YARN-9561. Add C changes for the new RuncContainerRuntime. Contributed by Eric Badger
This commit is contained in:
parent
ab2cc5ac92
commit
8dffd8dc89
23
LICENSE.txt
23
LICENSE.txt
@ -256,3 +256,26 @@ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/st
|
||||
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery
|
||||
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jt/jquery.jstree.js
|
||||
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL
|
||||
|
||||
=======
|
||||
For hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON.[ch]:
|
||||
|
||||
Copyright (c) 2009-2017 Dave Gamble and cJSON contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
|
@ -16,12 +16,15 @@
|
||||
|
||||
cmake_minimum_required(VERSION 3.1 FATAL_ERROR)
|
||||
|
||||
list(APPEND CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common)
|
||||
set(HADOOP_COMMON_PATH ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common)
|
||||
list(APPEND CMAKE_MODULE_PATH ${HADOOP_COMMON_PATH})
|
||||
include(HadoopCommon)
|
||||
|
||||
# Set gtest path
|
||||
set(GTEST_SRC_DIR ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common/src/main/native/gtest)
|
||||
|
||||
set(HADOOP_COMMON_SEC_PATH ${HADOOP_COMMON_PATH}/src/main/native/src/org/apache/hadoop/security)
|
||||
|
||||
# determine if container-executor.conf.dir is an absolute
|
||||
# path in case the OS we're compiling on doesn't have
|
||||
# a hook in get_executable. We'll use this define
|
||||
@ -115,6 +118,7 @@ include_directories(
|
||||
main/native/container-executor
|
||||
main/native/container-executor/impl
|
||||
main/native/oom-listener/impl
|
||||
${HADOOP_COMMON_SEC_PATH}
|
||||
)
|
||||
# add gtest as system library to suppress gcc warnings
|
||||
include_directories(SYSTEM ${GTEST_SRC_DIR}/include)
|
||||
@ -129,6 +133,7 @@ add_library(container
|
||||
main/native/container-executor/impl/configuration.c
|
||||
main/native/container-executor/impl/container-executor.c
|
||||
main/native/container-executor/impl/get_executable.c
|
||||
main/native/container-executor/impl/utils/file-utils.c
|
||||
main/native/container-executor/impl/utils/string-utils.c
|
||||
main/native/container-executor/impl/utils/path-utils.c
|
||||
main/native/container-executor/impl/modules/cgroups/cgroups-operations.c
|
||||
@ -138,6 +143,14 @@ add_library(container
|
||||
main/native/container-executor/impl/modules/devices/devices-module.c
|
||||
main/native/container-executor/impl/utils/docker-util.c
|
||||
main/native/container-executor/impl/utils/mount-utils.c
|
||||
main/native/container-executor/impl/utils/cJSON/cJSON.c
|
||||
main/native/container-executor/impl/runc/runc.c
|
||||
main/native/container-executor/impl/runc/runc_base_ctx.c
|
||||
main/native/container-executor/impl/runc/runc_launch_cmd.c
|
||||
main/native/container-executor/impl/runc/runc_reap.c
|
||||
main/native/container-executor/impl/runc/runc_write_config.c
|
||||
${HADOOP_COMMON_SEC_PATH}/hadoop_user_info.c
|
||||
${HADOOP_COMMON_SEC_PATH}/hadoop_group_info.c
|
||||
)
|
||||
|
||||
add_executable(container-executor
|
||||
@ -146,6 +159,7 @@ add_executable(container-executor
|
||||
|
||||
target_link_libraries(container-executor
|
||||
container
|
||||
crypto
|
||||
)
|
||||
|
||||
output_directory(container-executor target/usr/local/bin)
|
||||
@ -155,7 +169,9 @@ add_executable(test-container-executor
|
||||
main/native/container-executor/test/test-container-executor.c
|
||||
)
|
||||
target_link_libraries(test-container-executor
|
||||
container ${EXTRA_LIBS}
|
||||
container
|
||||
${EXTRA_LIBS}
|
||||
crypto
|
||||
)
|
||||
|
||||
output_directory(test-container-executor target/usr/local/bin)
|
||||
@ -173,8 +189,15 @@ add_executable(cetest
|
||||
main/native/container-executor/test/modules/fpga/test-fpga-module.cc
|
||||
main/native/container-executor/test/modules/devices/test-devices-module.cc
|
||||
main/native/container-executor/test/test_util.cc
|
||||
main/native/container-executor/test/utils/test_docker_util.cc)
|
||||
target_link_libraries(cetest gtest container)
|
||||
main/native/container-executor/test/utils/test_docker_util.cc
|
||||
main/native/container-executor/test/utils/test_runc_util.cc
|
||||
)
|
||||
target_link_libraries(cetest
|
||||
gtest
|
||||
container
|
||||
crypto
|
||||
)
|
||||
|
||||
output_directory(cetest test)
|
||||
|
||||
# CGroup OOM listener
|
||||
|
@ -21,6 +21,7 @@
|
||||
#include "utils/docker-util.h"
|
||||
#include "utils/path-utils.h"
|
||||
#include "utils/string-utils.h"
|
||||
#include "runc/runc.h"
|
||||
#include "util.h"
|
||||
#include "config.h"
|
||||
|
||||
@ -78,6 +79,7 @@ static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
|
||||
static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
|
||||
static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
|
||||
static const int DEFAULT_YARN_SYSFS_SUPPORT_ENABLED = 0;
|
||||
static const int DEFAULT_RUNC_SUPPORT_ENABLED = 0;
|
||||
|
||||
static const char* PROC_PATH = "/proc";
|
||||
|
||||
@ -191,7 +193,7 @@ int check_executor_permissions(char *executable_file) {
|
||||
/**
|
||||
* Change the effective user id to limit damage.
|
||||
*/
|
||||
static int change_effective_user(uid_t user, gid_t group) {
|
||||
int change_effective_user(uid_t user, gid_t group) {
|
||||
if (geteuid() == user) {
|
||||
return 0;
|
||||
}
|
||||
@ -211,6 +213,10 @@ static int change_effective_user(uid_t user, gid_t group) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int change_effective_user_to_nm() {
|
||||
return change_effective_user(nm_uid, nm_gid);
|
||||
}
|
||||
|
||||
#ifdef __linux
|
||||
/**
|
||||
* Write the pid of the current process to the cgroup file.
|
||||
@ -408,7 +414,7 @@ static int wait_and_get_exit_code(pid_t pid) {
|
||||
* the exit code file.
|
||||
* Returns the exit code of the container process.
|
||||
*/
|
||||
static int wait_and_write_exit_code(pid_t pid, const char* exit_code_file) {
|
||||
int wait_and_write_exit_code(pid_t pid, const char* exit_code_file) {
|
||||
int exit_code = -1;
|
||||
|
||||
exit_code = wait_and_get_exit_code(pid);
|
||||
@ -510,6 +516,12 @@ int is_yarn_sysfs_support_enabled() {
|
||||
DEFAULT_YARN_SYSFS_SUPPORT_ENABLED, &executor_cfg);
|
||||
}
|
||||
|
||||
int is_runc_support_enabled() {
|
||||
return is_feature_enabled(RUNC_SUPPORT_ENABLED_KEY,
|
||||
DEFAULT_RUNC_SUPPORT_ENABLED, &executor_cfg)
|
||||
|| runc_module_enabled(&CFG);
|
||||
}
|
||||
|
||||
/**
|
||||
* Utility function to concatenate argB to argA using the concat_pattern.
|
||||
*/
|
||||
@ -642,6 +654,20 @@ char *get_tmp_directory(const char *work_dir) {
|
||||
return concatenate("%s/%s", "tmp dir", 2, work_dir, TMP_DIR);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the private /tmp directory under the working directory
|
||||
*/
|
||||
char *get_privatetmp_directory(const char *work_dir) {
|
||||
return concatenate("%s/%s", "private /tmp dir", 2, work_dir, ROOT_TMP_DIR);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the private /tmp directory under the working directory
|
||||
*/
|
||||
char *get_private_var_tmp_directory(const char *work_dir) {
|
||||
return concatenate("%s/%s", "private /var/tmp dir", 2, work_dir, ROOT_VAR_TMP_DIR);
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure that the given path and all of the parent directories are created
|
||||
* with the desired permissions.
|
||||
@ -810,17 +836,51 @@ static int create_container_directories(const char* user, const char *app_id,
|
||||
return result;
|
||||
}
|
||||
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
// also make the tmp directory
|
||||
char *tmp_dir = get_tmp_directory(work_dir);
|
||||
char *private_tmp_dir = get_privatetmp_directory(work_dir);
|
||||
char *private_var_tmp_dir = get_private_var_tmp_directory(work_dir);
|
||||
|
||||
if (tmp_dir == NULL) {
|
||||
if (tmp_dir == NULL || private_tmp_dir == NULL || private_var_tmp_dir == NULL) {
|
||||
return OUT_OF_MEMORY;
|
||||
}
|
||||
if (mkdirs(tmp_dir, perms) == 0) {
|
||||
result = 0;
|
||||
|
||||
if (mkdirs(tmp_dir, perms) != 0) {
|
||||
fprintf(ERRORFILE, "Could not create tmp_dir: %s\n", tmp_dir);
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (mkdirs(private_tmp_dir, perms) != 0) {
|
||||
fprintf(ERRORFILE, "Could not create private_tmp_dir: %s\n", private_tmp_dir);
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
// clear group sticky bit on private_tmp_dir
|
||||
if (chmod(private_tmp_dir, perms) != 0) {
|
||||
fprintf(ERRORFILE, "Could not chmod private_tmp_dir: %s\n", private_tmp_dir);
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (mkdirs(private_var_tmp_dir, perms) != 0) {
|
||||
fprintf(ERRORFILE, "Could not create private_var_tmp_dir: %s\n", private_var_tmp_dir);
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
// clear group sticky bit on private_tmp_dir
|
||||
if (chmod(private_var_tmp_dir, perms) != 0) {
|
||||
fprintf(ERRORFILE, "Could not chmod private_var_tmp_dir: %s\n", private_var_tmp_dir);
|
||||
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
cleanup:
|
||||
free(tmp_dir);
|
||||
free(private_tmp_dir);
|
||||
free(private_var_tmp_dir);
|
||||
|
||||
return result;
|
||||
}
|
||||
@ -1051,6 +1111,36 @@ static int open_file_as_nm(const char* filename) {
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the pidfile as the node manager. File should not exist.
|
||||
* Returns 0 on file doesn't exist and -1 on file does exist.
|
||||
*/
|
||||
int check_pidfile_as_nm(const char* pidfile) {
|
||||
int result = 0;
|
||||
uid_t user = geteuid();
|
||||
gid_t group = getegid();
|
||||
if (change_effective_user(nm_uid, nm_gid) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
struct stat statbuf;
|
||||
if (stat(pidfile, &statbuf) == 0) {
|
||||
fprintf(ERRORFILE, "pid file already exists: %s\n", pidfile);
|
||||
result = -1;
|
||||
}
|
||||
|
||||
if (errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error accessing %s : %s\n", pidfile,
|
||||
strerror(errno));
|
||||
result = -1;
|
||||
}
|
||||
|
||||
if (change_effective_user(user, group)) {
|
||||
result = -1;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Copy a file from a fd to a given filename.
|
||||
* The new file must not exist and it is created with permissions perm.
|
||||
@ -1863,6 +1953,61 @@ int create_yarn_sysfs(const char* user, const char *app_id,
|
||||
return result;
|
||||
}
|
||||
|
||||
int setup_container_paths(const char* user, const char* app_id,
|
||||
const char *container_id, const char *work_dir, const char *script_name,
|
||||
const char *cred_file, int https, const char *keystore_file, const char *truststore_file,
|
||||
char* const* local_dirs, char* const* log_dirs) {
|
||||
char *script_file_dest = NULL;
|
||||
char *cred_file_dest = NULL;
|
||||
char *keystore_file_dest = NULL;
|
||||
char *truststore_file_dest = NULL;
|
||||
int container_file_source = -1;
|
||||
int cred_file_source = -1;
|
||||
int keystore_file_source = -1;
|
||||
int truststore_file_source = -1;
|
||||
|
||||
int result = initialize_user(user, local_dirs);
|
||||
if (result != 0) {
|
||||
return result;
|
||||
}
|
||||
|
||||
int rc = create_script_paths(
|
||||
work_dir, script_name, cred_file, https, keystore_file, truststore_file, &script_file_dest, &cred_file_dest,
|
||||
&keystore_file_dest, &truststore_file_dest, &container_file_source, &cred_file_source, &keystore_file_source, &truststore_file_source);
|
||||
|
||||
if (rc != 0) {
|
||||
fputs("Could not create script path\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rc = create_log_dirs(app_id, log_dirs);
|
||||
if (rc != 0) {
|
||||
fputs("Could not create log files and directories\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rc = create_local_dirs(user, app_id, container_id,
|
||||
work_dir, script_name, cred_file, https, keystore_file, truststore_file, local_dirs, log_dirs,
|
||||
1, script_file_dest, cred_file_dest, keystore_file_dest, truststore_file_dest,
|
||||
container_file_source, cred_file_source, keystore_file_source, truststore_file_source);
|
||||
|
||||
if (rc != 0) {
|
||||
fputs("Could not create local files and directories\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rc = create_yarn_sysfs(user, app_id, container_id, work_dir, local_dirs);
|
||||
if (rc != 0) {
|
||||
fputs("Could not create user yarn sysfs directory\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
cleanup:
|
||||
free(script_file_dest);
|
||||
free(cred_file_dest);
|
||||
return rc;
|
||||
}
|
||||
|
||||
int launch_docker_container_as_user(const char * user, const char *app_id,
|
||||
const char *container_id, const char *work_dir,
|
||||
const char *script_name, const char *cred_file,
|
||||
|
@ -52,7 +52,9 @@ enum operations {
|
||||
REMOVE_DOCKER_CONTAINER = 13,
|
||||
INSPECT_DOCKER_CONTAINER = 14,
|
||||
RUN_AS_USER_SYNC_YARN_SYSFS = 15,
|
||||
EXEC_CONTAINER = 16
|
||||
EXEC_CONTAINER = 16,
|
||||
RUN_RUNC_CONTAINER = 17,
|
||||
REAP_RUNC_LAYER_MOUNTS = 18
|
||||
};
|
||||
|
||||
#define NM_GROUP_KEY "yarn.nodemanager.linux-container-executor.group"
|
||||
@ -72,10 +74,14 @@ enum operations {
|
||||
#define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
|
||||
#define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
|
||||
#define YARN_SYSFS_SUPPORT_ENABLED_KEY "feature.yarn.sysfs.enabled"
|
||||
#define RUNC_SUPPORT_ENABLED_KEY "feature.runc.enabled"
|
||||
#define TMP_DIR "tmp"
|
||||
#define ROOT_TMP_DIR "private_slash_tmp"
|
||||
#define ROOT_VAR_TMP_DIR "private_var_slash_tmp"
|
||||
#define COMMAND_FILE_SECTION "command-execution"
|
||||
|
||||
extern struct passwd *user_detail;
|
||||
extern struct section executor_cfg;
|
||||
|
||||
//function used to load the configurations present in the secure config
|
||||
void read_executor_config(const char* file_name);
|
||||
@ -175,6 +181,9 @@ int delete_as_user(const char *user,
|
||||
// assumed to be an absolute path.
|
||||
int list_as_user(const char *target_dir);
|
||||
|
||||
// Check the pidfile as the node manager. File should not exist.
|
||||
int check_pidfile_as_nm(const char* filename);
|
||||
|
||||
// set the uid and gid of the node manager. This is used when doing some
|
||||
// priviledged operations for setting the effective uid and gid.
|
||||
void set_nm_uid(uid_t user, gid_t group);
|
||||
@ -244,6 +253,10 @@ int create_directory_for_user(const char* path);
|
||||
|
||||
int change_user(uid_t user, gid_t group);
|
||||
|
||||
int change_effective_user(uid_t user, gid_t group);
|
||||
|
||||
int change_effective_user_to_nm();
|
||||
|
||||
int mount_cgroup(const char *pair, const char *hierarchy);
|
||||
|
||||
int check_dir(const char* npath, mode_t st_mode, mode_t desired,
|
||||
@ -255,6 +268,14 @@ int create_validate_dir(const char* npath, mode_t perm, const char* path,
|
||||
/** Check if a feature is enabled in the specified configuration. */
|
||||
int is_feature_enabled(const char* feature_key, int default_value,
|
||||
struct section *cfg);
|
||||
char* get_exit_code_file(const char* pid_file);
|
||||
|
||||
int wait_and_write_exit_code(pid_t pid, const char* exit_code_file);
|
||||
|
||||
int setup_container_paths(const char* user, const char* app_id,
|
||||
const char *container_id, const char* work_dir, const char* script_path,
|
||||
const char *cred_path, int https, const char *keystore_file, const char *truststore_file,
|
||||
char * const* local_dirs, char* const* log_dirs);
|
||||
|
||||
/** Check if tc (traffic control) support is enabled in configuration. */
|
||||
int is_tc_support_enabled();
|
||||
@ -341,3 +362,9 @@ int remove_docker_container(char **argv, int argc);
|
||||
* Check if terminal feature is enabled
|
||||
*/
|
||||
int is_terminal_support_enabled();
|
||||
|
||||
|
||||
/**
|
||||
* Check if runC feature is enabled
|
||||
*/
|
||||
int is_runc_support_enabled();
|
||||
|
@ -26,6 +26,8 @@
|
||||
#include "modules/cgroups/cgroups-operations.h"
|
||||
#include "modules/devices/devices-module.h"
|
||||
#include "utils/string-utils.h"
|
||||
#include "runc/runc.h"
|
||||
#include "runc/runc_reap.h"
|
||||
|
||||
#include <errno.h>
|
||||
#include <grp.h>
|
||||
@ -35,45 +37,33 @@
|
||||
#include <signal.h>
|
||||
|
||||
static void display_usage(FILE *stream) {
|
||||
const char* disabled = "[DISABLED]";
|
||||
const char* enabled = " ";
|
||||
|
||||
fputs("Usage: container-executor --checksetup\n"
|
||||
" container-executor --mount-cgroups <hierarchy> "
|
||||
"<controller=path>...\n", stream);
|
||||
|
||||
const char* de = is_tc_support_enabled() ? enabled : disabled;
|
||||
fprintf(stream,
|
||||
"Usage: container-executor --checksetup\n"
|
||||
" container-executor --mount-cgroups <hierarchy> "
|
||||
"<controller=path>\n" );
|
||||
"%s container-executor --tc-modify-state <command-file>\n"
|
||||
"%s container-executor --tc-read-state <command-file>\n"
|
||||
"%s container-executor --tc-read-stats <command-file>\n",
|
||||
de, de, de);
|
||||
|
||||
if(is_tc_support_enabled()) {
|
||||
fprintf(stream,
|
||||
" container-executor --tc-modify-state <command-file>\n"
|
||||
" container-executor --tc-read-state <command-file>\n"
|
||||
" container-executor --tc-read-stats <command-file>\n" );
|
||||
} else {
|
||||
fprintf(stream,
|
||||
"[DISABLED] container-executor --tc-modify-state <command-file>\n"
|
||||
"[DISABLED] container-executor --tc-read-state <command-file>\n"
|
||||
"[DISABLED] container-executor --tc-read-stats <command-file>\n");
|
||||
}
|
||||
de = is_terminal_support_enabled() ? enabled : disabled;
|
||||
fprintf(stream, "%s container-executor --exec-container <command-file>\n", de);
|
||||
|
||||
if(is_docker_support_enabled()) {
|
||||
fprintf(stream,
|
||||
" container-executor --run-docker <command-file>\n"
|
||||
" container-executor --remove-docker-container [hierarchy] "
|
||||
"<container_id>\n"
|
||||
" container-executor --inspect-docker-container <container_id>\n");
|
||||
} else {
|
||||
fprintf(stream,
|
||||
"[DISABLED] container-executor --run-docker <command-file>\n"
|
||||
"[DISABLED] container-executor --remove-docker-container [hierarchy] "
|
||||
"<container_id>\n"
|
||||
"[DISABLED] container-executor --inspect-docker-container "
|
||||
"<format> ... <container_id>\n");
|
||||
}
|
||||
de = is_docker_support_enabled() ? enabled : disabled;
|
||||
fprintf(stream, "%s container-executor --run-docker <command-file>\n", de);
|
||||
fprintf(stream, "%s container-executor --remove-docker-container [hierarchy] <container_id>\n", de);
|
||||
fprintf(stream, "%s container-executor --inspect-docker-container <container_id>\n", de);
|
||||
|
||||
if (is_terminal_support_enabled()) {
|
||||
fprintf(stream,
|
||||
" container-executor --exec-container <command-file>\n");
|
||||
} else {
|
||||
fprintf(stream,
|
||||
"[DISABLED] container-executor --exec-container <command-file>\n");
|
||||
}
|
||||
de = is_runc_support_enabled() ? enabled : disabled;
|
||||
fprintf(stream,
|
||||
"%s container-executor --run-runc-container <command-file>\n", de);
|
||||
fprintf(stream,
|
||||
"%s container-executor --reap-runc-layer-mounts <retain-count>\n", de);
|
||||
|
||||
fprintf(stream,
|
||||
" container-executor <user> <yarn-user> <command> <command-args>\n"
|
||||
@ -85,27 +75,21 @@ static void display_usage(FILE *stream) {
|
||||
INITIALIZE_CONTAINER, LAUNCH_CONTAINER);
|
||||
|
||||
if(is_tc_support_enabled()) {
|
||||
fprintf(stream, "optional-tc-command-file\n");
|
||||
fputs("optional-tc-command-file\n", stream);
|
||||
} else {
|
||||
fprintf(stream, "\n");
|
||||
fputs("\n", stream);
|
||||
}
|
||||
|
||||
if(is_docker_support_enabled()) {
|
||||
fprintf(stream,
|
||||
" launch docker container: %2d appid containerid workdir "
|
||||
de = is_docker_support_enabled() ? enabled : disabled;
|
||||
fprintf(stream,
|
||||
"%11s launch docker container: %2d appid containerid workdir "
|
||||
"container-script tokens pidfile nm-local-dirs nm-log-dirs "
|
||||
"docker-command-file resources ", LAUNCH_DOCKER_CONTAINER);
|
||||
} else {
|
||||
fprintf(stream,
|
||||
"[DISABLED] launch docker container: %2d appid containerid workdir "
|
||||
"container-script tokens pidfile nm-local-dirs nm-log-dirs "
|
||||
"docker-command-file resources ", LAUNCH_DOCKER_CONTAINER);
|
||||
}
|
||||
"docker-command-file resources ", de, LAUNCH_DOCKER_CONTAINER);
|
||||
|
||||
if(is_tc_support_enabled()) {
|
||||
fprintf(stream, "optional-tc-command-file\n");
|
||||
fputs("optional-tc-command-file\n", stream);
|
||||
} else {
|
||||
fprintf(stream, "\n");
|
||||
fputs("\n", stream);
|
||||
}
|
||||
|
||||
fprintf(stream,
|
||||
@ -244,7 +228,7 @@ static void display_feature_disabled_message(const char* name) {
|
||||
fprintf(ERRORFILE, "Feature disabled: %s\n", name);
|
||||
}
|
||||
|
||||
/* Use to store parsed input parmeters for various operations */
|
||||
/* Use to store parsed input parameters for various operations */
|
||||
static struct {
|
||||
char *cgroups_hierarchy;
|
||||
char *traffic_control_command_file;
|
||||
@ -267,6 +251,7 @@ static struct {
|
||||
const char *target_dir;
|
||||
int container_pid;
|
||||
int signal;
|
||||
int runc_layer_count;
|
||||
const char *command_file;
|
||||
} cmd_input;
|
||||
|
||||
@ -435,6 +420,44 @@ static int validate_arguments(int argc, char **argv , int *operation) {
|
||||
}
|
||||
}
|
||||
|
||||
if (strcmp("--run-runc-container", argv[1]) == 0) {
|
||||
if (is_runc_support_enabled()) {
|
||||
if (argc != 3) {
|
||||
display_usage(stdout);
|
||||
return INVALID_ARGUMENT_NUMBER;
|
||||
}
|
||||
optind++;
|
||||
cmd_input.command_file = argv[optind++];
|
||||
*operation = RUN_RUNC_CONTAINER;
|
||||
return 0;
|
||||
} else {
|
||||
display_feature_disabled_message("runc");
|
||||
return FEATURE_DISABLED;
|
||||
}
|
||||
}
|
||||
|
||||
if (strcmp("--reap-runc-layer-mounts", argv[1]) == 0) {
|
||||
if (is_runc_support_enabled()) {
|
||||
if (argc != 3) {
|
||||
display_usage(stdout);
|
||||
return INVALID_ARGUMENT_NUMBER;
|
||||
}
|
||||
optind++;
|
||||
const char* valstr = argv[optind++];
|
||||
if (sscanf(valstr, "%d", &cmd_input.runc_layer_count) != 1
|
||||
|| cmd_input.runc_layer_count < 0) {
|
||||
fprintf(ERRORFILE, "Bad runc layer count: %s\n", valstr);
|
||||
return INVALID_COMMAND_PROVIDED;
|
||||
}
|
||||
*operation = REAP_RUNC_LAYER_MOUNTS;
|
||||
return 0;
|
||||
} else {
|
||||
display_feature_disabled_message("runc");
|
||||
return FEATURE_DISABLED;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* Now we have to validate 'run as user' operations that don't use
|
||||
a 'long option' - we should fix this at some point. The validation/argument
|
||||
parsing here is extensive enough that it done in a separate function */
|
||||
@ -786,6 +809,16 @@ int main(int argc, char **argv) {
|
||||
exit_code = FEATURE_DISABLED;
|
||||
}
|
||||
break;
|
||||
case RUN_RUNC_CONTAINER:
|
||||
exit_code = run_runc_container(cmd_input.command_file);
|
||||
break;
|
||||
case REAP_RUNC_LAYER_MOUNTS:
|
||||
exit_code = reap_runc_layer_mounts(cmd_input.runc_layer_count);
|
||||
break;
|
||||
default:
|
||||
fprintf(ERRORFILE, "Unexpected operation code: %d\n", operation);
|
||||
exit_code = INVALID_COMMAND_PROVIDED;
|
||||
break;
|
||||
}
|
||||
|
||||
if (exit_code) {
|
||||
|
@ -0,0 +1,910 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#include <linux/loop.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/time.h>
|
||||
#include <dirent.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#include "../modules/common/module-configs.h"
|
||||
// TODO: Figure out how to address new openssl dependency for container-executor
|
||||
#include <openssl/evp.h>
|
||||
|
||||
// workaround for building on RHEL6 but running on RHEL7
|
||||
#ifndef LOOP_CTL_GET_FREE
|
||||
#define LOOP_CTL_GET_FREE 0x4C82
|
||||
#endif
|
||||
|
||||
#include "utils/string-utils.h"
|
||||
#include "util.h"
|
||||
#include "configuration.h"
|
||||
#include "container-executor.h"
|
||||
|
||||
#include "runc.h"
|
||||
#include "runc_base_ctx.h"
|
||||
#include "runc_config.h"
|
||||
#include "runc_launch_cmd.h"
|
||||
#include "runc_reap.h"
|
||||
#include "runc_write_config.h"
|
||||
|
||||
#define NUM_ROOTFS_UNMOUNT_ATTEMPTS 40
|
||||
#define MAX_ROOTFS_UNMOUNT_BACKOFF_MSEC 1000
|
||||
|
||||
// NOTE: Update init_runc_overlay_desc and destroy_runc_overlay_desc
|
||||
// when this is changed.
