YARN-8927. Added support for top level Dockerhub images to trusted registry using library keyword.
Contributed by Zhankun Tang
parent
de934ba2dc
commit
7c1b561e33
@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct
|
|||||||
int found = 0;
|
int found = 0;
|
||||||
int i = 0;
|
int i = 0;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
int no_registry_prefix_in_image_name = 0;
|
||||||
char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
|
char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
|
||||||
char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
||||||
char *registry_ptr = NULL;
|
char *registry_ptr = NULL;
|
||||||
@ -120,8 +121,20 @@ int check_trusted_image(const struct configuration *command_config, const struct
|
|||||||
ret = INVALID_DOCKER_IMAGE_NAME;
|
ret = INVALID_DOCKER_IMAGE_NAME;
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
|
if (strchr(image_name, '/') == NULL) {
|
||||||
|
no_registry_prefix_in_image_name = 1;
|
||||||
|
}
|
||||||
if (privileged_registry != NULL) {
|
if (privileged_registry != NULL) {
|
||||||
for (i = 0; privileged_registry[i] != NULL; i++) {
|
for (i = 0; privileged_registry[i] != NULL; i++) {
|
||||||
|
// "library" means we trust public top
|
||||||
|
if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) {
|
||||||
|
if (no_registry_prefix_in_image_name) {
|
||||||
|
// if image doesn't exists, docker pull will automatically happen
|
||||||
|
found = 1;
|
||||||
|
fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
int len = strlen(privileged_registry[i]);
|
int len = strlen(privileged_registry[i]);
|
||||||
if (privileged_registry[i][len - 1] != '/') {
|
if (privileged_registry[i][len - 1] != '/') {
|
||||||
registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));
|
registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));
|
||||||
|
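Review bot: The `strncmp(privileged_registry[i], "library", strlen("library")) == 0` check in the second hunk is a prefix match, so any `docker.trusted.registries` entry that merely begins with `library` (constructed example: `library-mirror.example.com`) also marks every image name without a `/` as trusted. An exact comparison keeps the keyword unambiguous: `if (strcmp(privileged_registry[i], "library") == 0) {`. The comment above it is cut short; something like `// "library" means top-level Docker Hub images (names without a registry prefix) are trusted` would state the rule. An un-prefixed name is resolved by the Docker daemon, so this trust presumably relies on the daemon's default registry being Docker Hub, which is worth stating where the setting is documented. check_trusted_image starts and ends outside the hunk.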
@ -1921,4 +1921,45 @@ namespace ContainerExecutor {
|
|||||||
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
|
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
|
||||||
free_configuration(&container_executor_cfg);
|
free_configuration(&container_executor_cfg);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TEST_F(TestDockerUtil, test_trusted_top_level_image) {
|
||||||
|
struct configuration container_cfg, cmd_cfg;
|
||||||
|
std::string container_executor_contents = "[docker]\n"
|
||||||
|
" docker.trusted.registries=library\n";
|
||||||
|
write_file(container_executor_cfg_file, container_executor_contents);
|
||||||
|
int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
|
||||||
|
if (ret != 0) {
|
||||||
|
FAIL();
|
||||||
|
}
|
||||||
|
ret = create_ce_file();
|
||||||
|
if (ret != 0) {
|
||||||
|
std::cerr << "Could not create ce file, skipping test" << std::endl;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n"
|
||||||
|
" image=centos",
|
||||||
|
"centos"));
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n"
|
||||||
|
" image=ubuntu:latest",
|
||||||
|
"centos"));
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n"
|
||||||
|
" image=library/centos",
|
||||||
|
"centos"));
|
||||||
|
std::vector<std::pair<std::string, std::string> >::const_iterator itr;
|
||||||
|
|
||||||
|
for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
|
||||||
|
write_command_file(itr->first);
|
||||||
|
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
||||||
|
if (ret != 0) {
|
||||||
|
FAIL();
|
||||||
|
}
|
||||||
|
ret = check_trusted_image(&cmd_cfg, &container_cfg);
|
||||||
|
ASSERT_EQ(0, ret);
|
||||||
|
}
|
||||||
|
free_configuration(&container_cfg);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
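Review bot: test_trusted_top_level_image asserts only accepted images, so it would still pass if the `library` keyword began trusting more than intended. A trust check needs at least one rejection case, for example a registry-qualified image outside `library/` that must return non-zero. `cmd_cfg` is also re-read on every loop iteration without `free_configuration(&cmd_cfg)`, and the early `return` after `create_ce_file()` skips freeing `container_cfg`. The second element of each pair (`"centos"`) is never read in this test. A sketch of the rejection loop follows; the image name in it is a constructed sample.

```cpp
  // … unchanged: positive cases and the loop asserting ret == 0 …

  // Constructed negative case: with only "library" trusted, an image that
  // names another registry must be rejected.
  std::vector<std::string> untrusted_cmd_vec;
  untrusted_cmd_vec.push_back(
      "[docker-command-execution]\n"
      "  image=untrusted.example.com/centos");
  for (size_t j = 0; j < untrusted_cmd_vec.size(); ++j) {
    write_command_file(untrusted_cmd_vec[j]);
    ret = read_config(docker_command_file.c_str(), &cmd_cfg);
    ASSERT_EQ(0, ret);
    ret = check_trusted_image(&cmd_cfg, &container_cfg);
    ASSERT_NE(0, ret);
    free_configuration(&cmd_cfg);
  }
  free_configuration(&container_cfg);
```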