YARN-7446. Remove --user flag when running privileged mode docker container. Contributed by Eric Yang

This commit is contained in:
Billie Rinaldi 2018-02-27 14:33:03 -08:00
parent eea0b069e7
commit 727c033997
2 changed files with 25 additions and 8 deletions


@ -805,6 +805,14 @@ static int set_group_add(const struct configuration *command_config, char *out,
char **group_add = get_configuration_values_delimiter("group-add", DOCKER_COMMAND_FILE_SECTION, command_config, ",");
size_t tmp_buffer_size = 4096;
char *tmp_buffer = NULL;
char *privileged = NULL;
privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, command_config);
if (privileged != NULL && strcasecmp(privileged, "true") == 0 ) {
free(privileged);
return ret;
}
free(privileged);
if (group_add != NULL) {
for (i = 0; group_add[i] != NULL; ++i) {
@ -1211,6 +1219,7 @@ int get_docker_run_command(const char *command_file, const struct configuration
size_t tmp_buffer_size = 1024;
char *tmp_buffer = NULL;
char **launch_command = NULL;
char *privileged = NULL;
struct configuration command_config = {0, NULL};
ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
if (ret != 0) {
@ -1250,12 +1259,17 @@ int get_docker_run_command(const char *command_file, const struct configuration
}
memset(tmp_buffer, 0, tmp_buffer_size);
privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, &command_config);
if (privileged == NULL || strcasecmp(privileged, "false") == 0) {
quote_and_append_arg(&tmp_buffer, &tmp_buffer_size, "--user=", user);
ret = add_to_buffer(out, outlen, tmp_buffer);
if (ret != 0) {
return BUFFER_TOO_SMALL;
}
memset(tmp_buffer, 0, tmp_buffer_size);
}
free(privileged);
ret = detach_container(&command_config, out, outlen);
if (ret != 0) {
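Review bot: The `--user` guard added to get_docker_run_command, `privileged == NULL || strcasecmp(privileged, "false") == 0`, is the inverse of the check added to set_group_add, which treats only `true` as privileged, so any other value such as `privileged=1` or a typo drops `--user` from a container that the rest of the code does not treat as privileged; since omitting `--user` lets the container fall back to the image's default user, the guard should mirror set_group_add, `if (privileged == NULL || strcasecmp(privileged, "true") != 0) {`. The `return BUFFER_TOO_SMALL;` inside that branch also returns without releasing `privileged`, which the success path frees a few lines later; add `free(privileged);` before that return. The early `return ret;` added to set_group_add likewise skips whatever cleanup of `group_add` the remainder of that function performs, which is outside the hunk, so it presumably leaks that array as well. Both set_group_add and get_docker_run_command start and end outside the visible hunks.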


@ -1063,6 +1063,7 @@ namespace ContainerExecutor {
" launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
// Test non-privileged conatiner with launch command
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
@ -1084,6 +1085,7 @@ namespace ContainerExecutor {
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
// Test non-privileged container and drop all privileges
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
@ -1105,6 +1107,7 @@ namespace ContainerExecutor {
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
// Test privileged container
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
@ -1112,7 +1115,7 @@ namespace ContainerExecutor {
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
"run --name='container_e1_12312_11111_02_000001' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' "
"'bash' 'test_script.sh' 'arg1' 'arg2' "));
@ -1125,9 +1128,9 @@ namespace ContainerExecutor {
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
" launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
"run --name='container_e1_12312_11111_02_000001' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --group-add '1000' --group-add '1001' "
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' "
"--device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(