|
||||
typedef struct runc_overlay_desc_struct {
|
||||
char* top_path; // top-level directory
|
||||
char* mount_path; // overlay mount point under top_path
|
||||
char* upper_path; // root path of upper layer under top_path
|
||||
char* work_path; // overlay work path under top_path
|
||||
} runc_overlay_desc;
|
||||
|
||||
// NOTE: Update init_runc_mount_context and destroy_runc_mount_context
|
||||
// when this is changed.
|
||||
typedef struct runc_mount_context_struct {
|
||||
char* src_path; // path to raw layer data
|
||||
char* layer_path; // path under layer database for this layer
|
||||
char* mount_path; // mount point of filesystem under layer_path
|
||||
int fd; // opened file descriptor or -1
|
||||
} runc_mount_ctx;
|
||||
|
||||
// NOTE: Update init_runc_launch_cmd_ctx and destroy_runc_launch_cmd_ctx
|
||||
// when this is changed.
|
||||
typedef struct runc_launch_cmd_context_struct {
|
||||
runc_base_ctx base_ctx; // run root and layer lock
|
||||
runc_overlay_desc upper; // writable upper layer descriptor
|
||||
runc_mount_ctx* layers; // layer mount info
|
||||
unsigned int num_layers; // number of layer mount contexts
|
||||
} runc_launch_cmd_ctx;
|
||||
|
||||
int runc_module_enabled(const struct configuration *conf) {
|
||||
struct section *section = get_configuration_section(CONTAINER_EXECUTOR_CFG_RUNC_SECTION, conf);
|
||||
if (section != NULL) {
|
||||
return module_enabled(section, CONTAINER_EXECUTOR_CFG_RUNC_SECTION);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void init_runc_overlay_desc(runc_overlay_desc* desc) {
|
||||
memset(desc, 0, sizeof(*desc));
|
||||
}
|
||||
|
||||
static void destroy_runc_overlay_desc(runc_overlay_desc* desc) {
|
||||
if (desc != NULL) {
|
||||
free(desc->top_path);
|
||||
free(desc->mount_path);
|
||||
free(desc->upper_path);
|
||||
free(desc->work_path);
|
||||
}
|
||||
}
|
||||
|
||||
static void init_runc_mount_ctx(runc_mount_ctx* ctx) {
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
ctx->fd = -1;
|
||||
}
|
||||
|
||||
static void destroy_runc_mount_ctx(runc_mount_ctx* ctx) {
|
||||
if (ctx != NULL) {
|
||||
free(ctx->src_path);
|
||||
free(ctx->layer_path);
|
||||
free(ctx->mount_path);
|
||||
if (ctx->fd != -1) {
|
||||
close(ctx->fd);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void init_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
init_runc_base_ctx(&ctx->base_ctx);
|
||||
init_runc_overlay_desc(&ctx->upper);
|
||||
}
|
||||
|
||||
static void destroy_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
|
||||
if (ctx != NULL) {
|
||||
if (ctx->layers != NULL) {
|
||||
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
|
||||
destroy_runc_mount_ctx(&ctx->layers[i]);
|
||||
}
|
||||
free(ctx->layers);
|
||||
}
|
||||
destroy_runc_overlay_desc(&ctx->upper);
|
||||
destroy_runc_base_ctx(&ctx->base_ctx);
|
||||
}
|
||||
}
|
||||
|
||||
static runc_launch_cmd_ctx* alloc_runc_launch_cmd_ctx() {
|
||||
runc_launch_cmd_ctx* ctx = malloc(sizeof(*ctx));
|
||||
if (ctx != NULL) {
|
||||
init_runc_launch_cmd_ctx(ctx);
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
|
||||
static void free_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
|
||||
if (ctx != NULL) {
|
||||
destroy_runc_launch_cmd_ctx(ctx);
|
||||
free(ctx);
|
||||
}
|
||||
}
|
||||
|
||||
static runc_launch_cmd_ctx* setup_runc_launch_cmd_ctx() {
|
||||
runc_launch_cmd_ctx* ctx = alloc_runc_launch_cmd_ctx();
|
||||
if (ctx == NULL) {
|
||||
fputs("Cannot allocate memory\n", ERRORFILE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!open_runc_base_ctx(&ctx->base_ctx)) {
|
||||
free_runc_launch_cmd_ctx(ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Compute a digest of a layer based on the layer's pathname.
|
||||
* Returns the malloc'd digest hexstring or NULL if there was an error.
|
||||
*/
|
||||
static char* compute_layer_hash(const char* path) {
|
||||
char* digest = NULL;
|
||||
EVP_MD_CTX* mdctx = EVP_MD_CTX_create();
|
||||
if (mdctx == NULL) {
|
||||
fputs("Unable to create EVP MD context\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) {
|
||||
fputs("Unable to initialize SHA256 digester\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!EVP_DigestUpdate(mdctx, path, strlen(path))) {
|
||||
fputs("Unable to compute layer path digest\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
unsigned char raw_digest[EVP_MAX_MD_SIZE];
|
||||
unsigned int raw_digest_len = 0;
|
||||
if (!EVP_DigestFinal_ex(mdctx, raw_digest, &raw_digest_len)) {
|
||||
fputs("Unable to compute layer path digest\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
digest = to_hexstring(raw_digest, raw_digest_len);
|
||||
|
||||
cleanup:
|
||||
if (mdctx != NULL) {
|
||||
EVP_MD_CTX_destroy(mdctx);
|
||||
}
|
||||
return digest;
|
||||
}
|
||||
|
||||
/**
|
||||
* Open the specified path which is expected to be a mount point.
|
||||
*
|
||||
* Returns an valid file descriptor when the path exists and is a mount point
|
||||
* or -1 if the path does not exist or is not a mount point.
|
||||
*
|
||||
* NOTE: The corresponding read lock must be acquired.
|
||||
*/
|
||||
static int open_mountpoint(const char* path) {
|
||||
int fd = open(path, O_RDONLY | O_CLOEXEC);
|
||||
if (fd == -1) {
|
||||
if (errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error accessing mount point at %s : %s\n", path,
|
||||
strerror(errno));
|
||||
}
|
||||
return fd;
|
||||
}
|
||||
|
||||
struct stat mstat, pstat;
|
||||
if (fstat(fd, &mstat) == -1) {
|
||||
fprintf(ERRORFILE, "Error accessing mount point at %s : %s\n", path,
|
||||
strerror(errno));
|
||||
goto close_fail;
|
||||
}
|
||||
if (!S_ISDIR(mstat.st_mode)) {
|
||||
fprintf(ERRORFILE, "Mount point %s is not a directory\n", path);
|
||||
goto close_fail;
|
||||
}
|
||||
|
||||
if (fstatat(fd, "..", &pstat, 0) == -1) {
|
||||
fprintf(ERRORFILE, "Error accessing mount point parent of %s : %s\n", path,
|
||||
strerror(errno));
|
||||
goto close_fail;
|
||||
}
|
||||
|
||||
// If the parent directory's device matches the child directory's device
|
||||
// then we didn't cross a device boundary in the filesystem and therefore
|
||||
// this is likely not a mount point.
|
||||
// TODO: This assumption works for loopback mounts but would not work for
|
||||
// bind mounts or some other situations. Worst case would need to
|
||||
// walk the mount table and otherwise replicate the mountpoint(1) cmd.
|
||||
if (mstat.st_dev == pstat.st_dev) {
|
||||
goto close_fail;
|
||||
}
|
||||
|
||||
return fd;
|
||||
|
||||
close_fail:
|
||||
close(fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
static bool init_overlay_descriptor(runc_overlay_desc* desc,
|
||||
const char* run_root, const char* container_id) {
|
||||
if (asprintf(&desc->top_path, "%s/%s", run_root, container_id) == -1) {
|
||||
return false;
|
||||
}
|
||||
if (asprintf(&desc->mount_path, "%s/rootfs", desc->top_path) == -1) {
|
||||
return false;
|
||||
}
|
||||
if (asprintf(&desc->upper_path, "%s/upper", desc->top_path) == -1) {
|
||||
return false;
|
||||
}
|
||||
if (asprintf(&desc->work_path, "%s/work", desc->top_path) == -1) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool init_layer_mount_ctx(runc_mount_ctx* ctx, const rlc_layer_spec* spec,
|
||||
const char* run_root) {
|
||||
char* hash = compute_layer_hash(spec->path);
|
||||
if (hash == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ctx->layer_path = get_runc_layer_path(run_root, hash);
|
||||
free(hash);
|
||||
if (ctx->layer_path == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ctx->mount_path = get_runc_layer_mount_path(ctx->layer_path);
|
||||
if (ctx->mount_path == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ctx->fd = open(spec->path, O_RDONLY | O_CLOEXEC);
|
||||
if (ctx->fd == -1) {
|
||||
fprintf(ERRORFILE, "Error opening layer image at %s : %s\n", spec->path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
ctx->src_path = strdup(spec->path);
|
||||
return ctx->src_path != NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize the layers mount contexts and open each layer image as the user
|
||||
* to validate the user should be allowed to access the image composed of
|
||||
* these layers.
|
||||
*/
|
||||
static bool init_layer_mount_ctxs(runc_launch_cmd_ctx* ctx,
|
||||
const rlc_layer_spec* layer_specs, unsigned int num_layers) {
|
||||
ctx->layers = malloc(num_layers * sizeof(*ctx->layers));
|
||||
if (ctx->layers == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
for (unsigned int i = 0; i < num_layers; ++i) {
|
||||
init_runc_mount_ctx(&ctx->layers[i]);
|
||||
}
|
||||
ctx->num_layers = num_layers;
|
||||
|
||||
for (unsigned int i = 0; i < num_layers; ++i) {
|
||||
if (!init_layer_mount_ctx(&ctx->layers[i], &layer_specs[i],
|
||||
ctx->base_ctx.run_root)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allocate a loop device and assruncate it with a file descriptor.
|
||||
* Returns the file descriptor of the opened loop device or -1 on error.
|
||||
*/
|
||||
static int allocate_and_open_loop_device(char** loopdev_name_out, int src_fd) {
|
||||
*loopdev_name_out = NULL;
|
||||
int loopctl = open("/dev/loop-control", O_RDWR);
|
||||
if (loopctl == -1) {
|
||||
fprintf(ERRORFILE, "Error opening /dev/loop-control : %s\n",
|
||||
strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
char* loopdev_name = NULL;
|
||||
int loop_fd = -1;
|
||||
while (true) {
|
||||
int loop_num = ioctl(loopctl, LOOP_CTL_GET_FREE);
|
||||
if (loop_num < 0) {
|
||||
fprintf(ERRORFILE, "Error allocating a new loop device: %s\n",
|
||||
strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (asprintf(&loopdev_name, "/dev/loop%d", loop_num) == -1) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto fail;
|
||||
}
|
||||
loop_fd = open(loopdev_name, O_RDWR | O_CLOEXEC);
|
||||
if (loop_fd == -1) {
|
||||
fprintf(ERRORFILE, "Unable to open loop device at %s : %s\n",
|
||||
loopdev_name, strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (ioctl(loop_fd, LOOP_SET_FD, src_fd) != -1) {
|
||||
break;
|
||||
}
|
||||
|
||||
// EBUSY indicates another process stole this loop device
|
||||
if (errno != EBUSY) {
|
||||
fprintf(ERRORFILE, "Error setting loop source file: %s\n",
|
||||
strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
close(loop_fd);
|
||||
loop_fd = -1;
|
||||
free(loopdev_name);
|
||||
loopdev_name = NULL;
|
||||
}
|
||||
|
||||
struct loop_info64 loop_info;
|
||||
memset(&loop_info, 0, sizeof(loop_info));
|
||||
loop_info.lo_flags = LO_FLAGS_READ_ONLY | LO_FLAGS_AUTOCLEAR;
|
||||
if (ioctl(loop_fd, LOOP_SET_STATUS64, &loop_info) == -1) {
|
||||
fprintf(ERRORFILE, "Error setting loop flags: %s\n", strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
close(loopctl);
|
||||
*loopdev_name_out = loopdev_name;
|
||||
return loop_fd;
|
||||
|
||||
fail:
|
||||
if (loop_fd != -1) {
|
||||
close(loop_fd);
|
||||
}
|
||||
close(loopctl);
|
||||
free(loopdev_name);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Mount a filesystem with the specified arguments, see the mount(2) manpage.
|
||||
* If the mount fails an error message is printed to ERRORFILE.
|
||||
* Returns true for success or false on failure.
|
||||
*/
|
||||
static bool do_mount(const char* src, const char* target,
|
||||
const char* fs_type, unsigned long mount_flags, const char* mount_options) {
|
||||
if (mount(src, target, fs_type, mount_flags, mount_options) == -1) {
|
||||
const char* nullstr = "NULL";
|
||||
src = (src != NULL) ? src : nullstr;
|
||||
fs_type = (fs_type != NULL) ? fs_type : nullstr;
|
||||
mount_options = (mount_options != NULL) ? mount_options : nullstr;
|
||||
fprintf(ERRORFILE, "Error mounting %s at %s type %s with options %s : %s\n",
|
||||
src, target, fs_type, mount_options, strerror(errno));
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Mount a filesystem and return a file descriptor opened to the mount point.
|
||||
* The mount point directory will be created if necessary.
|
||||
* Returns a file descriptor to the mount point or -1 if there was an error.
|
||||
*/
|
||||
static int mount_and_open(const char* src, const char* target,
|
||||
const char* fs_type, unsigned long mount_flags, const char* mount_options) {
|
||||
if (mkdir(target, S_IRWXU) == -1 && errno != EEXIST) {
|
||||
fprintf(ERRORFILE, "Error creating mountpoint directory at %s : %s\n",
|
||||
target, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!do_mount(src, target, fs_type, mount_flags, mount_options)) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return open_mountpoint(target);
|
||||
}
|
||||
|
||||
static int mount_layer_and_open(const runc_mount_ctx* layer) {
|
||||
if (mkdir(layer->layer_path, S_IRWXU) == -1) {
|
||||
if (errno != EEXIST) {
|
||||
fprintf(ERRORFILE, "Error creating layer directory at %s : %s\n",
|
||||
layer->layer_path, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
char *loopdev_name = NULL;
|
||||
int loopfd = allocate_and_open_loop_device(&loopdev_name, layer->fd);
|
||||
if (loopfd == -1) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
int mount_fd = mount_and_open(loopdev_name, layer->mount_path, "squashfs",
|
||||
MS_RDONLY, NULL);
|
||||
|
||||
// If the mount worked then the mount holds the loop device open. If the mount
|
||||
// failed then the loop device is no longer needed, so close it either way.
|
||||
close(loopfd);
|
||||
|
||||
free(loopdev_name);
|
||||
return mount_fd;
|
||||
}
|
||||
|
||||
static bool do_mount_layers_with_lock(runc_launch_cmd_ctx* ctx) {
|
||||
bool have_write_lock = false;
|
||||
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
|
||||
int layer_mount_fd = open_mountpoint(ctx->layers[i].mount_path);
|
||||
if (layer_mount_fd != -1) {
|
||||
// Touch layer directory to show this existing layer was recently used.
|
||||
if (utimes(ctx->layers[i].layer_path, NULL) == -1) {
|
||||
// Error is not critical to container launch so just print a warning.
|
||||
fprintf(ERRORFILE, "Error updating timestamps of %s : %s\n",
|
||||
ctx->layers[i].layer_path, strerror(errno));
|
||||
}
|
||||
} else {
|
||||
if (!have_write_lock) {
|
||||
if (!acquire_runc_layers_write_lock(&ctx->base_ctx)) {
|
||||
return false;
|
||||
}
|
||||
have_write_lock = true;
|
||||
// Try to open the mount point again in case another process created it
|
||||
// while we were waiting for the write lock.
|
||||
layer_mount_fd = open_mountpoint(ctx->layers[i].mount_path);
|
||||
}
|
||||
if (layer_mount_fd == -1) {
|
||||
layer_mount_fd = mount_layer_and_open(&ctx->layers[i]);
|
||||
|
||||
if (layer_mount_fd == -1) {
|
||||
fprintf(ERRORFILE, "Unable to mount layer data from %s\n",
|
||||
ctx->layers[i].src_path);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Now that the layer is mounted we can start tracking the open mount point
|
||||
// for the layer rather than the descriptor to the layer image.
|
||||
// The mount point references the underlying image, so we no longer need
|
||||
// a direct reference to the layer image.
|
||||
close(ctx->layers[i].fd);
|
||||
ctx->layers[i].fd = layer_mount_fd;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool mount_layers(runc_launch_cmd_ctx* ctx) {
|
||||
if (!acquire_runc_layers_read_lock(&ctx->base_ctx)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
bool result = do_mount_layers_with_lock(ctx);
|
||||
|
||||
if (!release_runc_layers_lock(&ctx->base_ctx)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
static char* build_overlay_options(runc_mount_ctx* layers,
|
||||
unsigned int num_layers, const runc_overlay_desc* upper) {
|
||||
char* result = NULL;
|
||||
const int sb_incr = 16*1024;
|
||||
strbuf sb;
|
||||
if (!strbuf_init(&sb, sb_incr)) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!strbuf_append_fmt(&sb, sb_incr, "upperdir=%s,workdir=%s,lowerdir=",
|
||||
upper->upper_path, upper->work_path)) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
// Overlay expects the base layer to be the last layer listed, but the
|
||||
// OCI image manifest specifies the base layer first.
|
||||
bool need_separator = false;
|
||||
for (int i = num_layers - 1; i >= 0; --i) {
|
||||
char* fmt = need_separator ? ":%s" : "%s";
|
||||
if (!strbuf_append_fmt(&sb, sb_incr, fmt, layers[i].mount_path)) {
|
||||
goto cleanup;
|
||||
}
|
||||
need_separator = true;
|
||||
}
|
||||
|
||||
result = strbuf_detach_buffer(&sb);
|
||||
|
||||
cleanup:
|
||||
strbuf_destroy(&sb);
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool create_overlay_dirs(runc_overlay_desc* od) {
|
||||
if (mkdir(od->top_path, S_IRWXU) != 0) {
|
||||
fprintf(ERRORFILE, "Error creating %s : %s\n", od->top_path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
if (mkdir(od->mount_path, S_IRWXU) != 0) {
|
||||
fprintf(ERRORFILE, "Error creating %s : %s\n", od->mount_path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
mode_t upper_mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH;
|
||||
if (mkdir(od->upper_path, upper_mode) != 0) {
|
||||
fprintf(ERRORFILE, "Error creating %s : %s\n", od->upper_path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
if (mkdir(od->work_path, S_IRWXU) != 0) {
|
||||
fprintf(ERRORFILE, "Error creating %s : %s\n", od->work_path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool mount_container_rootfs(runc_launch_cmd_ctx* ctx) {
|
||||
if (!create_overlay_dirs(&ctx->upper)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!mount_layers(ctx)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
char* overlay_opts = build_overlay_options(ctx->layers, ctx->num_layers,
|
||||
&ctx->upper);
|
||||
if (overlay_opts == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
bool mount_ok = do_mount("overlay", ctx->upper.mount_path, "overlay", 0,
|
||||
overlay_opts);
|
||||
free(overlay_opts);
|
||||
if (!mount_ok) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// It would be tempting to close the layer file descriptors here since the
|
||||
// overlay should also be holding references to all the layers. However
|
||||
// overlay somehow does NOT hold a hard reference to underlying filesystems,
|
||||
// so the layer file descriptors need to be kept open in order to prevent
|
||||
// other containers from unmounting shared layers when they cleanup.
