||
|
if (ret != 0) {
|
||||||
|
FAIL();
|
||||||
|
}
|
||||||
|
ret = create_ce_file();
|
||||||
|
if (ret != 0) {
|
||||||
|
std::cerr << "Could not create ce file, skipping test" << std::endl;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n privileged=true\n"
|
||||||
|
"name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root",
|
||||||
|
"run --name=container_e1_12312_11111_02_000001 --privileged --cap-drop=ALL hadoop/docker-image"));
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
|
||||||
|
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int i = 3; i < 5; ++i) {
|
||||||
|
write_file(container_executor_cfg_file, container_executor_contents[i]);
|
||||||
|
int ret = read_config(container_executor_cfg_file.c_str(), &container_executor_cfg);
|
||||||
|
if (ret != 0) {
|
||||||
|
FAIL();
|
||||||
|
}
|
||||||
|
ret = create_ce_file();
|
||||||
|
if (ret != 0) {
|
||||||
|
std::cerr << "Could not create ce file, skipping test" << std::endl;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n"
|
||||||
|
"image=hadoop/docker-image\n user=nobody",
|
||||||
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody --cap-drop=ALL hadoop/docker-image"));
|
||||||
|
|
||||||
|
std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
|
||||||
|
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_run_command);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -208,6 +208,7 @@ are allowed. It contains the following properties:
|
|||||||
| `docker.privileged-containers.enabled` | Set to "true" or "false" to enable or disable launching privileged containers. Default value is "false". |
|
| `docker.privileged-containers.enabled` | Set to "true" or "false" to enable or disable launching privileged containers. Default value is "false". |
|
||||||
| `docker.privileged-containers.registries` | Comma separated list of trusted docker registries for running trusted privileged docker containers. By default, no registries are defined. |
|
| `docker.privileged-containers.registries` | Comma separated list of trusted docker registries for running trusted privileged docker containers. By default, no registries are defined. |
|
||||||
| `docker.inspect.max.retries` | Integer value to check docker container readiness. Each inspection is set with 3 seconds delay. Default value of 10 will wait 30 seconds for docker container to become ready before marked as container failed. |
|
| `docker.inspect.max.retries` | Integer value to check docker container readiness. Each inspection is set with 3 seconds delay. Default value of 10 will wait 30 seconds for docker container to become ready before marked as container failed. |
|
||||||
|
| `docker.no-new-privileges.enabled` | Enable/disable the no-new-privileges flag for docker run. Set to "true" to enable, disabled by default. |
|
||||||
|
|
||||||
Please note that if you wish to run Docker containers that require access to the YARN local directories, you must add them to the docker.allowed.rw-mounts list.
|
Please note that if you wish to run Docker containers that require access to the YARN local directories, you must add them to the docker.allowed.rw-mounts list.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user