YARN-7446. Remove --user flag when running privileged mode docker container. Contributed by Eric Yang
This commit is contained in:
parent
eea0b069e7
commit
727c033997
@ -805,6 +805,14 @@ static int set_group_add(const struct configuration *command_config, char *out,
|
||||
char **group_add = get_configuration_values_delimiter("group-add", DOCKER_COMMAND_FILE_SECTION, command_config, ",");
|
||||
size_t tmp_buffer_size = 4096;
|
||||
char *tmp_buffer = NULL;
|
||||
char *privileged = NULL;
|
||||
|
||||
privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, command_config);
|
||||
if (privileged != NULL && strcasecmp(privileged, "true") == 0 ) {
|
||||
free(privileged);
|
||||
return ret;
|
||||
}
|
||||
free(privileged);
|
||||
|
||||
if (group_add != NULL) {
|
||||
for (i = 0; group_add[i] != NULL; ++i) {
|
||||
@ -1211,6 +1219,7 @@ int get_docker_run_command(const char *command_file, const struct configuration
|
||||
size_t tmp_buffer_size = 1024;
|
||||
char *tmp_buffer = NULL;
|
||||
char **launch_command = NULL;
|
||||
char *privileged = NULL;
|
||||
struct configuration command_config = {0, NULL};
|
||||
ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
|
||||
if (ret != 0) {
|
||||
@ -1250,12 +1259,17 @@ int get_docker_run_command(const char *command_file, const struct configuration
|
||||
}
|
||||
memset(tmp_buffer, 0, tmp_buffer_size);
|
||||
|
||||
privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, &command_config);
|
||||
|
||||
if (privileged == NULL || strcasecmp(privileged, "false") == 0) {
|
||||
quote_and_append_arg(&tmp_buffer, &tmp_buffer_size, "--user=", user);
|
||||
ret = add_to_buffer(out, outlen, tmp_buffer);
|
||||
if (ret != 0) {
|
||||
return BUFFER_TOO_SMALL;
|
||||
}
|
||||
memset(tmp_buffer, 0, tmp_buffer_size);
|
||||
}
|
||||
free(privileged);
|
||||
|
||||
ret = detach_container(&command_config, out, outlen);
|
||||
if (ret != 0) {
|
||||
|
@ -1063,6 +1063,7 @@ namespace ContainerExecutor {
|
||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
|
||||
|
||||
// Test non-privileged conatiner with launch command
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
|
||||
@ -1084,6 +1085,7 @@ namespace ContainerExecutor {
|
||||
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm"
|
||||
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
|
||||
|
||||
// Test non-privileged container and drop all privileges
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
|
||||
@ -1105,6 +1107,7 @@ namespace ContainerExecutor {
|
||||
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'"
|
||||
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
|
||||
|
||||
// Test privileged container
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n"
|
||||
@ -1112,7 +1115,7 @@ namespace ContainerExecutor {
|
||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
||||
"run --name='container_e1_12312_11111_02_000001' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
||||
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
||||
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' "
|
||||
"'bash' 'test_script.sh' 'arg1' 'arg2' "));
|
||||
@ -1125,9 +1128,9 @@ namespace ContainerExecutor {
|
||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
||||
"run --name='container_e1_12312_11111_02_000001' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
||||
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
||||
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --group-add '1000' --group-add '1001' "
|
||||
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' "
|
||||
"--device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
|
||||
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
|
Loading…
Reference in New Issue
Block a user