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool unmount_and_remove(const char* path) {
|
||||
if (umount(path) == -1 && errno != EINVAL && errno != ENOENT) {
|
||||
if (errno == EBUSY) {
|
||||
// Layer is in use by another container.
|
||||
return false;
|
||||
}
|
||||
fprintf(ERRORFILE, "Error unmounting %s : %s\n", path, strerror(errno));
|
||||
return false;
|
||||
}
|
||||
if (rmdir(path) == -1 && errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error removing mount directory %s : %s\n", path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool unmount_and_remove_with_retry(const char* path, int max_attempts,
|
||||
long max_backoff_msec) {
|
||||
long backoff_msec = 1;
|
||||
for (int i = 0; i < max_attempts - 1; ++i) {
|
||||
if (unmount_and_remove(path)) {
|
||||
return true;
|
||||
}
|
||||
struct timespec ts;
|
||||
memset(&ts, 0, sizeof(ts));
|
||||
ts.tv_sec = backoff_msec / 1000;
|
||||
ts.tv_nsec = (backoff_msec % 1000) * 1000 * 1000;
|
||||
nanosleep(&ts, NULL);
|
||||
backoff_msec *= 2;
|
||||
if (backoff_msec > max_backoff_msec) {
|
||||
backoff_msec = max_backoff_msec;
|
||||
}
|
||||
}
|
||||
|
||||
return unmount_and_remove(path);
|
||||
}
|
||||
|
||||
static bool rmdir_recursive_fd(int fd) {
|
||||
int dirfd = dup(fd);
|
||||
if (dirfd == -1) {
|
||||
fputs("Unable to duplicate file descriptor\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
DIR* dir = fdopendir(dirfd);
|
||||
if (dir == NULL) {
|
||||
fprintf(ERRORFILE, "Error deleting directory: %s\n", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
bool result = false;
|
||||
struct dirent* de;
|
||||
while ((de = readdir(dir)) != NULL) {
|
||||
if (strcmp(".", de->d_name) == 0 || strcmp("..", de->d_name) == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
struct stat statbuf;
|
||||
if (fstatat(dirfd, de->d_name, &statbuf, AT_SYMLINK_NOFOLLOW) == -1) {
|
||||
if (errno == ENOENT) {
|
||||
continue;
|
||||
}
|
||||
fprintf(ERRORFILE, "Error accessing %s : %s\n", de->d_name,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
int rmflags = 0;
|
||||
if (S_ISDIR(statbuf.st_mode)) {
|
||||
rmflags = AT_REMOVEDIR;
|
||||
int de_fd = openat(dirfd, de->d_name, O_RDONLY | O_NOFOLLOW);
|
||||
if (de_fd == -1) {
|
||||
if (errno == ENOENT) {
|
||||
continue;
|
||||
}
|
||||
fprintf(ERRORFILE, "Error opening %s for delete: %s\n", de->d_name,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
bool ok = rmdir_recursive_fd(de_fd);
|
||||
close(de_fd);
|
||||
if (!ok) {
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
if (unlinkat(dirfd, de->d_name, rmflags) == -1 && errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error removing %s : %s\n", de->d_name,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
result = true;
|
||||
|
||||
cleanup:
|
||||
closedir(dir);
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool rmdir_recursive(const char* path) {
|
||||
int fd = open(path, O_RDONLY | O_NOFOLLOW);
|
||||
if (fd == -1) {
|
||||
if (errno == ENOENT) {
|
||||
return true;
|
||||
}
|
||||
fprintf(ERRORFILE, "Error opening %s for delete: %s\n", path,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
bool result = rmdir_recursive_fd(fd);
|
||||
close(fd);
|
||||
if (rmdir(path) == -1) {
|
||||
fprintf(ERRORFILE, "Error deleting %s : %s\n", path, strerror(errno));
|
||||
result = false;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
static void close_layer_fds(runc_launch_cmd_ctx* ctx) {
|
||||
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
|
||||
if (ctx->layers[i].fd != -1) {
|
||||
close(ctx->layers[i].fd);
|
||||
ctx->layers[i].fd = -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Unmounts the container rootfs directory and MAY unmount layers on the host
|
||||
* based on the specified number of total layer mounts on the host specified.
|
||||
*/
|
||||
static void cleanup_container_mounts(runc_launch_cmd_ctx* ctx,
|
||||
int num_reap_layers_keep) {
|
||||
unmount_and_remove_with_retry(ctx->upper.mount_path,
|
||||
NUM_ROOTFS_UNMOUNT_ATTEMPTS, MAX_ROOTFS_UNMOUNT_BACKOFF_MSEC);
|
||||
rmdir_recursive(ctx->upper.top_path);
|
||||
reap_runc_layer_mounts_with_ctx(&ctx->base_ctx, num_reap_layers_keep);
|
||||
}
|
||||
|
||||
/**
|
||||
* Unmounts the container rootfs directory and MAY unmount layers on the host
|
||||
* based on the specified number of total layer mounts on the host specified.
|
||||
*
|
||||
* IMPORTANT NOTE: This method may perform the unmount in a background process
|
||||
* and can return before that has completed!
|
||||
*/
|
||||
static void background_cleanup_container_mounts(runc_launch_cmd_ctx* ctx,
|
||||
int num_reap_layers_keep) {
|
||||
pid_t child_pid = fork();
|
||||
if (child_pid == -1) {
|
||||
fprintf(ERRORFILE, "Error forking child process: %s\n", strerror(errno));
|
||||
// try to clean it up in the foreground process
|
||||
child_pid = 0;
|
||||
}
|
||||
if (child_pid == 0) {
|
||||
cleanup_container_mounts(ctx, num_reap_layers_keep);
|
||||
}
|
||||
}
|
||||
|
||||
static void exec_runc(const char* container_id, const char* runc_config_path,
|
||||
const char* pid_file_path) {
|
||||
char* runc_path = get_configuration_value(RUNC_BINARY_KEY, CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg());
|
||||
if (runc_path == NULL) {
|
||||
runc_path = strdup(DEFAULT_RUNC_BINARY);
|
||||
if (runc_path == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
char* dir_end = strrchr(runc_config_path, '/');
|
||||
if (dir_end == NULL) {
|
||||
fprintf(ERRORFILE, "Error getting bundle path from config path %s\n",
|
||||
runc_config_path);
|
||||
exit(1);
|
||||
}
|
||||
char* bundle_path = strndup(runc_config_path, dir_end - runc_config_path);
|
||||
|
||||
const char* const runc_args[] = {
|
||||
runc_path, "run",
|
||||
"--pid-file", pid_file_path,
|
||||
"-b", bundle_path,
|
||||
container_id,
|
||||
NULL
|
||||
};
|
||||
const char* const runc_env[] = { NULL };
|
||||
|
||||
if (execve(runc_path, (char* const*)runc_args, (char* const*)runc_env) == -1) {
|
||||
char* errstr = strerror(errno);
|
||||
fputs("Failed to exec:", ERRORFILE);
|
||||
for (const char* const* argp = runc_args; *argp != NULL; ++argp) {
|
||||
fprintf(ERRORFILE, " %s", *argp);
|
||||
}
|
||||
fprintf(ERRORFILE, " : %s\n", errstr);
|
||||
}
|
||||
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int run_runc_container(const char* command_file) {
|
||||
int rc = 0;
|
||||
char* exit_code_file = NULL;
|
||||
char* runc_config_path = NULL;
|
||||
runc_launch_cmd* rlc = NULL;
|
||||
runc_launch_cmd_ctx* ctx = setup_runc_launch_cmd_ctx();
|
||||
if (ctx == NULL) {
|
||||
rc = ERROR_RUNC_SETUP_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rlc = parse_runc_launch_cmd(command_file);
|
||||
if (rlc == NULL) {
|
||||
rc = ERROR_RUNC_SETUP_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rc = set_user(rlc->run_as_user);
|
||||
if (rc != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
exit_code_file = get_exit_code_file(rlc->pid_file);
|
||||
if (exit_code_file == NULL) {
|
||||
rc = OUT_OF_MEMORY;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
const char* work_dir = rlc->config.process.cwd->valuestring;
|
||||
rc = setup_container_paths(rlc->username, rlc->app_id, rlc->container_id,
|
||||
work_dir, rlc->script_path, rlc->cred_path, rlc->https, rlc->keystore_path,
|
||||
rlc->truststore_path, rlc->local_dirs, rlc->log_dirs);
|
||||
if (rc != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rc = ERROR_RUNC_RUN_FAILED;
|
||||
if (!is_valid_runc_launch_cmd(rlc)) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!init_layer_mount_ctxs(ctx, rlc->layers, rlc->num_layers)) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!init_overlay_descriptor(&ctx->upper, ctx->base_ctx.run_root,
|
||||
rlc->container_id)) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
runc_config_path = write_runc_runc_config(rlc, ctx->upper.mount_path);
|
||||
if (runc_config_path == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (seteuid(0) != 0) {
|
||||
fputs("Unable to become root\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!mount_container_rootfs(ctx)) {
|
||||
goto umount_and_cleanup;
|
||||
}
|
||||
|
||||
pid_t child_pid = fork();
|
||||
if (child_pid == 0) {
|
||||
exec_runc(rlc->container_id, runc_config_path, rlc->pid_file);
|
||||
exit(1); // just in case exec_runc returns somehow
|
||||
} else if (child_pid == -1) {
|
||||
fprintf(ERRORFILE, "Error cannot fork: %s\n", strerror(errno));
|
||||
rc = OUT_OF_MEMORY;
|
||||
goto umount_and_cleanup;
|
||||
}
|
||||
|
||||
rc = wait_and_write_exit_code(child_pid, exit_code_file);
|
||||
|
||||
umount_and_cleanup:
|
||||
// Container is no longer running, so layer references are no longer desired.
|
||||
close_layer_fds(ctx);
|
||||
|
||||
// Cleanup mounts in a background process to keep it off the critical path.
|
||||
background_cleanup_container_mounts(ctx, rlc->num_reap_layers_keep);
|
||||
|
||||
cleanup:
|
||||
free(exit_code_file);
|
||||
free(runc_config_path);
|
||||
free_runc_launch_cmd(rlc);
|
||||
free_runc_launch_cmd_ctx(ctx);
|
||||
return rc;
|
||||
}
|
@ -0,0 +1,33 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_H
|
||||
#define RUNC_RUNC_H
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
/**
|
||||
* Check to see if runC is enabled.
|
||||
*/
|
||||
int runc_module_enabled(const struct configuration *conf);
|
||||
|
||||
/**
|
||||
* Run a container via runC.
|
||||
*/
|
||||
int run_runc_container(const char* command_file);
|
||||
|
||||
#endif /* RUNC_RUNC_H */
|
@ -0,0 +1,307 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "configuration.h"
|
||||
#include "container-executor.h"
|
||||
#include "util.h"
|
||||
|
||||
#include "runc_base_ctx.h"
|
||||
#include "runc_config.h"
|
||||
|
||||
#define LAYER_MOUNT_SUFFIX "/mnt"
|
||||
#define LAYER_MOUNT_SUFFIX_LEN (sizeof(LAYER_MOUNT_SUFFIX) -1)
|
||||
|
||||
/**
|
||||
* Get the path to the runtime layers directory.
|
||||
*
|
||||
* Returns the heap-allocated path to the layers directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layers_path(const char* run_root) {
|
||||
char* layers_path = NULL;
|
||||
if (asprintf(&layers_path, "%s/layers", run_root) == -1) {
|
||||
layers_path = NULL;
|
||||
}
|
||||
return layers_path;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the path to a layer directory.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_path(const char* run_root, const char* layer_name) {
|
||||
char* layer_path = NULL;
|
||||
if (asprintf(&layer_path, "%s/layers/%s", run_root, layer_name) == -1) {
|
||||
layer_path = NULL;
|
||||
}
|
||||
return layer_path;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the path to a layer's mountpoint.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer's mountpoint or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_mount_path(const char* layer_path) {
|
||||
char* mount_path = NULL;
|
||||
if (asprintf(&mount_path, "%s" LAYER_MOUNT_SUFFIX, layer_path) == -1) {
|
||||
mount_path = NULL;
|
||||
}
|
||||
return mount_path;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the layer path from a layer's mountpoint.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_path_from_mount_path(const char* mount_path) {
|
||||
size_t mount_path_len = strlen(mount_path);
|
||||
if (mount_path_len <= LAYER_MOUNT_SUFFIX_LEN) {
|
||||
return NULL;
|
||||
}
|
||||
size_t layer_path_len = mount_path_len - LAYER_MOUNT_SUFFIX_LEN;
|
||||
const char* suffix = mount_path + layer_path_len;
|
||||
if (strcmp(suffix, LAYER_MOUNT_SUFFIX)) {
|
||||
return NULL;
|
||||
}
|
||||
return strndup(mount_path, layer_path_len);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the run root directory and layers directory structure
|
||||
* underneath if necessary.
|
||||
* Returns the malloc'd run root path or NULL if there was an error.
|
||||
*/
|
||||
static char* setup_runc_run_root_directories() {
|
||||
char* layers_path = NULL;
|
||||
char* run_root = get_configuration_value(RUNC_RUN_ROOT_KEY,
|
||||
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg());
|
||||
if (run_root == NULL) {
|
||||
run_root = strdup(DEFAULT_RUNC_ROOT);
|
||||
if (run_root == NULL) {
|
||||
goto mem_fail;
|
||||
}
|
||||
}
|
||||
|
||||
if (mkdir(run_root, S_IRWXU) != 0 && errno != EEXIST) {
|
||||
fprintf(ERRORFILE, "Error creating runC run root at %s : %s\n", run_root,
|
||||
strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
layers_path = get_runc_layers_path(run_root);
|
||||
if (layers_path == NULL) {
|
||||
goto mem_fail;
|
||||
}
|
||||
|
||||
if (mkdir(layers_path, S_IRWXU) != 0 && errno != EEXIST) {
|
||||
fprintf(ERRORFILE, "Error creating layers directory at %s : %s\n",
|
||||
layers_path, strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
free(layers_path);
|
||||
return run_root;
|
||||
|
||||
fail:
|
||||
free(layers_path);
|
||||
free(run_root);
|
||||
return NULL;
|
||||
|
||||
mem_fail:
|
||||
fputs("Cannot allocate memory\n", ERRORFILE);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Initialize an uninitialized runC base context.
|
||||
*/
|
||||
void init_runc_base_ctx(runc_base_ctx* ctx) {
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
ctx->layers_lock_fd = -1;
|
||||
ctx->layers_lock_state = F_UNLCK;
|
||||
}
|
||||
|
||||
/**
|
||||
* Releases the resources underneath a runC base context but does NOT free the
|
||||
* structure itself. This is particularly useful for stack-allocated contexts
|
||||
* or structures that embed the context.
|
||||
* free_runc_base_ctx should be used for heap-allocated contexts.
|
||||
*/
|
||||
void destroy_runc_base_ctx(runc_base_ctx* ctx) {
|
||||
if (ctx != NULL) {
|
||||
free(ctx->run_root);
|
||||
if (ctx->layers_lock_fd != -1) {
|
||||
close(ctx->layers_lock_fd);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Allocates and initializes a runC base context.
|
||||
*
|
||||
* Returns a pointer to the allocated and initialized context or NULL on error.
|
||||
*/
|
||||
runc_base_ctx* alloc_runc_base_ctx() {
|
||||
runc_base_ctx* ctx = malloc(sizeof(*ctx));
|
||||
if (ctx != NULL) {
|
||||
init_runc_base_ctx(ctx);
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Free a runC base context and all memory assruncated with it.
|
||||
*/
|
||||
void free_runc_base_ctx(runc_base_ctx* ctx) {
|
||||
destroy_runc_base_ctx(ctx);
|
||||
free(ctx);
|
||||
}
|
||||
|
||||
/**
|
||||
* Opens the base context for use. This will create the container runtime
|
||||
* root directory and layer lock files, if necessary.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool open_runc_base_ctx(runc_base_ctx* ctx) {
|
||||
ctx->run_root = setup_runc_run_root_directories();
|
||||
if (ctx->run_root == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
char* lock_path = get_runc_layer_path(ctx->run_root, "lock");
|
||||
if (lock_path == NULL) {
|
||||
fputs("Cannot allocate memory\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool result = true;
|
||||
ctx->layers_lock_fd = open(lock_path, O_RDWR | O_CREAT | O_CLOEXEC, S_IRWXU);
|
||||
if (ctx->layers_lock_fd == -1) {
|
||||
fprintf(ERRORFILE, "Cannot open lock file %s : %s\n", lock_path,
|
||||
strerror(errno));
|
||||
result = false;
|
||||
}
|
||||
|
||||
free(lock_path);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allocates and opens a base context.
|
||||
*
|
||||
* Returns a pointer to the context or NULL on error.
|
||||
*/
|
||||
runc_base_ctx* setup_runc_base_ctx() {
|
||||
runc_base_ctx* ctx = alloc_runc_base_ctx();
|
||||
if (ctx != NULL) {
|
||||
if (!open_runc_base_ctx(ctx)) {
|
||||
free_runc_base_ctx(ctx);
|
||||
ctx = NULL;
|
||||
}
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
|
||||
|
||||
static bool do_lock_cmd(int fd, int lock_cmd) {
|
||||
struct flock fl;
|
||||
memset(&fl, 0, sizeof(fl));
|
||||
fl.l_type = lock_cmd;
|
||||
fl.l_whence = SEEK_SET;
|
||||
fl.l_start = 0;
|
||||
fl.l_len = 0;
|
||||
while (true) {
|
||||
int rc = fcntl(fd, F_SETLKW, &fl);
|
||||
if (rc == 0) {
|
||||
return true;
|
||||
}
|
||||
if (errno != EINTR) {
|
||||
fprintf(ERRORFILE, "Error updating lock: %s\n", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Acquire the layer read lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool acquire_runc_layers_read_lock(runc_base_ctx* ctx) {
|
||||
if (ctx->layers_lock_state == F_RDLCK) {
|
||||
return true;
|
||||
}
|
||||
if (do_lock_cmd(ctx->layers_lock_fd, F_RDLCK)) {
|
||||
ctx->layers_lock_state = F_RDLCK;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Acquire the layer write lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool acquire_runc_layers_write_lock(runc_base_ctx* ctx) {
|
||||
if (ctx->layers_lock_state == F_WRLCK) {
|
||||
return true;
|
||||
}
|
||||
if (ctx->layers_lock_state == F_RDLCK) {
|
||||
// Release before trying to acquire write lock, otherwise two processes
|
||||
// attempting to upgrade from read lock to a write lock can deadlock.
|
||||
if (!release_runc_layers_lock(ctx)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (do_lock_cmd(ctx->layers_lock_fd, F_WRLCK)) {
|
||||
ctx->layers_lock_state = F_WRLCK;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Release the layer lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool release_runc_layers_lock(runc_base_ctx* ctx) {
|
||||
if (ctx->layers_lock_state == F_UNLCK) {
|
||||
return true;
|
||||
}
|
||||
if (do_lock_cmd(ctx->layers_lock_fd, F_UNLCK)) {
|
||||
ctx->layers_lock_state = F_UNLCK;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
@ -0,0 +1,123 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_BASE_CTX_H
|
||||
#define RUNC_RUNC_BASE_CTX_H
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
// Length of layer basename, equal to the hexstring length of SHA256
|
||||
#define LAYER_NAME_LENGTH 64
|
||||
|
||||
// NOTE: Update init_runc_base_ctx and destroy_runc_base_ctx when this is changed.
|
||||
typedef struct runc_base_ctx_struct {
|
||||
char* run_root; // root directory of filesystem database
|
||||
int layers_lock_fd; // file descriptor for layers lock file
|
||||
int layers_lock_state; // lock state: F_RDLCK, F_WRLCK, or F_UNLCK
|
||||
} runc_base_ctx;
|
||||
|
||||
|
||||
/**
|
||||
* Allocates and initializes a runC base context.
|
||||
*
|
||||
* Returns a pointer to the allocated and initialized context or NULL on error.
|
||||
*/
|
||||
runc_base_ctx* alloc_runc_base_ctx();
|
||||
|
||||
/**
|
||||
* Free a runC base context and all memory assruncated with it.
|
||||
*/
|
||||
void free_runc_base_ctx(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Initialize an uninitialized runC base context.
|
||||
*/
|
||||
void init_runc_base_ctx(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Releases the resources underneath a runC base context but does NOT free the
|
||||
* structure itself. This is particularly useful for stack-allocated contexts
|
||||
* or structures that embed the context.
|
||||
* free_runc_base_ctx should be used for heap-allocated contexts.
|
||||
*/
|
||||
void destroy_runc_base_ctx(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Opens the base context for use. This will create the container runtime
|
||||
* root directory and layer lock files, if necessary.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool open_runc_base_ctx(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Allocates and opens a base context.
|
||||
*
|
||||
* Returns a pointer to the context or NULL on error.
|
||||
*/
|
||||
runc_base_ctx* setup_runc_base_ctx();
|
||||
|
||||
/**
|
||||
* Acquire the layers read lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool acquire_runc_layers_read_lock(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Acquire the layers write lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool acquire_runc_layers_write_lock(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Release the layers lock.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool release_runc_layers_lock(runc_base_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Get the path to the runtime layers directory.
|
||||
*
|
||||
* Returns the heap-allocated path to the layers directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layers_path(const char* run_root);
|
||||
|
||||
/**
|
||||
* Get the path to a layer directory.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_path(const char* run_root, const char* layer_name);
|
||||
|
||||
/**
|
||||
* Get the path to a layer's mountpoint.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer's mountpoint or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_mount_path(const char* layer_path);
|
||||
|
||||
/**
|
||||
* Get the layer path from a layer's mountpoint.
|
||||
*
|
||||
* Returns the heap-allocated path to the layer directory or NULL on error.
|
||||
*/
|
||||
char* get_runc_layer_path_from_mount_path(const char* mount_path);
|
||||
|
||||
#endif /* RUNC_RUNC_BASE_CTX_H */
|
@ -0,0 +1,33 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_CONFIG_H
|
||||
#define RUNC_RUNC_CONFIG_H
|
||||
|
||||
// Section for all runC config keys
|
||||
#define CONTAINER_EXECUTOR_CFG_RUNC_SECTION "runc"
|
||||
|
||||
// Configuration for top-level directory of runtime database
|
||||
// Ideally this should be configured to a tmpfs or other RAM-based filesystem.
|
||||
#define RUNC_RUN_ROOT_KEY "runc.run-root"
|
||||
#define DEFAULT_RUNC_ROOT "/run/yarn-container-executor"
|
||||
|
||||
// Configuration for the path to the runC executable on the host
|
||||
#define RUNC_BINARY_KEY "runc.binary"
|
||||
#define DEFAULT_RUNC_BINARY "/usr/bin/runc"
|
||||
|
||||
#endif /* RUNC_RUNC_CONFIG_H */
|
@ -0,0 +1,765 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <errno.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "util.h"
|
||||
#include "utils/cJSON/cJSON.h"
|
||||
#include "utils/file-utils.h"
|
||||
#include "utils/string-utils.h"
|
||||
#include "utils/mount-utils.h"
|
||||
|
||||
#include "configuration.h"
|
||||
#include "container-executor.h"
|
||||
#include "runc_config.h"
|
||||
#include "runc_launch_cmd.h"
|
||||
|
||||
#define SQUASHFS_MEDIA_TYPE "application/vnd.squashfs"
|
||||
|
||||
static void free_rlc_layers(rlc_layer_spec* layers, unsigned int num_layers) {
|
||||
for (unsigned int i = 0; i < num_layers; ++i) {
|
||||
free(layers[i].media_type);
|
||||
free(layers[i].path);
|
||||
}
|
||||
free(layers);
|
||||
}
|
||||
|
||||
/**
|
||||
* Free a NULL-terminated array of pointers
|
||||
*/
|
||||
static void free_ntarray(char** parray) {
|
||||
if (parray != NULL) {
|
||||
for (char** p = parray; *p != NULL; ++p) {
|
||||
free(*p);
|
||||
}
|
||||
free(parray);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Free a runC launch command structure and all memory assruncated with it.
|
||||
*/
|
||||
void free_runc_launch_cmd(runc_launch_cmd* rlc) {
|
||||
if (rlc != NULL) {
|
||||
free(rlc->run_as_user);
|
||||
free(rlc->username);
|
||||
free(rlc->app_id);
|
||||
free(rlc->container_id);
|
||||
free(rlc->pid_file);
|
||||
free(rlc->script_path);
|
||||
free(rlc->cred_path);
|
||||
free_ntarray(rlc->local_dirs);
|
||||
free_ntarray(rlc->log_dirs);
|
||||
free_rlc_layers(rlc->layers, rlc->num_layers);
|
||||
cJSON_Delete(rlc->config.hostname);
|
||||
cJSON_Delete(rlc->config.linux_config);
|
||||
cJSON_Delete(rlc->config.mounts);
|
||||
cJSON_Delete(rlc->config.process.args);
|
||||
cJSON_Delete(rlc->config.process.cwd);
|
||||
cJSON_Delete(rlc->config.process.env);
|
||||
free(rlc);
|
||||
}
|
||||
}
|
||||
|
||||
static cJSON* parse_json_file(const char* filename) {
|
||||
char* data = read_file_to_string_as_nm_user(filename);
|
||||
if (data == NULL) {
|
||||
fprintf(ERRORFILE, "Cannot read command file %s\n", filename);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char* parse_error_location = NULL;
|
||||
cJSON* json = cJSON_ParseWithOpts(data, &parse_error_location, 1);
|
||||
if (json == NULL) {
|
||||
fprintf(ERRORFILE, "Error parsing command file %s at byte offset %ld\n",
|
||||
filename, parse_error_location - data);
|
||||
}
|
||||
|
||||
free(data);
|
||||
return json;
|
||||
}
|
||||
|
||||
static char** parse_dir_list(const cJSON* dirs_json) {
|
||||
if (!cJSON_IsArray(dirs_json)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int num_dirs = cJSON_GetArraySize(dirs_json);
|
||||
if (num_dirs <= 0) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
char** dirs = calloc(num_dirs + 1, sizeof(*dirs)); // +1 for terminating NULL
|
||||
int i = 0;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, dirs_json) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
free_ntarray(dirs);
|
||||
return NULL;
|
||||
}
|
||||
dirs[i++] = strdup(e->valuestring);
|
||||
}
|
||||
|
||||
return dirs;
|
||||
}
|
||||
|
||||
static bool parse_runc_launch_cmd_layer(rlc_layer_spec* layer_out,
|
||||
const cJSON* layer_json) {
|
||||
if (!cJSON_IsObject(layer_json)) {
|
||||
fputs("runC launch command layer is not an object\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
const cJSON* media_type_json = cJSON_GetObjectItemCaseSensitive(layer_json,
|
||||
"mediaType");
|
||||
if (!cJSON_IsString(media_type_json)) {
|
||||
fputs("Bad/Missing media type for runC launch command layer\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
const cJSON* path_json = cJSON_GetObjectItemCaseSensitive(layer_json, "path");
|
||||
if (!cJSON_IsString(path_json)) {
|
||||
fputs("Bad/Missing path for runC launch command layer\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
layer_out->media_type = strdup(media_type_json->valuestring);
|
||||
layer_out->path = strdup(path_json->valuestring);
|
||||
return true;
|
||||
}
|
||||
|
||||
static rlc_layer_spec* parse_runc_launch_cmd_layers(unsigned int* num_layers_out,
|
||||
const cJSON* layers_json) {
|
||||
if (!cJSON_IsArray(layers_json)) {
|
||||
fputs("Bad/Missing runC launch command layers\n", ERRORFILE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
unsigned int num_layers = (unsigned int) cJSON_GetArraySize(layers_json);
|
||||
if (num_layers <= 0) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
rlc_layer_spec* layers = calloc(num_layers, sizeof(*layers));
|
||||
if (layers == NULL) {
|
||||
fprintf(ERRORFILE, "Cannot allocate memory for %d layers\n",
|
||||
num_layers + 1);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
unsigned int layer_index = 0;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, layers_json) {
|
||||
if (layer_index >= num_layers) {
|
||||
fputs("Iterating past end of layer array\n", ERRORFILE);
|
||||
free_rlc_layers(layers, layer_index);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!parse_runc_launch_cmd_layer(&layers[layer_index], e)) {
|
||||
free_rlc_layers(layers, layer_index);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
++layer_index;
|
||||
}
|
||||
|
||||
*num_layers_out = layer_index;
|
||||
return layers;
|
||||
}
|
||||
|
||||
static int parse_json_int(cJSON* json) {
|
||||
if (!cJSON_IsNumber(json)) {
|
||||
fputs("Bad/Missing runC int\n", ERRORFILE);
|
||||
return -1;
|
||||
}
|
||||
return json->valueint;
|
||||
}
|
||||
|
||||
static int parse_runc_launch_cmd_runc_config(runc_config* rc, cJSON* rc_json) {
|
||||
if (!cJSON_IsObject(rc_json)) {
|
||||
fputs("Bad/Missing runC runtime config in launch command\n", ERRORFILE);
|
||||
return -1;
|
||||
}
|
||||
rc->hostname = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "hostname");
|
||||
rc->linux_config = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "linux");
|
||||
rc->mounts = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "mounts");
|
||||
|
||||
cJSON* process_json = cJSON_GetObjectItemCaseSensitive(rc_json, "process");
|
||||
if (!cJSON_IsObject(process_json)) {
|
||||
fputs("Bad/Missing process section in runC config\n", ERRORFILE);
|
||||
return -1;
|
||||
}
|
||||
rc->process.args = cJSON_DetachItemFromObjectCaseSensitive(
|
||||
process_json, "args");
|
||||
rc->process.cwd = cJSON_DetachItemFromObjectCaseSensitive(
|
||||
process_json, "cwd");
|
||||
rc->process.env = cJSON_DetachItemFromObjectCaseSensitive(
|
||||
process_json, "env");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool is_valid_layer_media_type(char* media_type) {
|
||||
if (media_type == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (strcmp(SQUASHFS_MEDIA_TYPE, media_type)) {
|
||||
fprintf(ERRORFILE, "Unrecognized layer media type: %s\n", media_type);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_launch_cmd_layers(rlc_layer_spec* layers,
|
||||
unsigned int num_layers) {
|
||||
if (layers == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (unsigned int i = 0; i < num_layers; ++i) {
|
||||
if (!is_valid_layer_media_type(layers[i].media_type)) {
|
||||
return false;
|
||||
}
|
||||
if (layers[i].path == NULL) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config_linux_resources(const cJSON* rclr) {
|
||||
if (!cJSON_IsObject(rclr)) {
|
||||
fputs("runC config linux resources missing or not an object\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool all_sections_ok = true;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, rclr) {
|
||||
if (strcmp("blockIO", e->string) == 0) {
|
||||
// block I/O settings allowed
|
||||
} else if (strcmp("cpu", e->string) == 0) {
|
||||
// cpu settings allowed
|
||||
} else {
|
||||
fprintf(ERRORFILE,
|
||||
"Unrecognized runC config linux resources element: %s\n", e->string);
|
||||
all_sections_ok = false;
|
||||
}
|
||||
}
|
||||
|
||||
return all_sections_ok;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config_linux_seccomp(const cJSON* rcls) {
|
||||
if (!cJSON_IsObject(rcls)) {
|
||||
fputs("runC config linux seccomp missing or not an object\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool all_sections_ok = true;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, rcls) {
|
||||
if (strcmp("defaultAction", e->string) == 0) {
|
||||
// defaultAction allowed
|
||||
} else if (strcmp("architectures", e->string) == 0) {
|
||||
// architecture settings allowed
|
||||
} else if (strcmp("flags", e->string) == 0) {
|
||||
// flags allowed
|
||||
} else if (strcmp("syscalls", e->string) == 0) {
|
||||
// syscalls allowed
|
||||
} else {
|
||||
fprintf(ERRORFILE,
|
||||
"Unrecognized runC config linux seccomp element: %s\n", e->string);
|
||||
all_sections_ok = false;
|
||||
}
|
||||
}
|
||||
|
||||
return all_sections_ok;
|
||||
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config_linux(const cJSON* rcl) {
|
||||
if (!cJSON_IsObject(rcl)) {
|
||||
fputs("runC config linux section missing or not an object\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool all_sections_ok = true;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, rcl) {
|
||||
if (strcmp("cgroupsPath", e->string) == 0) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
all_sections_ok = false;
|
||||
}
|
||||
} else if (strcmp("resources", e->string) == 0) {
|
||||
all_sections_ok &= is_valid_runc_config_linux_resources(e);
|
||||
} else if (strcmp("seccomp", e->string) == 0) {
|
||||
all_sections_ok &= is_valid_runc_config_linux_seccomp(e);
|
||||
} else {
|
||||
fprintf(ERRORFILE, "Unrecognized runC config linux element: %s\n",
|
||||
e->string);
|
||||
all_sections_ok = false;
|
||||
}
|
||||
}
|
||||
|
||||
return all_sections_ok;
|
||||
}
|
||||
|
||||
static bool is_valid_mount_type(const char *type) {
|
||||
if (strcmp("bind", type)) {
|
||||
fprintf(ERRORFILE, "Invalid runC mount type '%s'\n", type);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static mount_options* get_mount_options(const cJSON* mo) {
|
||||
if (!cJSON_IsArray(mo)) {
|
||||
fputs("runC config mount options not an array\n", ERRORFILE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
unsigned int num_options = cJSON_GetArraySize(mo);
|
||||
|
||||
mount_options *options = (mount_options *) calloc(1, sizeof(*options));
|
||||
char **options_array = (char **) calloc(num_options + 1, sizeof(char*));
|
||||
|
||||
options->num_opts = num_options;
|
||||
options->opts = options_array;
|
||||
|
||||
bool has_rbind = false;
|
||||
bool has_rprivate = false;
|
||||
int i = 0;
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, mo) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
fputs("runC config mount option is not a string\n", ERRORFILE);
|
||||
free_mount_options(options);
|
||||
return NULL;
|
||||
}
|
||||
if (strcmp("rbind", e->valuestring) == 0) {
|
||||
has_rbind = true;
|
||||
} else if (strcmp("rprivate", e->valuestring) == 0) {
|
||||
has_rprivate = true;
|
||||
} else if (strcmp("rw", e->valuestring) == 0) {
|
||||
options->rw = 1;
|
||||
} else if (strcmp("ro", e->valuestring) == 0) {
|
||||
options->rw = 0;
|
||||
}
|
||||
|
||||
options->opts[i] = strdup(e->valuestring);
|
||||
i++;
|
||||
}
|
||||
options->opts[i] = NULL;
|
||||
|
||||
if (!has_rbind) {
|
||||
fputs("runC config mount options missing rbind\n", ERRORFILE);
|
||||
free_mount_options(options);
|
||||
return NULL;
|
||||
}
|
||||
if (!has_rprivate) {
|
||||
fputs("runC config mount options missing rprivate\n", ERRORFILE);
|
||||
free_mount_options(options);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return options;
|
||||
}
|
||||
|
||||
static int get_runc_mounts(mount* mounts, const cJSON* rcm) {
|
||||
if (!cJSON_IsArray(rcm)) {
|
||||
fputs("runC config mount entry is not an object\n", ERRORFILE);
|
||||
return INVALID_MOUNT;
|
||||
}
|
||||
|
||||
bool has_type = false;
|
||||
const cJSON *e;
|
||||
const cJSON *mount;
|
||||
int i = 0;
|
||||
int ret = 0;
|
||||
cJSON_ArrayForEach(mount, rcm) {
|
||||
cJSON_ArrayForEach(e, mount) {
|
||||
if (strcmp("type", e->string) == 0) {
|
||||
if (!cJSON_IsString(e) || !is_valid_mount_type(e->valuestring)) {
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
has_type = true;
|
||||
} else if (strcmp("source", e->string) == 0) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
mounts[i].src = strdup(e->valuestring);
|
||||
} else if (strcmp("destination", e->string) == 0) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
mounts[i].dest = strdup(e->valuestring);
|
||||
} else if (strcmp("options", e->string) == 0) {
|
||||
if (!cJSON_IsArray(e)) {
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
mounts[i].options = get_mount_options(e);
|
||||
} else {
|
||||
fprintf(ERRORFILE, "Unrecognized runC config mount parameter: %s\n",
|
||||
e->string);
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
}
|
||||
|
||||
if (!has_type) {
|
||||
fputs("runC config mount missing mount type\n", ERRORFILE);
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
if (mounts[i].src == NULL) {
|
||||
fputs("runC config mount missing source\n", ERRORFILE);
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
if (mounts[i].dest == NULL) {
|
||||
fputs("runC config mount missing destination\n", ERRORFILE);
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
if (mounts[i].options == NULL) {
|
||||
fputs("runC config mount missing mount options\n", ERRORFILE);
|
||||
ret = INVALID_MOUNT;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
i++;
|
||||
}
|
||||
|
||||
free_and_exit:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config_mounts(const cJSON* rcm) {
|
||||
mount *mounts = NULL;
|
||||
unsigned int num_mounts = 0;
|
||||
int ret = 0;
|
||||
bool all_mounts_ok = true;
|
||||
char **permitted_ro_mounts = NULL;
|
||||
char **permitted_rw_mounts = NULL;
|
||||
|
||||
if (rcm == NULL) {
|
||||
return true; // OK to have no extra mounts
|
||||
}
|
||||
if (!cJSON_IsArray(rcm)) {
|
||||
fputs("runC config mounts is not an array\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
permitted_ro_mounts = get_configuration_values_delimiter("runc.allowed.ro-mounts",
|
||||
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg(), ",");
|
||||
permitted_rw_mounts = get_configuration_values_delimiter("runc.allowed.rw-mounts",
|
||||
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg(), ",");
|
||||
|
||||
num_mounts = cJSON_GetArraySize(rcm);
|
||||
|
||||
mounts = (mount *) calloc(num_mounts, sizeof(*mounts));
|
||||
if (mounts == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", num_mounts * sizeof(*mounts));
|
||||
all_mounts_ok = false;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
ret = get_runc_mounts(mounts, rcm);
|
||||
if (ret != 0) {
|
||||
all_mounts_ok = false;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
ret = validate_mounts(permitted_ro_mounts, permitted_rw_mounts, mounts, num_mounts);
|
||||
if (ret != 0) {
|
||||
all_mounts_ok = false;
|
||||
goto free_and_exit;
|
||||
}
|
||||
|
||||
free_and_exit:
|
||||
free_values(permitted_ro_mounts);
|
||||
free_values(permitted_rw_mounts);
|
||||
free_mounts(mounts, num_mounts);
|
||||
return all_mounts_ok;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config_process(const runc_config_process* rcp) {
|
||||
if (rcp == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!cJSON_IsArray(rcp->args)) {
|
||||
fputs("runC config process args is missing or not an array\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
const cJSON* e;
|
||||
cJSON_ArrayForEach(e, rcp->args) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
fputs("runC config process args has a non-string in array\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if (!cJSON_IsString(rcp->cwd)) {
|
||||
fputs("Bad/Missing runC config process cwd\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!cJSON_IsArray(rcp->env)) {
|
||||
fputs("runC config process env is missing or not an array\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
cJSON_ArrayForEach(e, rcp->env) {
|
||||
if (!cJSON_IsString(e)) {
|
||||
fputs("runC config process env has a non-string in array\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool is_valid_runc_config(const runc_config* rc) {
|
||||
bool is_valid = true;
|
||||
if (rc->hostname != NULL && !cJSON_IsString(rc->hostname)) {
|
||||
fputs("runC config hostname is not a string\n", ERRORFILE);
|
||||
is_valid = false;
|
||||
}
|
||||
|
||||
is_valid &= is_valid_runc_config_linux(rc->linux_config);
|
||||
is_valid &= is_valid_runc_config_mounts(rc->mounts);
|
||||
is_valid &= is_valid_runc_config_process(&rc->process);
|
||||
return is_valid;
|
||||
}
|
||||
|
||||
bool is_valid_runc_launch_cmd(const runc_launch_cmd* rlc) {
|
||||
if (rlc == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->run_as_user == NULL) {
|
||||
fputs("runC command has bad/missing runAsUser\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->username == NULL) {
|
||||
fputs("runC command has bad/missing username\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->app_id == NULL) {
|
||||
fputs("runC command has bad/missing application ID\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->container_id == NULL) {
|
||||
fputs("runC command has bad/missing container ID\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
if (!validate_container_id(rlc->container_id)) {
|
||||
fprintf(ERRORFILE, "Bad container id in runC command: %s\n",
|
||||
rlc->container_id);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->pid_file == NULL) {
|
||||
fputs("runC command has bad/missing pid file\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
if (check_pidfile_as_nm(rlc->pid_file) != 0) {
|
||||
fprintf(ERRORFILE, "Bad pidfile %s : %s\n", rlc->pid_file,
|
||||
strerror(errno));
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->script_path == NULL) {
|
||||
fputs("runC command has bad/missing container script path\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->cred_path == NULL) {
|
||||
fputs("runC command has bad/missing container credentials path\n",
|
||||
ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->local_dirs == NULL) {
|
||||
fputs("runC command has bad/missing local directories\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->log_dirs == NULL) {
|
||||
fputs("runC command has bad/missing log directories\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!is_valid_runc_launch_cmd_layers(rlc->layers, rlc->num_layers)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (rlc->num_reap_layers_keep < 0) {
|
||||
fprintf(ERRORFILE, "Bad number of layers to preserve: %d\n",
|
||||
rlc->num_reap_layers_keep);
|
||||
return false;
|
||||
}
|
||||
|
||||
return is_valid_runc_config(&rlc->config);
|
||||
}
|
||||
|
||||
/**
|
||||
* Read, parse, and validate a runC container launch command.
|
||||
*
|
||||
* Returns a pointer to the launch command or NULL on error.
|
||||
*/
|
||||
runc_launch_cmd* parse_runc_launch_cmd(const char* command_filename) {
|
||||
int ret = 0;
|
||||
runc_launch_cmd* rlc = NULL;
|
||||
cJSON* rlc_json = NULL;
|
||||
|
||||
rlc_json = parse_json_file(command_filename);
|
||||
if (rlc_json == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rlc = calloc(1, sizeof(*rlc));
|
||||
if (rlc == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", sizeof(*rlc));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
char* run_as_user = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "runAsUser"));
|
||||
if (run_as_user== NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->run_as_user= strdup(run_as_user);
|
||||
|
||||
char* username = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "username"));
|
||||
if (username == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->username = strdup(username);
|
||||
|
||||
char* app_id = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "applicationId"));
|
||||
if (app_id == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->app_id = strdup(app_id);
|
||||
|
||||
char* container_id = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "containerId"));
|
||||
if (container_id == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->container_id = strdup(container_id);
|
||||
|
||||
char* pid_file = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "pidFile"));
|
||||
if (pid_file == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->pid_file = strdup(pid_file);
|
||||
|
||||
char* script_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "containerScriptPath"));
|
||||
if (script_path == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->script_path = strdup(script_path);
|
||||
|
||||
char* cred_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "containerCredentialsPath"));
|
||||
if (cred_path == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->cred_path = strdup(cred_path);
|
||||
|
||||
rlc->https = parse_json_int(cJSON_GetObjectItemCaseSensitive(rlc_json, "https"));
|
||||
|
||||
char* keystore_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "keystorePath"));
|
||||
if (keystore_path != NULL) {
|
||||
rlc->keystore_path = strdup(keystore_path);
|
||||
}
|
||||
|
||||
char* truststore_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "truststorePath"));
|
||||
if (truststore_path != NULL) {
|
||||
rlc->truststore_path = strdup(truststore_path);
|
||||
}
|
||||
|
||||
char **local_dirs = parse_dir_list(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "localDirs"));
|
||||
if (local_dirs == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->local_dirs = local_dirs;
|
||||
|
||||
char **log_dirs = parse_dir_list(cJSON_GetObjectItemCaseSensitive(
|
||||
rlc_json, "logDirs"));
|
||||
if (log_dirs == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->log_dirs = log_dirs;
|
||||
|
||||
rlc_layer_spec* layers = parse_runc_launch_cmd_layers(&rlc->num_layers,
|
||||
cJSON_GetObjectItemCaseSensitive(rlc_json,"layers"));
|
||||
if (layers == NULL) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
rlc->layers = layers;
|
||||
|
||||
rlc->num_reap_layers_keep = parse_json_int(
|
||||
cJSON_GetObjectItemCaseSensitive(rlc_json, "reapLayerKeepCount"));
|
||||
|
||||
ret = parse_runc_launch_cmd_runc_config(&rlc->config,
|
||||
cJSON_GetObjectItemCaseSensitive(rlc_json, "ociRuntimeConfig"));
|
||||
if (ret < 0) {
|
||||
goto fail_and_exit;
|
||||
}
|
||||
|
||||
cleanup:
|
||||
cJSON_Delete(rlc_json);
|
||||
return rlc;
|
||||
|
||||
fail_and_exit:
|
||||
cJSON_Delete(rlc_json);
|
||||
free_runc_launch_cmd(rlc);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -0,0 +1,85 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_LAUNCH_CMD_H
|
||||
#define RUNC_RUNC_LAUNCH_CMD_H
|
||||
|
||||
#include "utils/cJSON/cJSON.h"
|
||||
|
||||
// NOTE: Update free_runc_launch_cmd when this is changed.
|
||||
typedef struct runc_launch_cmd_layer_spec {
|
||||
char* media_type; // MIME type for layer data
|
||||
char* path; // local filesystem location of layer data
|
||||
} rlc_layer_spec;
|
||||
|
||||
// NOTE: Update free_runc_launch_cmd when this is changed.
|
||||
typedef struct runc_config_process_struct {
|
||||
cJSON* args; // execve-style command and arguments
|
||||
cJSON* cwd; // working dir for container
|
||||
cJSON* env; // execve-style environment
|
||||
} runc_config_process;
|
||||
|
||||
// NOTE: Update free_runc_launch_cmd when this is changed.
|
||||
typedef struct runc_config_struct {
|
||||
cJSON* hostname; // hostname for the container
|
||||
cJSON* linux_config; // Linux section of the runC config
|
||||
cJSON* mounts; // bind-mounts for the container
|
||||
runc_config_process process; // process config for the container
|
||||
} runc_config;
|
||||
|
||||
// NOTE: Update free_runc_launch_cmd when this is changed.
|
||||
typedef struct runc_launch_cmd_struct {
|
||||
char* run_as_user; // user name of the runAs user
|
||||
char* username; // user name of the container user
|
||||
char* app_id; // YARN application ID
|
||||
char* container_id; // YARN container ID
|
||||
char* pid_file; // pid file path to create
|
||||
char* script_path; // path to container launch script
|
||||
char* cred_path; // path to container credentials file
|
||||
int https; // whether or not https is enabled
|
||||
char* keystore_path; // path to keystore file
|
||||
char* truststore_path; // path to truststore file
|
||||
char** local_dirs; // NULL-terminated array of local dirs
|
||||
char** log_dirs; // NULL-terminated array of log dirs
|
||||
rlc_layer_spec* layers; // array of layers
|
||||
unsigned int num_layers; // number of entries in the layers array
|
||||
int num_reap_layers_keep; // number of total layer mounts to preserve
|
||||
runc_config config; // runC config for the container
|
||||
} runc_launch_cmd;
|
||||
|
||||
|
||||
/**
|
||||
* Free a runC launch command structure and all memory assruncated with it.
|
||||
*/
|
||||
void free_runc_launch_cmd(runc_launch_cmd* rlc);
|
||||
|
||||
|
||||
/**
|
||||
*
|
||||
* Valildate runC container launch command.
|
||||
* Returns true on valid and false on invalid.
|
||||
*/
|
||||
bool is_valid_runc_launch_cmd(const runc_launch_cmd* rlc);
|
||||
|
||||
/**
|
||||
* Read, parse, and validate a runC container launch command.
|
||||
*
|
||||
* Returns a pointer to the launch command or NULL on error.
|
||||
*/
|
||||
runc_launch_cmd* parse_runc_launch_cmd(const char* command_filename);
|
||||
|
||||
#endif /* RUNC_RUNC_LAUNCH_CMD_H */
|
@ -0,0 +1,622 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/stat.h>
|
||||
#include <dirent.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <mntent.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "container-executor.h"
|
||||
|
||||
#include "runc_base_ctx.h"
|
||||
#include "runc_reap.h"
|
||||
|
||||
#include "util.h"
|
||||
|
||||
#define DEV_LOOP_PREFIX "/dev/loop"
|
||||
#define DEV_LOOP_PREFIX_LEN (sizeof(DEV_LOOP_PREFIX) - 1)
|
||||
#define DELETED_SUFFIX " (deleted)\n"
|
||||
#define DELETED_SUFFIX_LEN (sizeof(DELETED_SUFFIX) - 1)
|
||||
|
||||
// The size of the buffer to use when reading the mount table. This should be
|
||||
// large enough so ideally the mount table is read all at once.
|
||||
// Otherwise the mount table could change in-between underlying read() calls
|
||||
// and result in a table with missing or corrupted entries.
|
||||
#define MOUNT_TABLE_BUFFER_SIZE (1024*1024)
|
||||
|
||||
// NOTE: Update destroy_dent_stat when this is updated.
|
||||
typedef struct dent_stat_struct {
|
||||
char* basename; // basename of directory entry
|
||||
struct timespec mtime; // modification time
|
||||
} dent_stat;
|
||||
|
||||
// NOTE: Update init_dent_stats and destroy_dent_stats when this is changed.
|
||||
typedef struct dent_stats_array_struct {
|
||||
dent_stat* stats; // array of dent_stat structures
|
||||
size_t capacity; // capacity of the stats array
|
||||
size_t length; // number of valid entries in the stats array
|
||||
} dent_stats_array;
|
||||
|
||||
|
||||
/**
|
||||
* Releases the resources assruncated with a dent_stat structure but
|
||||
* does NOT free the structure itself. This is particularly useful for
|
||||
* stack-allocated structures or other structures that embed this structure.
|
||||
*/
|
||||
static void destroy_dent_stat(dent_stat* ds) {
|
||||
if (ds != NULL) {
|
||||
free(ds->basename);
|
||||
ds->basename = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize an uninitialized dent_stats_array with the specified
|
||||
* number of entries as its initial capacity.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
static bool init_dent_stats(dent_stats_array* dsa, size_t initial_size) {
|
||||
memset(dsa, 0, sizeof(*dsa));
|
||||
dsa->stats = malloc(sizeof(*dsa->stats) * initial_size);
|
||||
if (dsa->stats == NULL) {
|
||||
return false;
|
||||
}
|
||||
dsa->capacity = initial_size;
|
||||
dsa->length = 0;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allocates and initializes a dent_stats_array with the specified
|
||||
* number of entries as its initial capacity.
|
||||
*
|
||||
* Returns a pointer to the dent_stats_array or NULL on error.
|
||||
*/
|
||||
static dent_stats_array* alloc_dent_stats(size_t initial_size) {
|
||||
dent_stats_array* dsa = malloc(sizeof(*dsa));
|
||||
if (dsa != NULL) {
|
||||
if (!init_dent_stats(dsa, initial_size)) {
|
||||
free(dsa);
|
||||
dsa = NULL;
|
||||
}
|
||||
}
|
||||
return dsa;
|
||||
}
|
||||
|
||||
/**
|
||||
* Grows the capacity of a dent_stats_array to the new specified number of
|
||||
* elements.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
static bool realloc_dent_stats(dent_stats_array* dsa, size_t new_size) {
|
||||
if (new_size < dsa->length) {
|
||||
// New capacity would result in a truncation.
|
||||
return false;
|
||||
}
|
||||
|
||||
dent_stat* new_stats = realloc(dsa->stats, new_size * sizeof(*dsa->stats));
|
||||
if (new_stats == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
dsa->stats = new_stats;
|
||||
dsa->capacity = new_size;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Append a new dent_stat entry to a dent_stats_array, reallocating the
|
||||
* array if necessary with the specified increase in capacity.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
static bool append_dent_stat(dent_stats_array* dsa, size_t stats_size_incr,
|
||||
const char* basename, const struct timespec* mtime) {
|
||||
if (dsa->length == dsa->capacity) {
|
||||
if (!realloc_dent_stats(dsa, dsa->capacity + stats_size_incr)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
char* ds_name = strdup(basename);
|
||||
if (ds_name == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
dent_stat* ds = &dsa->stats[dsa->length++];
|
||||
ds->basename = ds_name;
|
||||
ds->mtime = *mtime;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Releases the resources assruncated with a dent_stats_array structure but
|
||||
* does NOT free the structure itself. This is particularly useful for
|
||||
* stack-allocated contexts or other structures that embed this structure.
|
||||
*/
|
||||
static void destroy_dent_stats(dent_stats_array* dsa) {
|
||||
if (dsa != NULL ) {
|
||||
for (size_t i = 0; i < dsa->length; ++i) {
|
||||
destroy_dent_stat(&dsa->stats[i]);
|
||||
}
|
||||
free(dsa->stats);
|
||||
dsa->capacity = 0;
|
||||
dsa->length = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Frees a dent_stats_array structure and all memory assruncted with it.
|
||||
*/
|
||||
static void free_dent_stats(dent_stats_array* dsa) {
|
||||
destroy_dent_stats(dsa);
|
||||
free(dsa);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the array of dent_stats for the layers directory.
|
||||
* Only directory entries that look like layers will be returned.
|
||||
*
|
||||
* Returns the array of dent_stats or NULL on error.
|
||||
*/
|
||||
static dent_stats_array* get_dent_stats(int layers_fd) {
|
||||
DIR* layers_dir = NULL;
|
||||
// number of stat buffers to allocate each time we run out
|
||||
const size_t stats_size_incr = 8192;
|
||||
dent_stats_array* dsa = alloc_dent_stats(stats_size_incr);
|
||||
if (dsa == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int dir_fd = dup(layers_fd);
|
||||
if (dir_fd == -1) {
|
||||
fprintf(ERRORFILE, "Unable to duplicate layer dir fd: %s\n",
|
||||
strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
layers_dir = fdopendir(dir_fd);
|
||||
if (layers_dir == NULL) {
|
||||
fprintf(ERRORFILE, "Cannot open layers directory: %s\n", strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
struct dirent* de;
|
||||
while ((de = readdir(layers_dir)) != NULL) {
|
||||
// skip entries that don't look like layers
|
||||
if (strlen(de->d_name) != LAYER_NAME_LENGTH) {
|
||||
continue;
|
||||
}
|
||||
|
||||
struct stat statbuf;
|
||||
if (fstatat(layers_fd, de->d_name, &statbuf, AT_SYMLINK_NOFOLLOW) == -1) {
|
||||
if (errno == ENOENT) {
|
||||
continue;
|
||||
}
|
||||
fprintf(ERRORFILE, "Error getting stats for layer %s : %s\n", de->d_name,
|
||||
strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!append_dent_stat(dsa, stats_size_incr, de->d_name,
|
||||
&statbuf.st_mtim)) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:
|
||||
if (layers_dir != NULL) {
|
||||
closedir(layers_dir);
|
||||
}
|
||||
return dsa;
|
||||
|
||||
fail:
|
||||
free_dent_stats(dsa);
|
||||
dsa = NULL;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/**
|
||||
* Umount a layer and remove the directories assruncated with the layer mount.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
static bool unmount_layer(const char* layer_dir_path) {
|
||||
char* mount_path = get_runc_layer_mount_path(layer_dir_path);
|
||||
if (mount_path == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool result = false;
|
||||
if (umount(mount_path) == -1) {
|
||||
if (errno == EBUSY) {
|
||||
// Layer is in use by another container.
|
||||
goto cleanup;
|
||||
} else if (errno != ENOENT && errno != EINVAL) {
|
||||
fprintf(ERRORFILE, "Error unmounting %s : %s\n", mount_path,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
} else {
|
||||
// unmount was successful so report success even if directory removals
|
||||
// fail after this.
|
||||
result = true;
|
||||
}
|
||||
|
||||
if (rmdir(mount_path) == -1 && errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error removing %s : %s\n", mount_path,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (rmdir(layer_dir_path) == -1 && errno != ENOENT) {
|
||||
fprintf(ERRORFILE, "Error removing %s : %s\n", layer_dir_path,
|
||||
strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
result = true;
|
||||
|
||||
cleanup:
|
||||
free(mount_path);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Order directory entries by increasing modification time.
|
||||
*/
|
||||
static int compare_dent_stats_mtime(const void* va, const void* vb) {
|
||||
const dent_stat* a = (const dent_stat*)va;
|
||||
const dent_stat* b = (const dent_stat*)vb;
|
||||
if (a->mtime.tv_sec < b->mtime.tv_sec) {
|
||||
return -1;
|
||||
} else if (a->mtime.tv_sec > b->mtime.tv_sec) {
|
||||
return 1;
|
||||
}
|
||||
return a->mtime.tv_nsec - b->mtime.tv_nsec;
|
||||
}
|
||||
|
||||
static bool do_reap_layer_mounts_with_lock(runc_base_ctx* ctx,
|
||||
int layers_fd, int num_preserve) {
|
||||
dent_stats_array* dsa = get_dent_stats(layers_fd);
|
||||
if (dsa == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
qsort(&dsa->stats[0], dsa->length, sizeof(*dsa->stats),
|
||||
compare_dent_stats_mtime);
|
||||
|
||||
bool result = false;
|
||||
size_t num_remain = dsa->length;
|
||||
if (num_remain <= num_preserve) {
|
||||
result = true;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!acquire_runc_layers_write_lock(ctx)) {
|
||||
fputs("Unable to acquire layer write lock\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
for (size_t i = 0; i < dsa->length && num_remain > num_preserve; ++i) {
|
||||
char* layer_dir_path = get_runc_layer_path(ctx->run_root,
|
||||
dsa->stats[i].basename);
|
||||
if (layer_dir_path == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
if (unmount_layer(layer_dir_path)) {
|
||||
--num_remain;
|
||||
printf("Unmounted layer %s\n", dsa->stats[i].basename);
|
||||
}
|
||||
free(layer_dir_path);
|
||||
}
|
||||
|
||||
result = true;
|
||||
|
||||
cleanup:
|
||||
free_dent_stats(dsa);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if the specified loopback device is assruncated with a file that
|
||||
* has been deleted.
|
||||
*
|
||||
* Returns true if the loopback file is deleted or false otherwise or on error.
|
||||
*/
|
||||
bool is_loop_file_deleted(const char* loopdev) {
|
||||
bool result = false;
|
||||
FILE* f = NULL;
|
||||
char* path = NULL;
|
||||
char* linebuf = NULL;
|
||||
|
||||
// locate the numeric part of the loop device
|
||||
const char* loop_num_str = loopdev + DEV_LOOP_PREFIX_LEN;
|
||||
|
||||
if (asprintf(&path, "/sys/devices/virtual/block/loop%s/loop/backing_file",
|
||||
loop_num_str) == -1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
f = fopen(path, "r");
|
||||
if (f == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
size_t linebuf_len = 0;
|
||||
ssize_t len = getline(&linebuf, &linebuf_len, f);
|
||||
if (len <= DELETED_SUFFIX_LEN) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
result = !strcmp(DELETED_SUFFIX, linebuf + len - DELETED_SUFFIX_LEN);
|
||||
|
||||
cleanup:
|
||||
if (f != NULL) {
|
||||
fclose(f);
|
||||
}
|
||||
free(linebuf);
|
||||
free(path);
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool copy_mntent(struct mntent* dest, const struct mntent* src) {
|
||||
memset(dest, 0, sizeof(*dest));
|
||||
if (src->mnt_fsname != NULL) {
|
||||
dest->mnt_fsname = strdup(src->mnt_fsname);
|
||||
if (dest->mnt_fsname == NULL) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (src->mnt_dir != NULL) {
|
||||
dest->mnt_dir = strdup(src->mnt_dir);
|
||||
if (dest->mnt_dir == NULL) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (src->mnt_type != NULL) {
|
||||
dest->mnt_type = strdup(src->mnt_type);
|
||||
if (dest->mnt_type == NULL) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (src->mnt_opts != NULL) {
|
||||
dest->mnt_opts = strdup(src->mnt_opts);
|
||||
if (dest->mnt_opts == NULL) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
dest->mnt_freq = src->mnt_freq;
|
||||
dest->mnt_passno = src->mnt_passno;
|
||||
return true;
|
||||
}
|
||||
|
||||
static void free_mntent_array(struct mntent* entries, size_t num_entries) {
|
||||
if (entries != NULL) {
|
||||
for (size_t i = 0; i < num_entries; ++i) {
|
||||
struct mntent* me = entries + i;
|
||||
free(me->mnt_fsname);
|
||||
free(me->mnt_dir);
|
||||
free(me->mnt_type);
|
||||
free(me->mnt_opts);
|
||||
}
|
||||
free(entries);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the array of mount table entries that are layer mounts.
|
||||
*
|
||||
* Returns the heap-allocated array of mount entries or NULL on error.
|
||||
* The num_entries argument is updated to the number of elements in the array.
|
||||
*/
|
||||
static struct mntent* get_layer_mounts(size_t* num_entries_out,
|
||||
const char* layers_path) {
|
||||
const size_t layers_path_len = strlen(layers_path);
|
||||
char* read_buffer = NULL;
|
||||
FILE* f = NULL;
|
||||
const size_t num_entries_per_alloc = 8192;
|
||||
size_t num_entries = 0;
|
||||
size_t entries_capacity = num_entries_per_alloc;
|
||||
struct mntent* entries = malloc(sizeof(*entries) * entries_capacity);
|
||||
if (entries == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
read_buffer = malloc(MOUNT_TABLE_BUFFER_SIZE);
|
||||
if (read_buffer == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to allocate read buffer of %d bytes\n",
|
||||
MOUNT_TABLE_BUFFER_SIZE);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
f = fopen("/proc/mounts", "r");
|
||||
if (f == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to open /proc/mounts : %s\n", strerror(errno));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (setvbuf(f, read_buffer, _IOFBF, MOUNT_TABLE_BUFFER_SIZE) != 0) {
|
||||
fprintf(ERRORFILE, "Unable to set mount table buffer to %d\n",
|
||||
MOUNT_TABLE_BUFFER_SIZE);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
struct mntent* me;
|
||||
while ((me = getmntent(f)) != NULL) {
|
||||
// Skip mounts that are not loopback mounts
|
||||
if (strncmp(me->mnt_fsname, DEV_LOOP_PREFIX, DEV_LOOP_PREFIX_LEN)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
// skip destinations that are not under the layers mount area
|
||||
if (strncmp(layers_path, me->mnt_dir, layers_path_len)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (num_entries == entries_capacity) {
|
||||
entries_capacity += num_entries_per_alloc;
|
||||
entries = realloc(entries, sizeof(*entries) * entries_capacity);
|
||||
if (entries == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
if (!copy_mntent(entries + num_entries, me)) {
|
||||
goto fail;
|
||||
}
|
||||
++num_entries;
|
||||
}
|
||||
|
||||
cleanup:
|
||||
if (f != NULL) {
|
||||
fclose(f);
|
||||
}
|
||||
free(read_buffer);
|
||||
*num_entries_out = num_entries;
|
||||
return entries;
|
||||
|
||||
fail:
|
||||
free_mntent_array(entries, num_entries);
|
||||
entries = NULL;
|
||||
num_entries = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/**
|
||||
* Search for layer mounts that correspond with deleted files and unmount them.
|
||||
*/
|
||||
static bool reap_deleted_mounts_with_lock(runc_base_ctx* ctx) {
|
||||
const char* layers_path = get_runc_layers_path(ctx->run_root);
|
||||
if (layers_path == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool result = false;
|
||||
size_t num_mnt_entries = 0;
|
||||
struct mntent* mnt_entries = get_layer_mounts(&num_mnt_entries, layers_path);
|
||||
if (mnt_entries == NULL) {
|
||||
fputs("Error parsing mount table\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
bool have_write_lock = false;
|
||||
for (size_t i = 0; i < num_mnt_entries; ++i) {
|
||||
const struct mntent* me = mnt_entries + i;
|
||||
if (is_loop_file_deleted(me->mnt_fsname)) {
|
||||
if (!have_write_lock) {
|
||||
if (!acquire_runc_layers_write_lock(ctx)) {
|
||||
goto cleanup;
|
||||
}
|
||||
have_write_lock = true;
|
||||
}
|
||||
|
||||
char* layer_dir = get_runc_layer_path_from_mount_path(me->mnt_dir);
|
||||
if (layer_dir != NULL) {
|
||||
if (unmount_layer(layer_dir)) {
|
||||
printf("Unmounted layer %s (deleted)\n", basename(layer_dir));
|
||||
}
|
||||
free(layer_dir);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
result = true;
|
||||
|
||||
cleanup:
|
||||
free_mntent_array(mnt_entries, num_mnt_entries);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Equivalent to reap_runc_layer_mounts but avoids the need to re-create the
|
||||
* runC base context.
|
||||
*/
|
||||
int reap_runc_layer_mounts_with_ctx(runc_base_ctx* ctx, int num_preserve) {
|
||||
int rc = ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED;
|
||||
int layers_fd = -1;
|
||||
char* layers_path = get_runc_layers_path(ctx->run_root);
|
||||
if (layers_path == NULL) {
|
||||
fputs("Unable to allocate memory\n", ERRORFILE);
|
||||
rc = OUT_OF_MEMORY;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
layers_fd = open(layers_path, O_RDONLY | O_NOFOLLOW);
|
||||
if (layers_fd == -1) {
|
||||
fprintf(ERRORFILE, "Unable to open layers directory at %s : %s\n",
|
||||
layers_path, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (!acquire_runc_layers_read_lock(ctx)) {
|
||||
fputs("Unable to obtain layer lock\n", ERRORFILE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
bool reap_deleted_ok = reap_deleted_mounts_with_lock(ctx);
|
||||
bool reap_layers_ok = do_reap_layer_mounts_with_lock(ctx, layers_fd,
|
||||
num_preserve);
|
||||
if (reap_deleted_ok && reap_layers_ok) {
|
||||
rc = 0;
|
||||
}
|
||||
|
||||
release_runc_layers_lock(ctx);
|
||||
|
||||
cleanup:
|
||||
if (layers_fd != -1) {
|
||||
close(layers_fd);
|
||||
}
|
||||
free(layers_path);
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempt to trim the number of layer mounts to the specified target number to
|
||||
* preserve. Layers are unmounted in a least-recently-used fashion. Layers that
|
||||
* are still in use by containers are preserved, so the number of layers mounts
|
||||
* after trimming may exceed the target number.
|
||||
*
|
||||
* Returns 0 on success or a non-zero error code on failure.
|
||||
*/
|
||||
int reap_runc_layer_mounts(int num_preserve) {
|
||||
int rc = ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED;
|
||||
runc_base_ctx* ctx = setup_runc_base_ctx();
|
||||
if (ctx == NULL) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = reap_runc_layer_mounts_with_ctx(ctx, num_preserve);
|
||||
free_runc_base_ctx(ctx);
|
||||
return rc;
|
||||
}
|
@ -0,0 +1,39 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_REAP_H
|
||||
#define RUNC_RUNC_REAP_H
|
||||
|
||||
#include "runc_base_ctx.h"
|
||||
|
||||
/**
|
||||
* Attempt to trim the number of layer mounts to the specified target number to
|
||||
* preserve. Layers are unmounted in a least-recently-used fashion. Layers that
|
||||
* are still in use by containers are preserved, so the number of layers mounts
|
||||
* after trimming may exceed the target number.
|
||||
*
|
||||
* Returns 0 on success or a non-zero error code on failure.
|
||||
*/
|
||||
int reap_runc_layer_mounts(int num_preserve);
|
||||
|
||||
/**
|
||||
* Equivalent to reap_runc_layer_mounts but avoids the need to re-create the
|
||||
* runC base context.
|
||||
*/
|
||||
int reap_runc_layer_mounts_with_ctx(runc_base_ctx* ctx, int num_preserve);
|
||||
|
||||
#endif /* RUNC_RUNC_REAP_H */
|
@ -0,0 +1,497 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#include <sys/utsname.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "hadoop_user_info.h"
|
||||
|
||||
#include "container-executor.h"
|
||||
#include "utils/cJSON/cJSON.h"
|
||||
#include "utils/file-utils.h"
|
||||
#include "util.h"
|
||||
|
||||
#include "runc_launch_cmd.h"
|
||||
#include "runc_write_config.h"
|
||||
|
||||
#define RUNC_CONFIG_FILENAME "config.json"
|
||||
#define STARTING_JSON_BUFFER_SIZE (128*1024)
|
||||
|
||||
|
||||
static cJSON* build_runc_config_root(const char* rootfs_path) {
|
||||
cJSON* root = cJSON_CreateObject();
|
||||
if (cJSON_AddStringToObject(root, "path", rootfs_path) == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
if (cJSON_AddTrueToObject(root, "readonly") == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
return root;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(root);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* build_runc_config_process_user(const char* username) {
|
||||
cJSON* user_json = cJSON_CreateObject();
|
||||
struct hadoop_user_info* hui = hadoop_user_info_alloc();
|
||||
if (hui == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int rc = hadoop_user_info_fetch(hui, username);
|
||||
if (rc != 0) {
|
||||
fprintf(ERRORFILE, "Error looking up user %s : %s\n", username,
|
||||
strerror(rc));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (cJSON_AddNumberToObject(user_json, "uid", hui->pwd.pw_uid) == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
if (cJSON_AddNumberToObject(user_json, "gid", hui->pwd.pw_gid) == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
rc = hadoop_user_info_getgroups(hui);
|
||||
if (rc != 0) {
|
||||
fprintf(ERRORFILE, "Error getting groups for user %s : %s\n", username,
|
||||
strerror(rc));
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (hui->num_gids > 1) {
|
||||
cJSON* garray = cJSON_AddArrayToObject(user_json, "additionalGids");
|
||||
if (garray == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
// first gid entry is the primary group which is accounted for above
|
||||
for (int i = 1; i < hui->num_gids; ++i) {
|
||||
cJSON* g = cJSON_CreateNumber(hui->gids[i]);
|
||||
if (g == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToArray(garray, g);
|
||||
}
|
||||
}
|
||||
|
||||
return user_json;
|
||||
|
||||
fail:
|
||||
hadoop_user_info_free(hui);
|
||||
cJSON_Delete(user_json);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* build_runc_config_process(const runc_launch_cmd* rlc) {
|
||||
cJSON* process = cJSON_CreateObject();
|
||||
if (process == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cJSON_AddItemReferenceToObject(process, "args", rlc->config.process.args);
|
||||
cJSON_AddItemReferenceToObject(process, "cwd", rlc->config.process.cwd);
|
||||
cJSON_AddItemReferenceToObject(process, "env", rlc->config.process.env);
|
||||
if (cJSON_AddTrueToObject(process, "noNewPrivileges") == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
cJSON* user_json = build_runc_config_process_user(rlc->run_as_user);
|
||||
if (user_json == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(process, "user", user_json);
|
||||
|
||||
return process;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(process);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool add_mount_opts(cJSON* mount_json, va_list opts) {
|
||||
const char* opt = va_arg(opts, const char*);
|
||||
if (opt == NULL) {
|
||||
return true;
|
||||
}
|
||||
|
||||
cJSON* opts_array = cJSON_AddArrayToObject(mount_json, "options");
|
||||
if (opts_array == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
do {
|
||||
cJSON* opt_json = cJSON_CreateString(opt);
|
||||
if (opt_json == NULL) {
|
||||
return false;
|
||||
}
|
||||
cJSON_AddItemToArray(opts_array, opt_json);
|
||||
opt = va_arg(opts, const char*);
|
||||
} while (opt != NULL);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool add_mount_json(cJSON* mounts_array, const char* src,
|
||||
const char* dest, const char* fstype, ...) {
|
||||
bool result = false;
|
||||
cJSON* m = cJSON_CreateObject();
|
||||
if (cJSON_AddStringToObject(m, "source", src) == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
if (cJSON_AddStringToObject(m, "destination", dest) == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
if (cJSON_AddStringToObject(m, "type", fstype) == NULL) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
va_list vargs;
|
||||
va_start(vargs, fstype);
|
||||
result = add_mount_opts(m, vargs);
|
||||
va_end(vargs);
|
||||
|
||||
if (result) {
|
||||
cJSON_AddItemToArray(mounts_array, m);
|
||||
}
|
||||
|
||||
cleanup:
|
||||
if (!result) {
|
||||
cJSON_Delete(m);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool add_std_mounts_json(cJSON* mounts_array) {
|
||||
bool result = true;
|
||||
result &= add_mount_json(mounts_array, "proc", "/proc", "proc", NULL);
|
||||
result &= add_mount_json(mounts_array, "tmpfs", "/dev", "tmpfs",
|
||||
"nosuid", "strictatime", "mode=755", "size=65536k", NULL);
|
||||
result &= add_mount_json(mounts_array, "devpts", "/dev/pts", "devpts",
|
||||
"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5",
|
||||
NULL);
|
||||
result &= add_mount_json(mounts_array, "shm", "/dev/shm", "tmpfs",
|
||||
"nosuid", "noexec", "nodev", "mode=1777", "size=8g", NULL);
|
||||
result &= add_mount_json(mounts_array, "mqueue", "/dev/mqueue", "mqueue",
|
||||
"nosuid", "noexec", "nodev", NULL);
|
||||
result &= add_mount_json(mounts_array, "sysfs", "/sys", "sysfs",
|
||||
"nosuid", "noexec", "nodev", "ro", NULL);
|
||||
result &= add_mount_json(mounts_array, "cgroup", "/sys/fs/cgroup", "cgroup",
|
||||
"nosuid", "noexec", "nodev", "relatime", "ro", NULL);
|
||||
return result;
|
||||
}
|
||||
|
||||
static cJSON* build_runc_config_mounts(const runc_launch_cmd* rlc) {
|
||||
cJSON* mjson = cJSON_CreateArray();
|
||||
if (!add_std_mounts_json(mjson)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
cJSON* e;
|
||||
cJSON_ArrayForEach(e, rlc->config.mounts) {
|
||||
cJSON_AddItemReferenceToArray(mjson, e);
|
||||
}
|
||||
|
||||
return mjson;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(mjson);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* get_default_linux_devices_json() {
|
||||
cJSON* devs = cJSON_CreateArray();
|
||||
if (devs == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cJSON* o = cJSON_CreateObject();
|
||||
if (o == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToArray(devs, o);
|
||||
|
||||
if (cJSON_AddStringToObject(o, "access", "rwm") == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (cJSON_AddFalseToObject(o, "allow") == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
return devs;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(devs);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool add_linux_cgroups_json(cJSON* ljson, const runc_launch_cmd* rlc) {
|
||||
cJSON* cj = cJSON_GetObjectItemCaseSensitive(rlc->config.linux_config,
|
||||
"cgroupsPath");
|
||||
if (cj != NULL) {
|
||||
cJSON_AddItemReferenceToObject(ljson, "cgroupsPath", cj);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool add_linux_resources_json(cJSON* ljson, const runc_launch_cmd* rlc) {
|
||||
cJSON* robj = cJSON_AddObjectToObject(ljson, "resources");
|
||||
if (robj == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
cJSON* devs = get_default_linux_devices_json();
|
||||
if (devs == NULL) {
|
||||
return false;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(robj, "devices", devs);
|
||||
|
||||
const cJSON* rlc_rsrc = cJSON_GetObjectItemCaseSensitive(
|
||||
rlc->config.linux_config, "resources");
|
||||
cJSON* e;
|
||||
cJSON_ArrayForEach(e, rlc_rsrc) {
|
||||
if (strcmp("devices", e->string) == 0) {
|
||||
cJSON* dev_e;
|
||||
cJSON_ArrayForEach(dev_e, e) {
|
||||
cJSON_AddItemReferenceToArray(devs, dev_e);
|
||||
}
|
||||
} else {
|
||||
cJSON_AddItemReferenceToObject(robj, e->string, e);
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool add_linux_namespace_json(cJSON* ljson, const char* ns_type) {
|
||||
cJSON* ns = cJSON_CreateObject();
|
||||
if (ns == NULL) {
|
||||
return false;
|
||||
}
|
||||
cJSON_AddItemToArray(ljson, ns);
|
||||
return (cJSON_AddStringToObject(ns, "type", ns_type) != NULL);
|
||||
}
|
||||
|
||||
static bool add_linux_namespaces_json(cJSON* ljson) {
|
||||
cJSON* ns_array = cJSON_AddArrayToObject(ljson, "namespaces");
|
||||
if (ns_array == NULL) {
|
||||
return false;
|
||||
}
|
||||
bool result = add_linux_namespace_json(ns_array, "pid");
|
||||
result &= add_linux_namespace_json(ns_array, "ipc");
|
||||
result &= add_linux_namespace_json(ns_array, "uts");
|
||||
result &= add_linux_namespace_json(ns_array, "mount");
|
||||
return result;
|
||||
}
|
||||
|
||||
static const char* runc_masked_paths[] = {
|
||||
"/proc/kcore",
|
||||
"/proc/latency_stats",
|
||||
"/proc/timer_list",
|
||||
"/proc/timer_stats",
|
||||
"/proc/sched_debug",
|
||||
"/proc/scsi",
|
||||
"/sys/firmware"
|
||||
};
|
||||
|
||||
static bool add_linux_masked_paths_json(cJSON* ljson) {
|
||||
size_t num_paths = sizeof(runc_masked_paths) / sizeof(runc_masked_paths[0]);
|
||||
cJSON* paths = cJSON_CreateStringArray(runc_masked_paths, num_paths);
|
||||
if (paths == NULL) {
|
||||
return false;
|
||||
}
|
||||
cJSON_AddItemToObject(ljson, "maskedPaths", paths);
|
||||
return true;
|
||||
}
|
||||
|
||||
static const char* runc_readonly_paths[] = {
|
||||
"/proc/asound",
|
||||
"/proc/bus",
|
||||
"/proc/fs",
|
||||
"/proc/irq",
|
||||
"/proc/sys",
|
||||
"/proc/sysrq-trigger"
|
||||
};
|
||||
|
||||
static bool add_linux_readonly_paths_json(cJSON* ljson) {
|
||||
size_t num_paths = sizeof(runc_readonly_paths) / sizeof(runc_readonly_paths[0]);
|
||||
cJSON* paths = cJSON_CreateStringArray(runc_readonly_paths, num_paths);
|
||||
if (paths == NULL) {
|
||||
return false;
|
||||
}
|
||||
cJSON_AddItemToObject(ljson, "readonlyPaths", paths);
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool add_linux_seccomp_json(cJSON* ljson, const runc_launch_cmd* rlc) {
|
||||
cJSON* sj = cJSON_GetObjectItemCaseSensitive(rlc->config.linux_config,
|
||||
"seccomp");
|
||||
if (sj != NULL) {
|
||||
cJSON_AddItemReferenceToObject(ljson, "seccomp", sj);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static cJSON* build_runc_config_linux(const runc_launch_cmd* rlc) {
|
||||
cJSON* ljson = cJSON_CreateObject();
|
||||
if (ljson == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!add_linux_cgroups_json(ljson, rlc)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!add_linux_resources_json(ljson, rlc)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!add_linux_namespaces_json(ljson)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!add_linux_masked_paths_json(ljson)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!add_linux_readonly_paths_json(ljson)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!add_linux_seccomp_json(ljson, rlc)) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
return ljson;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(ljson);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char* build_runc_config(const runc_launch_cmd* rlc,
|
||||
const char* rootfs_path) {
|
||||
char* json_data = NULL;
|
||||
|
||||
cJSON* rcj = build_runc_config_json(rlc, rootfs_path);
|
||||
|
||||
json_data = cJSON_PrintBuffered(rcj, STARTING_JSON_BUFFER_SIZE, false);
|
||||
|
||||
return json_data;
|
||||
}
|
||||
|
||||
cJSON* build_runc_config_json(const runc_launch_cmd* rlc,
|
||||
const char* rootfs_path) {
|
||||
cJSON* rcj = cJSON_CreateObject();
|
||||
if (rcj == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (cJSON_AddStringToObject(rcj, "runcVersion", "1.0.0") == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
struct utsname uts;
|
||||
uname(&uts);
|
||||
if (cJSON_AddStringToObject(rcj, "hostname", uts.nodename) == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
cJSON* item = build_runc_config_root(rootfs_path);
|
||||
if (item == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(rcj, "root", item);
|
||||
|
||||
item = build_runc_config_process(rlc);
|
||||
if (item == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(rcj, "process", item);
|
||||
|
||||
item = build_runc_config_mounts(rlc);
|
||||
if (item == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(rcj, "mounts", item);
|
||||
|
||||
item = build_runc_config_linux(rlc);
|
||||
if (item == NULL) {
|
||||
goto fail;
|
||||
}
|
||||
cJSON_AddItemToObjectCS(rcj, "linux", item);
|
||||
return rcj;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(rcj);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char* get_runc_config_path(const char* pid_file) {
|
||||
char* dir_end = strrchr(pid_file, '/');
|
||||
if (dir_end == NULL) {
|
||||
fprintf(ERRORFILE, "Error pid file %s has no parent directory\n", pid_file);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int dir_len = (dir_end + 1) - pid_file; // include trailing slash
|
||||
char* config_path = malloc(dir_len + strlen(RUNC_CONFIG_FILENAME) + 1);
|
||||
if (config_path == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
char* cp = stpncpy(config_path, pid_file, dir_len);
|
||||
stpcpy(cp, RUNC_CONFIG_FILENAME);
|
||||
return config_path;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the runC runtime configuration file for a container.
|
||||
*
|
||||
* Returns the path to the written configuration file or NULL on error.
|
||||
*/
|
||||
char* write_runc_runc_config(const runc_launch_cmd* rlc,
|
||||
const char* rootfs_path) {
|
||||
char* config_data = build_runc_config(rlc, rootfs_path);
|
||||
if (config_data == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
char* runc_config_path = get_runc_config_path(rlc->pid_file);
|
||||
if (runc_config_path == NULL) {
|
||||
fputs("Unable to generate runc config path\n", ERRORFILE);
|
||||
free(config_data);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
bool write_ok = write_file_as_nm(runc_config_path, config_data,
|
||||
strlen(config_data));
|
||||
free(config_data);
|
||||
if (!write_ok) {
|
||||
free(runc_config_path);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return runc_config_path;
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef RUNC_RUNC_WRITE_CONFIG_H
|
||||
#define RUNC_RUNC_WRITE_CONFIG_H
|
||||
|
||||
/**
|
||||
* * Creates a runC runtime configuration JSON
|
||||
* *
|
||||
* * Returns the config JSON or NULL on error
|
||||
* */
|
||||
cJSON* build_runc_config_json(const runc_launch_cmd* rlc,
|
||||
const char* rootfs_path);
|
||||
|
||||
/**
|
||||
* Creates the runC runtime configuration file for a container.
|
||||
*
|
||||
* Returns the path to the written configuration file or NULL on error.
|
||||
*/
|
||||
char* write_runc_runc_config(const runc_launch_cmd* rlc, const char* rootfs_path);
|
||||
|
||||
#endif /* RUNC_RUNC_WRITE_CONFIG_H */
|
@ -323,6 +323,12 @@ const char *get_error_message(const int error_code) {
|
||||
return "Invalid docker runtime";
|
||||
case DOCKER_SERVICE_MODE_DISABLED:
|
||||
return "Docker service mode disabled";
|
||||
case ERROR_RUNC_SETUP_FAILED:
|
||||
return "runC setup failed";
|
||||
case ERROR_RUNC_RUN_FAILED:
|
||||
return "runC run failed";
|
||||
case ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED:
|
||||
return "runC reap layer mounts failed";
|
||||
default:
|
||||
return "Unknown error code";
|
||||
}
|
||||
|
@ -100,7 +100,10 @@ enum errorcodes {
|
||||
INVALID_DOCKER_IMAGE_TRUST = 72,
|
||||
INVALID_DOCKER_TMPFS_MOUNT = 73,
|
||||
INVALID_DOCKER_RUNTIME = 74,
|
||||
DOCKER_SERVICE_MODE_DISABLED = 75
|
||||
DOCKER_SERVICE_MODE_DISABLED = 75,
|
||||
ERROR_RUNC_SETUP_FAILED = 76,
|
||||
ERROR_RUNC_RUN_FAILED = 77,
|
||||
ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED = 78
|
||||
};
|
||||
|
||||
/* Macros for min/max. */
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,285 @@
|
||||
/*
|
||||
Copyright (c) 2009-2017 Dave Gamble and cJSON contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef cJSON__h
|
||||
#define cJSON__h
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
{
|
||||
#endif
|
||||
|
||||
#if !defined(__WINDOWS__) && (defined(WIN32) || defined(WIN64) || defined(_MSC_VER) || defined(_WIN32))
|
||||
#define __WINDOWS__
|
||||
#endif
|
||||
|
||||
#ifdef __WINDOWS__
|
||||
|
||||
/* When compiling for windows, we specify a specific calling convention to avoid issues where we are being called from a project with a different default calling convention. For windows you have 3 define options:
|
||||
|
||||
CJSON_HIDE_SYMBOLS - Define this in the case where you don't want to ever dllexport symbols
|
||||
CJSON_EXPORT_SYMBOLS - Define this on library build when you want to dllexport symbols (default)
|
||||
CJSON_IMPORT_SYMBOLS - Define this if you want to dllimport symbol
|
||||
|
||||
For *nix builds that support visibility attribute, you can define similar behavior by
|
||||
|
||||
setting default visibility to hidden by adding
|
||||
-fvisibility=hidden (for gcc)
|
||||
or
|
||||
-xldscope=hidden (for sun cc)
|
||||
to CFLAGS
|
||||
|
||||
then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJSON_EXPORT_SYMBOLS does
|
||||
|
||||
*/
|
||||
|
||||
#define CJSON_CDECL __cdecl
|
||||
#define CJSON_STDCALL __stdcall
|
||||
|
||||
/* export symbols by default, this is necessary for copy pasting the C and header file */
|
||||
#if !defined(CJSON_HIDE_SYMBOLS) && !defined(CJSON_IMPORT_SYMBOLS) && !defined(CJSON_EXPORT_SYMBOLS)
|
||||
#define CJSON_EXPORT_SYMBOLS
|
||||
#endif
|
||||
|
||||
#if defined(CJSON_HIDE_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) type CJSON_STDCALL
|
||||
#elif defined(CJSON_EXPORT_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) __declspec(dllexport) type CJSON_STDCALL
|
||||
#elif defined(CJSON_IMPORT_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) __declspec(dllimport) type CJSON_STDCALL
|
||||
#endif
|
||||
#else /* !__WINDOWS__ */
|
||||
#define CJSON_CDECL
|
||||
#define CJSON_STDCALL
|
||||
|
||||
#if (defined(__GNUC__) || defined(__SUNPRO_CC) || defined (__SUNPRO_C)) && defined(CJSON_API_VISIBILITY)
|
||||
#define CJSON_PUBLIC(type) __attribute__((visibility("default"))) type
|
||||
#else
|
||||
#define CJSON_PUBLIC(type) type
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* project version */
|
||||
#define CJSON_VERSION_MAJOR 1
|
||||
#define CJSON_VERSION_MINOR 7
|
||||
#define CJSON_VERSION_PATCH 8
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
/* cJSON Types: */
|
||||
#define cJSON_Invalid (0)
|
||||
#define cJSON_False (1 << 0)
|
||||
#define cJSON_True (1 << 1)
|
||||
#define cJSON_NULL (1 << 2)
|
||||
#define cJSON_Number (1 << 3)
|
||||
#define cJSON_String (1 << 4)
|
||||
#define cJSON_Array (1 << 5)
|
||||
#define cJSON_Object (1 << 6)
|
||||
#define cJSON_Raw (1 << 7) /* raw json */
|
||||
|
||||
#define cJSON_IsReference 256
|
||||
#define cJSON_StringIsConst 512
|
||||
|
||||
/* The cJSON structure: */
|
||||
typedef struct cJSON
|
||||
{
|
||||
/* next/prev allow you to walk array/object chains. Alternatively, use GetArraySize/GetArrayItem/GetObjectItem */
|
||||
struct cJSON *next;
|
||||
struct cJSON *prev;
|
||||
/* An array or object item will have a child pointer pointing to a chain of the items in the array/object. */
|
||||
struct cJSON *child;
|
||||
|
||||
/* The type of the item, as above. */
|
||||
int type;
|
||||
|
||||
/* The item's string, if type==cJSON_String and type == cJSON_Raw */
|
||||
char *valuestring;
|
||||
/* writing to valueint is DEPRECATED, use cJSON_SetNumberValue instead */
|
||||
int valueint;
|
||||
/* The item's number, if type==cJSON_Number */
|
||||
double valuedouble;
|
||||
|
||||
/* The item's name string, if this item is the child of, or is in the list of subitems of an object. */
|
||||
char *string;
|
||||
} cJSON;
|
||||
|
||||
typedef struct cJSON_Hooks
|
||||
{
|
||||
/* malloc/free are CDECL on Windows regardless of the default calling convention of the compiler, so ensure the hooks allow passing those functions directly. */
|
||||
void *(CJSON_CDECL *malloc_fn)(size_t sz);
|
||||
void (CJSON_CDECL *free_fn)(void *ptr);
|
||||
} cJSON_Hooks;
|
||||
|
||||
typedef int cJSON_bool;
|
||||
|
||||
/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them.
|
||||
* This is to prevent stack overflows. */
|
||||
#ifndef CJSON_NESTING_LIMIT
|
||||
#define CJSON_NESTING_LIMIT 1000
|
||||
#endif
|
||||
|
||||
/* returns the version of cJSON as a string */
|
||||
CJSON_PUBLIC(const char*) cJSON_Version(void);
|
||||
|
||||
/* Supply malloc, realloc and free functions to cJSON */
|
||||
CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks);
|
||||
|
||||
/* Memory Management: the caller is always responsible to free the results from all variants of cJSON_Parse (with cJSON_Delete) and cJSON_Print (with stdlib free, cJSON_Hooks.free_fn, or cJSON_free as appropriate). The exception is cJSON_PrintPreallocated, where the caller has full responsibility of the buffer. */
|
||||
/* Supply a block of JSON, and this returns a cJSON object you can interrogate. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value);
|
||||
/* ParseWithOpts allows you to require (and check) that the JSON is null terminated, and to retrieve the pointer to the final byte parsed. */
|
||||
/* If you supply a ptr in return_parse_end and parsing fails, then return_parse_end will contain a pointer to the error so will match cJSON_GetErrorPtr(). */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated);
|
||||
|
||||
/* Render a cJSON entity to text for transfer/storage. */
|
||||
CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item);
|
||||
/* Render a cJSON entity to text for transfer/storage without any formatting. */
|
||||
CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item);
|
||||
/* Render a cJSON entity to text using a buffered strategy. prebuffer is a guess at the final size. guessing well reduces reallocation. fmt=0 gives unformatted, =1 gives formatted */
|
||||
CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt);
|
||||
/* Render a cJSON entity to text using a buffer already allocated in memory with given length. Returns 1 on success and 0 on failure. */
|
||||
/* NOTE: cJSON is not always 100% accurate in estimating how much memory it will use, so to be safe allocate 5 bytes more than you actually need */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format);
|
||||
/* Delete a cJSON entity and all subentities. */
|
||||
CJSON_PUBLIC(void) cJSON_Delete(cJSON *c);
|
||||
|
||||
/* Returns the number of items in an array (or object). */
|
||||
CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array);
|
||||
/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index);
|
||||
/* Get item "string" from object. Case insensitive. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string);
|
||||
/* For analysing failed parses. This returns a pointer to the parse error. You'll probably need to look a few chars back to make sense of it. Defined when cJSON_Parse() returns 0. 0 when cJSON_Parse() succeeds. */
|
||||
CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void);
|
||||
|
||||
/* Check if the item is a string and return its valuestring */
|
||||
CJSON_PUBLIC(char *) cJSON_GetStringValue(cJSON *item);
|
||||
|
||||
/* These functions check the type of an item */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item);
|
||||
|
||||
/* These calls create a cJSON item of the appropriate type. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string);
|
||||
/* raw json */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void);
|
||||
|
||||
/* Create a string where valuestring references a string so
|
||||
* it will not be freed by cJSON_Delete */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string);
|
||||
/* Create an object/arrray that only references it's elements so
|
||||
* they will not be freed by cJSON_Delete */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child);
|
||||
|
||||
/* These utilities create an Array of count items. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char **strings, int count);
|
||||
|
||||
/* Append item to the specified array/object. */
|
||||
CJSON_PUBLIC(void) cJSON_AddItemToArray(cJSON *array, cJSON *item);
|
||||
CJSON_PUBLIC(void) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item);
|
||||
/* Use this when string is definitely const (i.e. a literal, or as good as), and will definitely survive the cJSON object.
|
||||
* WARNING: When this function was used, make sure to always check that (item->type & cJSON_StringIsConst) is zero before
|
||||
* writing to `item->string` */
|
||||
CJSON_PUBLIC(void) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item);
|
||||
/* Append reference to item to the specified array/object. Use this when you want to add an existing cJSON to a new cJSON, but don't want to corrupt your existing cJSON. */
|
||||
CJSON_PUBLIC(void) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item);
|
||||
CJSON_PUBLIC(void) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item);
|
||||
|
||||
/* Remove/Detatch items from Arrays/Objects. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string);
|
||||
|
||||
/* Update array items. */
|
||||
CJSON_PUBLIC(void) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem); /* Shifts pre-existing items to the right. */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement);
|
||||
CJSON_PUBLIC(void) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem);
|
||||
CJSON_PUBLIC(void) cJSON_ReplaceItemInObject(cJSON *object,const char *string,cJSON *newitem);
|
||||
CJSON_PUBLIC(void) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object,const char *string,cJSON *newitem);
|
||||
|
||||
/* Duplicate a cJSON item */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse);
|
||||
/* Duplicate will create a new, identical cJSON item to the one you pass, in new memory that will
|
||||
need to be released. With recurse!=0, it will duplicate any children connected to the item.
|
||||
The item->next and ->prev pointers are always zero on return from Duplicate. */
|
||||
/* Recursively compare two cJSON items for equality. If either a or b is NULL or invalid, they will be considered unequal.
|
||||
* case_sensitive determines if object keys are treated case sensitive (1) or case insensitive (0) */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive);
|
||||
|
||||
|
||||
CJSON_PUBLIC(void) cJSON_Minify(char *json);
|
||||
|
||||
/* Helper functions for creating and adding items to an object at the same time.
|
||||
* They return the added item or NULL on failure. */
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name);
|
||||
|
||||
/* When assigning an integer value, it needs to be propagated to valuedouble too. */
|
||||
#define cJSON_SetIntValue(object, number) ((object) ? (object)->valueint = (object)->valuedouble = (number) : (number))
|
||||
/* helper for the cJSON_SetNumberValue macro */
|
||||
CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number);
|
||||
#define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number))
|
||||
|
||||
/* Macro for iterating over an array or object */
|
||||
#define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next)
|
||||
|
||||
/* malloc/free objects using the malloc/free functions that have been set with cJSON_InitHooks */
|
||||
CJSON_PUBLIC(void *) cJSON_malloc(size_t size);
|
||||
CJSON_PUBLIC(void) cJSON_free(void *object);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
@ -0,0 +1,173 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#define FILE_BUFFER_INCREMENT (128*1024)
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "container-executor.h"
|
||||
#include "file-utils.h"
|
||||
#include "util.h"
|
||||
|
||||
/**
|
||||
* Read the contents of the specified file into an allocated buffer and return
|
||||
* the contents as a NUL-terminated string. NOTE: The file contents must not
|
||||
* contain a NUL character or the result will appear to be truncated.
|
||||
*
|
||||
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
|
||||
*/
|
||||
char* read_file_to_string(const char* filename) {
|
||||
char* buff = NULL;
|
||||
int rc = -1;
|
||||
int fd = open(filename, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
fprintf(ERRORFILE, "Error opening %s : %s\n", filename, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
struct stat filestat;
|
||||
if (fstat(fd, &filestat) != 0) {
|
||||
fprintf(ERRORFILE, "Error examining %s : %s\n", filename, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
size_t buff_size = FILE_BUFFER_INCREMENT;
|
||||
if (S_ISREG(filestat.st_mode)) {
|
||||
buff_size = filestat.st_size + 1; // +1 for terminating NUL
|
||||
}
|
||||
buff = malloc(buff_size);
|
||||
if (buff == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", buff_size);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
int bytes_left = buff_size;
|
||||
char* cp = buff;
|
||||
int bytes_read;
|
||||
while ((bytes_read = read(fd, cp, bytes_left)) > 0) {
|
||||
cp += bytes_read;
|
||||
bytes_left -= bytes_read;
|
||||
if (bytes_left == 0) {
|
||||
buff_size += FILE_BUFFER_INCREMENT;
|
||||
bytes_left += FILE_BUFFER_INCREMENT;
|
||||
buff = realloc(buff, buff_size);
|
||||
if (buff == NULL) {
|
||||
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", buff_size);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (bytes_left < 0) {
|
||||
fprintf(ERRORFILE, "Error reading %s : %s\n", filename, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
*cp = '\0';
|
||||
rc = 0;
|
||||
|
||||
cleanup:
|
||||
if (fd != -1) {
|
||||
close(fd);
|
||||
}
|
||||
if (rc != 0) {
|
||||
free(buff);
|
||||
buff = NULL;
|
||||
}
|
||||
return buff;
|
||||
}
|
||||
|
||||
/**
|
||||
* Read a file to a string as the YARN nodemanager user and returns the
|
||||
* result as a string. See read_file_to_string for more details.
|
||||
*
|
||||
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
|
||||
*/
|
||||
char* read_file_to_string_as_nm_user(const char* filename) {
|
||||
uid_t user = geteuid();
|
||||
gid_t group = getegid();
|
||||
if (change_effective_user_to_nm() != 0) {
|
||||
fputs("Cannot change to nm user\n", ERRORFILE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
char* buff = read_file_to_string(filename);
|
||||
if (change_effective_user(user, group) != 0) {
|
||||
fputs("Cannot revert to previous user\n", ERRORFILE);
|
||||
free(buff);
|
||||
return NULL;
|
||||
}
|
||||
return buff;
|
||||
}
|
||||
|
||||
/**
|
||||
* Write a sequence of bytes to a new file as the YARN nodemanager user.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool write_file_as_nm(const char* path, const void* data, size_t count) {
|
||||
bool result = false;
|
||||
int fd = -1;
|
||||
uid_t orig_user = geteuid();
|
||||
gid_t orig_group = getegid();
|
||||
if (change_effective_user_to_nm() != 0) {
|
||||
fputs("Error changing to NM user and group\n", ERRORFILE);
|
||||
return false;
|
||||
}
|
||||
|
||||
fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
|
||||
if (fd == -1) {
|
||||
fprintf(ERRORFILE, "Error creating %s : %s\n", path, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
const uint8_t* bp = (const uint8_t*)data;
|
||||
while (count > 0) {
|
||||
ssize_t bytes_written = write(fd, bp, count);
|
||||
if (bytes_written == -1) {
|
||||
fprintf(ERRORFILE, "Error writing to %s : %s\n", path, strerror(errno));
|
||||
goto cleanup;
|
||||
}
|
||||
bp += bytes_written;
|
||||
count -= bytes_written;
|
||||
}
|
||||
|
||||
result = true;
|
||||
|
||||
cleanup:
|
||||
if (fd != -1) {
|
||||
if (close(fd) == -1) {
|
||||
fprintf(ERRORFILE, "Error writing to %s : %s\n", path, strerror(errno));
|
||||
result = false;
|
||||
}
|
||||
}
|
||||
|
||||
if (change_effective_user(orig_user, orig_group) != 0) {
|
||||
fputs("Cannot restore original user/group\n", ERRORFILE);
|
||||
result = false;
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
@ -0,0 +1,47 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef UTILS_FILE_UTILS_H
|
||||
#define UTILS_FILE_UTILS_H
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
/**
|
||||
* Read the contents of the specified file into an allocated buffer and return
|
||||
* the contents as a NUL-terminated string. NOTE: The file contents must not
|
||||
* contain a NUL character or the result will appear to be truncated.
|
||||
*
|
||||
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
|
||||
*/
|
||||
char* read_file_to_string(const char* filename);
|
||||
|
||||
/**
|
||||
* Read a file to a string as the YARN nodemanager user and returns the
|
||||
* result as a string. See read_file_to_string for more details.
|
||||
*
|
||||
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
|
||||
*/
|
||||
char* read_file_to_string_as_nm_user(const char* filename);
|
||||
|
||||
/**
|
||||
* Write a sequence of bytes to a new file as the YARN nodemanager user.
|
||||
*
|
||||
* Returns true on success or false on error.
|
||||
*/
|
||||
bool write_file_as_nm(const char* path, const void* data, size_t count);
|
||||
|
||||
#endif /* UTILS_FILE_UTILS_H */
|
@ -22,11 +22,14 @@
|
||||
#include <dirent.h>
|
||||
#include <limits.h>
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
#include <strings.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "string-utils.h"
|
||||
|
||||
/*
|
||||
* if all chars in the input str are numbers
|
||||
* return true/false
|
||||
@ -189,3 +192,172 @@ int str_ends_with(const char *s, const char *suffix) {
|
||||
size_t suffix_len = strlen(suffix);
|
||||
return suffix_len <= slen && !strcmp(s + slen - suffix_len, suffix);
|
||||
}
|
||||
|
||||
/* Returns the corresponding hexadecimal character for a nibble. */
|
||||
static char nibble_to_hex(unsigned char nib) {
|
||||
return nib < 10 ? '0' + nib : 'a' + nib - 10;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a sequence of bytes into a hexadecimal string.
|
||||
*
|
||||
* Returns a pointer to the allocated string on success or NULL on error.
|
||||
*/
|
||||
char* to_hexstring(unsigned char* bytes, unsigned int len) {
|
||||
char* hexstr = malloc(len * 2 + 1);
|
||||
if (hexstr == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
unsigned char* src = bytes;
|
||||
char* dest = hexstr;
|
||||
for (unsigned int i = 0; i < len; ++i) {
|
||||
unsigned char val = *src++;
|
||||
*dest++ = nibble_to_hex((val >> 4) & 0xF);
|
||||
*dest++ = nibble_to_hex(val & 0xF);
|
||||
}
|
||||
*dest = '\0';
|
||||
return hexstr;
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize an uninitialized strbuf with the specified initial capacity.
|
||||
*
|
||||
* Returns true on success or false if memory could not be allocated.
|
||||
*/
|
||||
bool strbuf_init(strbuf* sb, size_t initial_capacity) {
|
||||
memset(sb, 0, sizeof(*sb));
|
||||
char* new_buffer = malloc(initial_capacity);
|
||||
if (new_buffer == NULL) {
|
||||
return false;
|
||||
}
|
||||
sb->buffer = new_buffer;
|
||||
sb->capacity = initial_capacity;
|
||||
sb->length = 0;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allocate and initialize a strbuf with the specified initial capacity.
|
||||
*
|
||||
* Returns a pointer to the allocated and initialized strbuf or NULL on error.
|
||||
*/
|
||||
strbuf* strbuf_alloc(size_t initial_capacity) {
|
||||
strbuf* sb = malloc(sizeof(*sb));
|
||||
if (sb != NULL) {
|
||||
if (!strbuf_init(sb, initial_capacity)) {
|
||||
free(sb);
|
||||
sb = NULL;
|
||||
}
|
||||
}
|
||||
return sb;
|
||||
}
|
||||
|
||||
/**
|
||||
* Detach the underlying character buffer from a string buffer.
|
||||
*
|
||||
* Returns the heap-allocated, NULL-terminated character buffer.
|
||||
* NOTE: The caller is responsible for freeing the result.
|
||||
*/
|
||||
char* strbuf_detach_buffer(strbuf* sb) {
|
||||
char* result = NULL;
|
||||
if (sb != NULL) {
|
||||
result = sb->buffer;
|
||||
sb->buffer = NULL;
|
||||
sb->length = 0;
|
||||
sb->capacity = 0;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Release memory associated with a strbuf but not the strbuf structure itself.
|
||||
* Useful for stack-allocated strbuf objects or structures that embed a strbuf.
|
||||
* Use strbuf_free for heap-allocated string buffers.
|
||||
*/
|
||||
void strbuf_destroy(strbuf* sb) {
|
||||
if (sb != NULL) {
|
||||
free(sb->buffer);
|
||||
sb->buffer = NULL;
|
||||
sb->capacity = 0;
|
||||
sb->length = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Free a strbuf and all memory associated with it.
|
||||
*/
|
||||
void strbuf_free(strbuf* sb) {
|
||||
if (sb != NULL) {
|
||||
strbuf_destroy(sb);
|
||||
free(sb);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Resize a strbuf to the specified new capacity.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool strbuf_realloc(strbuf* sb, size_t new_capacity) {
|
||||
if (new_capacity < sb->length + 1) {
|
||||
// New capacity would result in a truncation of the existing string.
|
||||
return false;
|
||||
}
|
||||
|
||||
char* new_buffer = realloc(sb->buffer, new_capacity);
|
||||
if (!new_buffer) {
|
||||
return false;
|
||||
}
|
||||
|
||||
sb->buffer = new_buffer;
|
||||
sb->capacity = new_capacity;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Append a formatted string to the current contents of a strbuf.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool strbuf_append_fmt(strbuf* sb, size_t realloc_extra,
|
||||
const char* fmt, ...) {
|
||||
if (sb->length > sb->capacity) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (sb->length == sb->capacity) {
|
||||
size_t incr = (realloc_extra == 0) ? 1024 : realloc_extra;
|
||||
if (!strbuf_realloc(sb, sb->capacity + incr)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
size_t remain = sb->capacity - sb->length;
|
||||
va_list vargs;
|
||||
va_start(vargs, fmt);
|
||||
int needed = vsnprintf(sb->buffer + sb->length, remain, fmt, vargs);
|
||||
va_end(vargs);
|
||||
if (needed == -1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
needed += 1; // vsnprintf result does NOT include terminating NUL
|
||||
if (needed > remain) {
|
||||
// result was truncated so need to realloc and reprint
|
||||
size_t new_size = sb->length + needed + realloc_extra;
|
||||
if (!strbuf_realloc(sb, new_size)) {
|
||||
return false;
|
||||
}
|
||||
remain = sb->capacity - sb->length;
|
||||
va_start(vargs, fmt);
|
||||
needed = vsnprintf(sb->buffer + sb->length, remain, fmt, vargs);
|
||||
va_end(vargs);
|
||||
if (needed == -1) {
|
||||
return false;
|
||||
}
|
||||
needed += 1; // vsnprintf result does NOT include terminating NUL
|
||||
}
|
||||
|
||||
sb->length += needed - 1; // length does not include terminating NUL
|
||||
return true;
|
||||
}
|
||||
|
@ -23,6 +23,16 @@
|
||||
#ifndef _UTILS_STRING_UTILS_H_
|
||||
#define _UTILS_STRING_UTILS_H_
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
|
||||
typedef struct strbuf_struct {
|
||||
char* buffer; // points to beginning of the string
|
||||
size_t length; // strlen of buffer (sans trailing NUL)
|
||||
size_t capacity; // capacity of the buffer
|
||||
} strbuf;
|
||||
|
||||
|
||||
/*
|
||||
* Get numbers split by comma from a input string
|
||||
* return false/true
|
||||
@ -44,4 +54,61 @@ char *make_string(const char *fmt, ...);
|
||||
* return 1 if succeeded
|
||||
*/
|
||||
int str_ends_with(const char *s, const char *suffix);
|
||||
|
||||
/**
|
||||
* Converts a sequence of bytes into a hexadecimal string.
|
||||
*
|
||||
* Returns a pointer to the allocated string on success or NULL on error.
|
||||
*/
|
||||
char* to_hexstring(unsigned char* bytes, unsigned int len);
|
||||
|
||||
/**
|
||||
* Allocate and initialize a strbuf with the specified initial capacity.
|
||||
*
|
||||
* Returns a pointer to the allocated and initialized strbuf or NULL on error.
|
||||
*/
|
||||
strbuf* strbuf_alloc(size_t initial_capacity);
|
||||
|
||||
/**
|
||||
* Initialize an uninitialized strbuf with the specified initial capacity.
|
||||
*
|
||||
* Returns true on success or false if memory could not be allocated.
|
||||
*/
|
||||
bool strbuf_init(strbuf* sb, size_t initial_capacity);
|
||||
|
||||
/**
|
||||
* Resize a strbuf to the specified new capacity.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool strbuf_realloc(strbuf* sb, size_t new_capacity);
|
||||
|
||||
/**
|
||||
* Detach the underlying character buffer from a string buffer.
|
||||
*
|
||||
* Returns the heap-allocated, NULL-terminated character buffer.
|
||||
* NOTE: The caller is responsible for freeing the result.
|
||||
*/
|
||||
char* strbuf_detach_buffer(strbuf* sb);
|
||||
|
||||
/**
|
||||
* Releases the memory underneath a string buffer but does NOT free the
|
||||
* strbuf structure itself. This is particularly useful for stack-allocated
|
||||
* strbuf objects or structures that embed a strbuf structure.
|
||||
* strbuf_free should be used for heap-allocated string buffers.
|
||||
*/
|
||||
void strbuf_destroy(strbuf* sb);
|
||||
|
||||
/**
|
||||
* Free a strbuf and all memory associated with it.
|
||||
*/
|
||||
void strbuf_free(strbuf* sb);
|
||||
|
||||
/**
|
||||
* Append a formatted string to the current contents of a strbuf.
|
||||
*
|
||||
* Returns true on success or false if there was an error.
|
||||
*/
|
||||
bool strbuf_append_fmt(strbuf* sb, size_t realloc_extra, const char* fmt, ...);
|
||||
|
||||
#endif
|
||||
|
@ -17,16 +17,86 @@
|
||||
*/
|
||||
|
||||
#include <gtest/gtest.h>
|
||||
#include <main/native/container-executor/impl/util.h>
|
||||
#include <cstdio>
|
||||
#include <pwd.h>
|
||||
|
||||
extern "C" {
|
||||
#include "util.h"
|
||||
#include "container-executor.h"
|
||||
}
|
||||
|
||||
#define TMPDIR "/tmp"
|
||||
#define TEST_ROOT TMPDIR "/test-container-executor"
|
||||
|
||||
int write_config_file(const char *file_name, int banned) {
|
||||
FILE *file;
|
||||
file = fopen(file_name, "w");
|
||||
if (file == NULL) {
|
||||
printf("Failed to open %s.\n", file_name);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
if (banned != 0) {
|
||||
fprintf(file, "banned.users=bannedUser\n");
|
||||
fprintf(file, "min.user.id=500\n");
|
||||
} else {
|
||||
fprintf(file, "min.user.id=0\n");
|
||||
}
|
||||
fprintf(file, "allowed.system.users=allowedUser,daemon\n");
|
||||
fprintf(file, "feature.yarn.sysfs.enabled=1\n");
|
||||
fclose(file);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
ERRORFILE = stderr;
|
||||
LOGFILE = stdout;
|
||||
|
||||
printf("\nMaking test dir\n");
|
||||
if (mkdirs(TEST_ROOT, 0755) != 0) {
|
||||
exit(1);
|
||||
}
|
||||
if (chmod(TEST_ROOT, 0755) != 0) { // in case of umask
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// We need a valid config before the test really starts for the check_user
|
||||
// and set_user calls
|
||||
printf("\nCreating test.cfg\n");
|
||||
if (write_config_file(TEST_ROOT "/test.cfg", 1) != 0) {
|
||||
exit(1);
|
||||
}
|
||||
printf("\nLoading test.cfg\n");
|
||||
read_executor_config(TEST_ROOT "/test.cfg");
|
||||
|
||||
printf("\nDetermining user details\n");
|
||||
char* username = strdup(getpwuid(getuid())->pw_name);
|
||||
struct passwd *username_info = check_user(username);
|
||||
printf("\nSetting NM UID\n");
|
||||
set_nm_uid(username_info->pw_uid, username_info->pw_gid);
|
||||
|
||||
// Make sure that username owns all the files now
|
||||
printf("\nEnsuring ownership of test dir\n");
|
||||
if (chown(TEST_ROOT, username_info->pw_uid, username_info->pw_gid) != 0) {
|
||||
exit(1);
|
||||
}
|
||||
if (chown(TEST_ROOT "/test.cfg",
|
||||
username_info->pw_uid, username_info->pw_gid) != 0) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("\nSetting effective user\n");
|
||||
if (set_user(username)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
testing::InitGoogleTest(&argc, argv);
|
||||
return RUN_ALL_TESTS();
|
||||
int rc = RUN_ALL_TESTS();
|
||||
|
||||
printf("Attempting to clean up from any previous runs\n");
|
||||
// clean up any junk from previous run
|
||||
if (system("chmod -R u=rwx " TEST_ROOT "; rm -fr " TEST_ROOT)) {
|
||||
exit(1);
|
||||
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
@ -29,6 +29,7 @@
|
||||
|
||||
#include <gtest/gtest.h>
|
||||
#include <sstream>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
extern "C" {
|
||||
#include "utils/string-utils.h"
|
||||
@ -36,97 +37,230 @@
|
||||
|
||||
namespace ContainerExecutor {
|
||||
|
||||
class TestStringUtils : public ::testing::Test {
|
||||
protected:
|
||||
virtual void SetUp() {
|
||||
class TestStringUtils : public ::testing::Test {
|
||||
protected:
|
||||
virtual void SetUp() {
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
virtual void TearDown() {
|
||||
virtual void TearDown() {
|
||||
|
||||
}
|
||||
};
|
||||
}
|
||||
};
|
||||
|
||||
TEST_F(TestStringUtils, test_get_numbers_split_by_comma) {
|
||||
const char* input = ",1,2,3,-1,,1,,0,";
|
||||
int* numbers;
|
||||
size_t n_numbers;
|
||||
int rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
TEST_F(TestStringUtils, test_get_numbers_split_by_comma) {
|
||||
const char* input = ",1,2,3,-1,,1,,0,";
|
||||
int* numbers;
|
||||
size_t n_numbers;
|
||||
int rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(6, n_numbers);
|
||||
ASSERT_EQ(1, numbers[0]);
|
||||
ASSERT_EQ(-1, numbers[3]);
|
||||
ASSERT_EQ(0, numbers[5]);
|
||||
free(numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(6, n_numbers);
|
||||
ASSERT_EQ(1, numbers[0]);
|
||||
ASSERT_EQ(-1, numbers[3]);
|
||||
ASSERT_EQ(0, numbers[5]);
|
||||
free(numbers);
|
||||
|
||||
input = "3";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(1, n_numbers);
|
||||
ASSERT_EQ(3, numbers[0]);
|
||||
free(numbers);
|
||||
input = "3";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(1, n_numbers);
|
||||
ASSERT_EQ(3, numbers[0]);
|
||||
free(numbers);
|
||||
|
||||
input = "";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(0, n_numbers);
|
||||
free(numbers);
|
||||
input = "";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(0, n_numbers);
|
||||
free(numbers);
|
||||
|
||||
input = ",,";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(0, n_numbers);
|
||||
free(numbers);
|
||||
input = ",,";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_EQ(0, rc) << "Should succeeded\n";
|
||||
ASSERT_EQ(0, n_numbers);
|
||||
free(numbers);
|
||||
|
||||
input = "1,2,aa,bb";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_TRUE(0 != rc) << "Should failed\n";
|
||||
free(numbers);
|
||||
input = "1,2,aa,bb";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_TRUE(0 != rc) << "Should failed\n";
|
||||
free(numbers);
|
||||
|
||||
input = "1,2,3,-12312312312312312312321311231231231";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_TRUE(0 != rc) << "Should failed\n";
|
||||
free(numbers);
|
||||
}
|
||||
input = "1,2,3,-12312312312312312312321311231231231";
|
||||
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
|
||||
std::cout << "Testing input=" << input << "\n";
|
||||
ASSERT_TRUE(0 != rc) << "Should failed\n";
|
||||
free(numbers);
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_validate_container_id) {
|
||||
TEST_F(TestStringUtils, test_validate_container_id) {
|
||||
|
||||
const char *good_input[] = {
|
||||
"container_e134_1499953498516_50875_01_000007",
|
||||
"container_1499953498516_50875_01_000007",
|
||||
"container_e1_12312_11111_02_000001"
|
||||
};
|
||||
const char *good_input[] = {
|
||||
"container_e134_1499953498516_50875_01_000007",
|
||||
"container_1499953498516_50875_01_000007",
|
||||
"container_e1_12312_11111_02_000001"
|
||||
};
|
||||
|
||||
const char *bad_input[] = {
|
||||
"CONTAINER",
|
||||
"container_e1_12312_11111_02_000001 | /tmp/file"
|
||||
"container_e1_12312_11111_02_000001 || # /tmp/file",
|
||||
"container_e1_12312_11111_02_000001 # /tmp/file",
|
||||
"container_e1_12312_11111_02_000001' || touch /tmp/file #",
|
||||
"ubuntu || touch /tmp/file #",
|
||||
"''''''''"
|
||||
};
|
||||
const char *bad_input[] = {
|
||||
"CONTAINER",
|
||||
"container_e1_12312_11111_02_000001 | /tmp/file"
|
||||
"container_e1_12312_11111_02_000001 || # /tmp/file",
|
||||
"container_e1_12312_11111_02_000001 # /tmp/file",
|
||||
"container_e1_12312_11111_02_000001' || touch /tmp/file #",
|
||||
"ubuntu || touch /tmp/file #",
|
||||
"''''''''"
|
||||
};
|
||||
|
||||
int good_input_size = sizeof(good_input) / sizeof(char *);
|
||||
int i = 0;
|
||||
for (i = 0; i < good_input_size; i++) {
|
||||
int op = validate_container_id(good_input[i]);
|
||||
ASSERT_EQ(1, op);
|
||||
}
|
||||
int good_input_size = sizeof(good_input) / sizeof(char *);
|
||||
int i = 0;
|
||||
for (i = 0; i < good_input_size; i++) {
|
||||
int op = validate_container_id(good_input[i]);
|
||||
ASSERT_EQ(1, op);
|
||||
}
|
||||
|
||||
int bad_input_size = sizeof(bad_input) / sizeof(char *);
|
||||
int j = 0;
|
||||
for (j = 0; j < bad_input_size; j++) {
|
||||
int op = validate_container_id(bad_input[j]);
|
||||
ASSERT_EQ(0, op);
|
||||
}
|
||||
}
|
||||
int bad_input_size = sizeof(bad_input) / sizeof(char *);
|
||||
int j = 0;
|
||||
for (j = 0; j < bad_input_size; j++) {
|
||||
int op = validate_container_id(bad_input[j]);
|
||||
ASSERT_EQ(0, op);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_to_hexstring) {
|
||||
const char* input = "hello";
|
||||
char* digest = NULL;
|
||||
unsigned char raw_digest[EVP_MAX_MD_SIZE];
|
||||
unsigned int raw_digest_len = 0;
|
||||
int rc = 0;
|
||||
|
||||
EVP_MD_CTX* mdctx = EVP_MD_CTX_create();
|
||||
ASSERT_NE(nullptr, mdctx) << "Unable to create EVP MD context\n";
|
||||
|
||||
rc = EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL);
|
||||
ASSERT_EQ(1, rc) << "Unable to initialize SHA256 digester\n";
|
||||
|
||||
rc = EVP_DigestFinal_ex(mdctx, raw_digest, &raw_digest_len);
|
||||
ASSERT_EQ(1, rc) << "Unable to compute digest\n";
|
||||
|
||||
rc = EVP_DigestUpdate(mdctx, input, strlen(input));
|
||||
ASSERT_EQ(1, rc) << "Unable to compute digest\n";
|
||||
|
||||
digest = to_hexstring(raw_digest, raw_digest_len);
|
||||
|
||||
ASSERT_STREQ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
|
||||
digest) << "Digest is not equal to expected hash\n";
|
||||
|
||||
EVP_MD_CTX_destroy(mdctx);
|
||||
free(digest);
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_strbuf_on_stack) {
|
||||
const int sb_incr = 16;
|
||||
strbuf sb;
|
||||
bool rc;
|
||||
|
||||
rc = strbuf_init(&sb, sb_incr);
|
||||
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("hellofoobar", sb.buffer);
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "some longer strings",
|
||||
" that will cause the strbuf", " to have to realloc");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb.buffer);
|
||||
|
||||
strbuf_destroy(&sb);
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_strbuf_in_heap) {
|
||||
const int sb_incr = 16;
|
||||
strbuf *sb = NULL;
|
||||
bool rc;
|
||||
|
||||
sb = strbuf_alloc(sb_incr);
|
||||
ASSERT_NE(nullptr, sb) << "Unable to init strbuf\n";
|
||||
|
||||
rc = strbuf_append_fmt(sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf";
|
||||
|
||||
ASSERT_STREQ("hellofoobar", sb->buffer);
|
||||
|
||||
rc = strbuf_append_fmt(sb, sb_incr, "%s%s%s", "some longer strings",
|
||||
" that will cause the strbuf", " to have to realloc");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb->buffer);
|
||||
|
||||
strbuf_free(sb);
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_strbuf_detach) {
|
||||
const int sb_incr = 16;
|
||||
strbuf sb;
|
||||
char *buf;
|
||||
bool rc;
|
||||
|
||||
rc = strbuf_init(&sb, sb_incr);
|
||||
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("hellofoobar", sb.buffer);
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "some longer strings",
|
||||
" that will cause the strbuf", " to have to realloc");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb.buffer);
|
||||
|
||||
buf = strbuf_detach_buffer(&sb);
|
||||
ASSERT_NE(nullptr, buf) << "Unable to detach char buf from strbuf\n";
|
||||
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "Buffer detached",
|
||||
" so this should allocate", " a new buffer in strbuf");
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
|
||||
ASSERT_STREQ("Buffer detached so this should allocate a new buffer in strbuf", sb.buffer);
|
||||
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", buf);
|
||||
|
||||
free(buf);
|
||||
strbuf_destroy(&sb);
|
||||
}
|
||||
|
||||
TEST_F(TestStringUtils, test_strbuf_realloc) {
|
||||
const int sb_incr = 5;
|
||||
strbuf sb;
|
||||
char buf[] = "1234567890";
|
||||
bool rc;
|
||||
|
||||
int len = strlen(buf);
|
||||
|
||||
rc = strbuf_init(&sb, sb_incr);
|
||||
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
|
||||
ASSERT_NE(nullptr, sb.buffer) << "Unable to init strbuf buffer\n";
|
||||
ASSERT_EQ(5, sb.capacity) << "Unable to init strbuf capacity\n";
|
||||
ASSERT_EQ(0, sb.length) << "Unable to init strbuf length\n";
|
||||
|
||||
rc = strbuf_append_fmt(&sb, sb_incr, "%s", buf);
|
||||
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
|
||||
ASSERT_NE(nullptr, sb.buffer) << "Unable to append strbuf buffer\n";
|
||||
ASSERT_EQ(len + sb_incr + 1, sb.capacity) << "Unable to update strbuf capacity\n";
|
||||
ASSERT_EQ(len, sb.length) << "Unable to update strbuf length\n";
|
||||
|
||||
rc = strbuf_realloc(&sb, 10);
|
||||
ASSERT_EQ(false, rc) << "realloc to smaller capacity succeeded and has truncated existing string\n";
|
||||
|
||||
strbuf_destroy(&sb);
|
||||
}
|
||||
|
||||
} // namespace ContainerExecutor
|
||||
|
@ -0,0 +1,752 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <algorithm>
|
||||
#include <gtest/gtest.h>
|
||||
#include <fstream>
|
||||
#include "errno.h"
|
||||
#include "configuration.h"
|
||||
#include <pwd.h>
|
||||
#include <stdbool.h>
|
||||
|
||||
extern "C" {
|
||||
#include "container-executor.h"
|
||||
#include "runc/runc_launch_cmd.h"
|
||||
#include "runc/runc_write_config.h"
|
||||
#include "utils/mount-utils.h"
|
||||
}
|
||||
|
||||
#define STARTING_JSON_BUFFER_SIZE (128*1024)
|
||||
|
||||
namespace ContainerExecutor {
|
||||
|
||||
class TestRunc : public ::testing::Test {
|
||||
protected:
|
||||
virtual void SetUp() {
|
||||
container_executor_cfg_file = "container-executor.cfg";
|
||||
std::string container_executor_cfg_contents = "[runc]\n "
|
||||
"runc.allowed.rw-mounts=/opt,/var,/usr/bin/cut,/usr/bin/awk\n "
|
||||
"runc.allowed.ro-mounts=/etc/passwd";
|
||||
|
||||
int ret = setup_container_executor_cfg(container_executor_cfg_contents);
|
||||
ASSERT_EQ(ret, 0) << "Container executor cfg setup failed\n";
|
||||
}
|
||||
|
||||
virtual void TearDown() {
|
||||
remove(runc_config_file);
|
||||
remove(container_executor_cfg_file.c_str());
|
||||
delete_ce_file();
|
||||
free_executor_configurations();
|
||||
}
|
||||
|
||||
const char *runc_config_file = "runc-config.json";
|
||||
std::string container_executor_cfg_file;
|
||||
|
||||
|
||||
void write_file(const std::string fname, const std::string contents) {
|
||||
std::ofstream config_file;
|
||||
config_file.open(fname.c_str());
|
||||
config_file << contents;
|
||||
config_file.close();
|
||||
}
|
||||
|
||||
int create_ce_file() {
|
||||
int ret = 0;
|
||||
const char *fname = HADOOP_CONF_DIR "/" CONF_FILENAME;
|
||||
struct stat buffer;
|
||||
|
||||
if (stat(fname, &buffer) == 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (strcmp("../etc/hadoop/container-executor.cfg", fname) == 0) {
|
||||
ret = mkdir("../etc", 0755);
|
||||
if (ret == 0 || errno == EEXIST) {
|
||||
ret = mkdir("../etc/hadoop", 0755);
|
||||
if (ret == 0 || errno == EEXIST) {
|
||||
write_file("../etc/hadoop/container-executor.cfg", "");
|
||||
} else {
|
||||
std::cerr << "Could not create ../etc/hadoop, " << strerror(errno) << std::endl;
|
||||
}
|
||||
} else {
|
||||
std::cerr << "Could not create ../etc, " << strerror(errno) << std::endl;
|
||||
}
|
||||
} else {
|
||||
// Don't want to create directories all over. Make a simple attempt to
|
||||
// write the file.
|
||||
write_file(fname, "");
|
||||
}
|
||||
|
||||
if (stat(fname, &buffer) != 0) {
|
||||
std::cerr << "Could not create " << fname << strerror(errno) << std::endl;
|
||||
ret = 1;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
void delete_ce_file() {
|
||||
const char *fname = HADOOP_CONF_DIR "/" CONF_FILENAME;
|
||||
if (strcmp("../etc/hadoop/container-executor.cfg", fname) == 0) {
|
||||
struct stat buffer;
|
||||
if (stat(fname, &buffer) == 0) {
|
||||
remove("../etc/hadoop/container-executor.cfg");
|
||||
rmdir("../etc/hadoop");
|
||||
rmdir("../etc");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void write_container_executor_cfg(const std::string contents) {
|
||||
write_file(container_executor_cfg_file, contents);
|
||||
}
|
||||
|
||||
void write_config_file(const std::string contents) {
|
||||
write_file(runc_config_file, contents);
|
||||
}
|
||||
|
||||
int setup_container_executor_cfg(const std::string container_executor_cfg_contents) {
|
||||
write_container_executor_cfg(container_executor_cfg_contents);
|
||||
read_executor_config(container_executor_cfg_file.c_str());
|
||||
|
||||
return create_ce_file();
|
||||
}
|
||||
|
||||
static cJSON* build_layer_array(const rlc_layer_spec *layers_array, int num_layers) {
|
||||
cJSON* layer_json_array = cJSON_CreateArray();
|
||||
if (layer_json_array == NULL) { return NULL; }
|
||||
|
||||
int i;
|
||||
|
||||
for (i = 0; i < num_layers; i++) {
|
||||
const rlc_layer_spec *layer = &layers_array[i];
|
||||
cJSON* layer_json = cJSON_CreateObject();
|
||||
if (layer_json == NULL) { goto fail; }
|
||||
cJSON_AddStringToObject(layer_json, "mediaType", layer->media_type);
|
||||
cJSON_AddStringToObject(layer_json, "path", layer->path);
|
||||
cJSON_AddItemToArray(layer_json_array, layer_json);
|
||||
}
|
||||
return layer_json_array;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(layer_json_array);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* build_string_array(char const* const* dirs_array) {
|
||||
int i;
|
||||
cJSON* dirs_json_array = cJSON_CreateArray();
|
||||
if (dirs_json_array == NULL) { return NULL; }
|
||||
|
||||
for (i = 0; dirs_array[i] != NULL; i++) {
|
||||
const char *dir = dirs_array[i];
|
||||
cJSON* layer_json = cJSON_CreateString(dir);
|
||||
if (layer_json == NULL) { goto fail; }
|
||||
cJSON_AddItemToArray(dirs_json_array, layer_json);
|
||||
}
|
||||
|
||||
return dirs_json_array;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(dirs_json_array);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool build_process_struct(runc_config_process *const process, char const* const* args, char const* const cwd,
|
||||
char const* const* env) {
|
||||
cJSON *args_array = build_string_array(args);
|
||||
if (args_array == NULL) { return false; }
|
||||
cJSON *cwd_string = cJSON_CreateString(cwd);
|
||||
if (cwd_string == NULL) { return false; }
|
||||
cJSON *env_array = build_string_array(env);
|
||||
if (env_array == NULL) { return false; }
|
||||
|
||||
process->args = args_array;
|
||||
process->cwd = cwd_string;
|
||||
process->env = env_array;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static cJSON* build_process_json(runc_config_process const* const process) {
|
||||
cJSON* process_json = cJSON_CreateObject();
|
||||
if (process_json == NULL) { return NULL; }
|
||||
|
||||
cJSON_AddItemReferenceToObject(process_json, "args", process->args);
|
||||
cJSON_AddItemReferenceToObject(process_json, "cwd", process->cwd);
|
||||
cJSON_AddItemReferenceToObject(process_json, "env", process->env);
|
||||
|
||||
return process_json;
|
||||
}
|
||||
|
||||
static cJSON* build_config_json(runc_config const* const config) {
|
||||
cJSON *config_json = cJSON_CreateObject();
|
||||
if (config_json == NULL) { return NULL; }
|
||||
|
||||
runc_config_process const *const process = &config->process;
|
||||
cJSON *process_json = build_process_json(process);
|
||||
if (process_json == NULL) { goto fail; }
|
||||
|
||||
|
||||
cJSON_AddItemToObject(config_json, "process", process_json);
|
||||
cJSON_AddItemReferenceToObject(config_json, "linux", config->linux_config);
|
||||
cJSON_AddItemReferenceToObject(config_json, "mounts", config->mounts);
|
||||
|
||||
return config_json;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(config_json);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* build_runc_config_json(runc_launch_cmd const* const rlc) {
|
||||
cJSON *local_dir_json;
|
||||
cJSON *log_dir_json;
|
||||
cJSON *layer_dir_json;
|
||||
cJSON *runc_config_json = cJSON_CreateObject();
|
||||
if (runc_config_json == NULL) { return NULL; }
|
||||
|
||||
runc_config const* const config = &rlc->config;
|
||||
|
||||
cJSON* config_json = build_config_json(config);
|
||||
if (config_json == NULL) { goto fail; }
|
||||
|
||||
cJSON_AddItemToObject(runc_config_json, "ociRuntimeConfig", config_json);
|
||||
cJSON_AddStringToObject(runc_config_json, "runAsUser", rlc->run_as_user);
|
||||
cJSON_AddStringToObject(runc_config_json, "username", rlc->username);
|
||||
cJSON_AddStringToObject(runc_config_json, "applicationId", rlc->app_id);
|
||||
cJSON_AddStringToObject(runc_config_json, "containerId", rlc->container_id);
|
||||
cJSON_AddStringToObject(runc_config_json, "pidFile", rlc->pid_file);
|
||||
cJSON_AddStringToObject(runc_config_json, "containerScriptPath", rlc->script_path);
|
||||
cJSON_AddStringToObject(runc_config_json, "containerCredentialsPath", rlc->cred_path);
|
||||
cJSON_AddNumberToObject(runc_config_json, "https", rlc->https);
|
||||
|
||||
local_dir_json = build_string_array(rlc->local_dirs);
|
||||
log_dir_json = build_string_array(rlc->log_dirs);
|
||||
layer_dir_json = build_layer_array(rlc->layers, rlc->num_layers);
|
||||
|
||||
cJSON_AddItemToObject(runc_config_json, "layers", layer_dir_json);
|
||||
cJSON_AddItemToObject(runc_config_json, "localDirs", local_dir_json);
|
||||
cJSON_AddItemToObject(runc_config_json, "logDirs", log_dir_json);
|
||||
|
||||
cJSON_AddNumberToObject(runc_config_json, "reapLayerKeepCount", rlc->num_reap_layers_keep);
|
||||
return runc_config_json;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(runc_config_json);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static cJSON* build_mount_json(const char *src, const char *dest, const char *input_options[]) {
|
||||
cJSON* mount_json = cJSON_CreateObject();
|
||||
if (mount_json == NULL) { return NULL; }
|
||||
|
||||
cJSON_AddStringToObject(mount_json, "source", src);
|
||||
cJSON_AddStringToObject(mount_json, "destination", dest);
|
||||
cJSON_AddStringToObject(mount_json, "type", "bind");
|
||||
|
||||
cJSON* options_array = build_string_array(input_options);
|
||||
cJSON_AddItemToObject(mount_json, "options", options_array);
|
||||
|
||||
return mount_json;
|
||||
}
|
||||
|
||||
|
||||
static cJSON* build_mounts_json() {
|
||||
cJSON* mount_json = NULL;
|
||||
|
||||
cJSON* mounts_json_array = cJSON_CreateArray();
|
||||
if (mounts_json_array == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char *options_rw[10] = {"rw", "rprivate", "rbind"};
|
||||
const char *options_ro[10] = {"ro", "rprivate", "rbind"};
|
||||
|
||||
mount_json = build_mount_json("/opt", "/opt", options_rw);
|
||||
if (mount_json == NULL) { goto fail; }
|
||||
cJSON_AddItemToArray(mounts_json_array, mount_json);
|
||||
|
||||
mount_json = build_mount_json("/var/", "/var/", options_rw);
|
||||
if (mount_json == NULL) { goto fail; }
|
||||
cJSON_AddItemToArray(mounts_json_array, mount_json);
|
||||
|
||||
mount_json = build_mount_json("/etc/passwd", "/etc/passwd", options_ro);
|
||||
if (mount_json == NULL) { goto fail; }
|
||||
cJSON_AddItemToArray(mounts_json_array, mount_json);
|
||||
|
||||
return mounts_json_array;
|
||||
|
||||
fail:
|
||||
cJSON_Delete(mounts_json_array);
|
||||
return NULL;
|
||||
|
||||
}
|
||||
|
||||
static runc_launch_cmd* build_default_runc_launch_cmd() {
|
||||
char* run_as_user = strdup(getpwuid(getuid())->pw_name);
|
||||
char* username = strdup(getpwuid(getuid())->pw_name);
|
||||
char const* const application_id = "application_1571614753172_3182915";
|
||||
char const* const container_id = "container_e14_1571614753172_3182915_01_000001";
|
||||
char const* const pid_file = "/tmp/container_e14_1571614753172_3182915_01_000001.pid";
|
||||
char const* const container_script_path = "/tmp/launch_container.sh";
|
||||
char const* const container_credentials_path = "/tmp/container_e14_1571614753172_3182915_01_000001.tokens";
|
||||
char const* const log_dirs[] = {"/log1", "/log2", NULL};
|
||||
char const* const local_dirs[] = {"/local1", "/local2", NULL};
|
||||
char const* const layer_media_type = "application/vnd.squashfs";
|
||||
char const* const args[] = {"bash", "/tmp/launch_container.sh", NULL};
|
||||
char const* const cwd = "/tmp";
|
||||
char const* const env[] = {"HADOOP_PREFIX=/tmp", "PATH=/tmp", NULL};
|
||||
char const* const hostname = "hostname";
|
||||
int num_reap_layers_keep = 10;
|
||||
unsigned int num_layers = 2;
|
||||
int https = 1;
|
||||
int i;
|
||||
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
rlc_layer_spec *layers_input = NULL;
|
||||
cJSON *hostname_json = NULL;
|
||||
cJSON *linux_config_json = NULL;
|
||||
cJSON *mounts_json = NULL;
|
||||
|
||||
rlc_input = (runc_launch_cmd*) calloc(1, sizeof(*rlc_input));
|
||||
if (rlc_input == NULL) { return NULL; }
|
||||
|
||||
runc_config *config = &rlc_input->config;
|
||||
|
||||
rlc_input->run_as_user = run_as_user;
|
||||
rlc_input->username = username;
|
||||
rlc_input->app_id = strdup(application_id);
|
||||
rlc_input->container_id = strdup(container_id);
|
||||
rlc_input->pid_file = strdup(pid_file);
|
||||
rlc_input->script_path = strdup(container_script_path);
|
||||
rlc_input->cred_path = strdup(container_credentials_path);
|
||||
rlc_input->https = https;
|
||||
|
||||
rlc_input->local_dirs = (char **) calloc(sizeof(local_dirs)/sizeof(local_dirs[0]) + 1, sizeof(*local_dirs));
|
||||
for (i = 0; local_dirs[i] != NULL; i++) {
|
||||
rlc_input->local_dirs[i] = strdup(local_dirs[i]);
|
||||
}
|
||||
rlc_input->local_dirs[i] = NULL;
|
||||
|
||||
rlc_input->log_dirs = (char **) calloc(sizeof(log_dirs)/sizeof(log_dirs[0]) + 1, sizeof(*log_dirs));
|
||||
for (i = 0; log_dirs[i] != NULL; i++) {
|
||||
rlc_input->log_dirs[i] = strdup(log_dirs[i]);
|
||||
}
|
||||
rlc_input->log_dirs[i] = NULL;
|
||||
|
||||
rlc_input->num_reap_layers_keep = num_reap_layers_keep;
|
||||
rlc_input->num_layers = num_layers;
|
||||
|
||||
layers_input = (rlc_layer_spec*) calloc(num_layers, sizeof(*layers_input));
|
||||
(&layers_input[0])->media_type = strdup(layer_media_type);
|
||||
(&layers_input[0])->path = strdup("/foo");
|
||||
(&layers_input[1])->media_type = strdup(layer_media_type);
|
||||
(&layers_input[1])->path = strdup("/bar");
|
||||
|
||||
rlc_input->layers = layers_input;
|
||||
|
||||
build_process_struct(&config->process, args, cwd, env);
|
||||
|
||||
hostname_json = cJSON_CreateString(hostname);
|
||||
if (hostname_json == NULL) { goto fail; }
|
||||
config->hostname = hostname_json;
|
||||
|
||||
linux_config_json = cJSON_CreateObject();
|
||||
if (linux_config_json == NULL) { goto fail; }
|
||||
config->linux_config = linux_config_json;
|
||||
|
||||
mounts_json = build_mounts_json();
|
||||
if (mounts_json == NULL) { goto fail; }
|
||||
config->mounts = mounts_json;
|
||||
|
||||
return rlc_input;
|
||||
fail:
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
static void test_runc_launch_cmd(runc_launch_cmd const* const rlc_input, runc_launch_cmd const* const rlc_parsed) {
|
||||
unsigned int i;
|
||||
|
||||
ASSERT_STREQ(rlc_parsed->run_as_user, rlc_input->run_as_user);
|
||||
ASSERT_STREQ(rlc_parsed->username, rlc_input->username);
|
||||
ASSERT_STREQ(rlc_parsed->app_id, rlc_input->app_id);
|
||||
ASSERT_STREQ(rlc_parsed->container_id, rlc_input->container_id);
|
||||
ASSERT_STREQ(rlc_parsed->pid_file, rlc_input->pid_file);
|
||||
ASSERT_STREQ(rlc_parsed->script_path, rlc_input->script_path);
|
||||
ASSERT_STREQ(rlc_parsed->cred_path, rlc_input->cred_path);
|
||||
ASSERT_EQ(rlc_parsed->https, rlc_input->https);
|
||||
|
||||
for (i = 0; rlc_input->local_dirs[i] != NULL; i++) {
|
||||
ASSERT_NE(rlc_input->local_dirs[i], nullptr);
|
||||
ASSERT_NE(rlc_parsed->local_dirs[i], nullptr);
|
||||
ASSERT_STREQ(rlc_parsed->local_dirs[i], rlc_input->local_dirs[i]);
|
||||
}
|
||||
|
||||
for (i = 0; rlc_input->log_dirs[i] != NULL; i++) {
|
||||
ASSERT_NE(rlc_input->log_dirs[i], nullptr);
|
||||
ASSERT_NE(rlc_parsed->log_dirs[i], nullptr);
|
||||
ASSERT_STREQ(rlc_parsed->log_dirs[i], rlc_input->log_dirs[i]);
|
||||
}
|
||||
|
||||
for (i = 0; i < rlc_input->num_layers; i++) {
|
||||
rlc_layer_spec *layer_input = &rlc_input->layers[i];
|
||||
rlc_layer_spec *layer_parsed = &rlc_parsed->layers[i];
|
||||
ASSERT_NE(layer_input, nullptr);
|
||||
ASSERT_NE(layer_parsed, nullptr);
|
||||
ASSERT_STREQ(layer_parsed->media_type, layer_input->media_type);
|
||||
ASSERT_STREQ(layer_parsed->path, layer_input->path);
|
||||
}
|
||||
|
||||
ASSERT_EQ(rlc_parsed->num_layers, rlc_input->num_layers);
|
||||
ASSERT_EQ(rlc_parsed->num_reap_layers_keep, rlc_input->num_reap_layers_keep);
|
||||
}
|
||||
};
|
||||
|
||||
static mount* build_mounts(std::string mounts_string,
|
||||
unsigned int num_mounts) {
|
||||
|
||||
mount* mounts = (mount*) calloc(num_mounts, sizeof(*mounts));
|
||||
std::istringstream comma_iss(mounts_string);
|
||||
std::string comma_token;
|
||||
int i = 0;
|
||||
while (std::getline(comma_iss, comma_token, ','))
|
||||
{
|
||||
mount_options *options = (mount_options*) calloc(1, sizeof(*options));
|
||||
mounts[i].options = options;
|
||||
std::istringstream colon_iss(comma_token);
|
||||
std::string colon_token;
|
||||
|
||||
std::getline(colon_iss, colon_token, ':');
|
||||
mounts[i].src = strdup(colon_token.c_str());
|
||||
|
||||
std::getline(colon_iss, colon_token, ':');
|
||||
mounts[i].dest = strdup(colon_token.c_str());
|
||||
|
||||
std::getline(colon_iss, colon_token, ':');
|
||||
std::istringstream plus_iss(colon_token);
|
||||
std::string plus_token;
|
||||
|
||||
unsigned int num_opts = std::count(colon_token.begin(), colon_token.end(), '+') + 1;
|
||||
int j = 0;
|
||||
char **opts = (char**) calloc(num_opts + 1, sizeof(*opts));
|
||||
mounts[i].options->opts = opts;
|
||||
while(std::getline(plus_iss, plus_token, '+')) {
|
||||
char *mount_option = strdup(plus_token.c_str());
|
||||
if (strcmp("rw", mount_option) == 0) {
|
||||
options->rw = 1;
|
||||
} else if (strcmp("ro", mount_option) == 0) {
|
||||
options->rw = 0;
|
||||
}
|
||||
options->opts[j] = mount_option;
|
||||
j++;
|
||||
}
|
||||
options->opts[j] = NULL;
|
||||
options->num_opts = num_opts;
|
||||
i++;
|
||||
}
|
||||
return mounts;
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_valid) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
ASSERT_NE(ret, false);
|
||||
|
||||
test_runc_launch_cmd(rlc_input, rlc_parsed);
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_bad_container_id) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
free(rlc_input->container_id);
|
||||
rlc_input->container_id = strdup("foobar");
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
// An invalid container_id should cause an error and the parse function should return null
|
||||
ASSERT_EQ(ret, false);
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_existing_pidfile) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
free(rlc_input->pid_file);
|
||||
const char* pid_file = "/tmp/foo";
|
||||
rlc_input->pid_file = strdup(pid_file);
|
||||
write_file(pid_file, "");
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
// A pid file that already exists should cause an error and the parse function should return null
|
||||
ASSERT_EQ(ret, false);
|
||||
|
||||
remove(pid_file);
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_media_type) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
free(rlc_input->layers[0].media_type);
|
||||
rlc_input->layers[0].media_type = strdup("bad media type");
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
// A bad layer media type should cause an error and the parse function should return null
|
||||
ASSERT_EQ(ret, false);
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_num_reap_layers_keep) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
rlc_input->num_reap_layers_keep = -1;
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
// A negative num_reap_layers_keep value should cause an error and the parse function should return null
|
||||
ASSERT_EQ(ret, false);
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_valid_mounts) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
std::vector<std::string> mounts_string_vec;
|
||||
|
||||
mounts_string_vec.push_back(std::string("/var:/var:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/var:/var:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/var/:/var/:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/usr/bin/cut:/usr/bin/cut:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string(
|
||||
"/usr/bin/awk:/awk:rw+shared+rbind+rprivate,/etc/passwd:/etc/passwd:ro+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string(
|
||||
"/var:/var:ro+rprivate+rbind,/etc/passwd:/etc/passwd:ro+rshared+rbind+rprivate"));
|
||||
|
||||
mount *mounts = NULL;
|
||||
std::vector<std::string>::const_iterator itr;
|
||||
|
||||
for (itr = mounts_string_vec.begin(); itr != mounts_string_vec.end(); ++itr) {
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
cJSON* mounts_json_array = cJSON_CreateArray();
|
||||
ASSERT_NE(mounts_json_array, nullptr);
|
||||
|
||||
unsigned int num_mounts = std::count(itr->begin(), itr->end(), ',') + 1;
|
||||
mounts = build_mounts(*itr, num_mounts);
|
||||
for (unsigned int i = 0; i < num_mounts; i++) {
|
||||
cJSON *mount_json = build_mount_json(mounts[i].src,
|
||||
mounts[i].dest,
|
||||
(const char**) mounts[i].options->opts);
|
||||
ASSERT_NE(mount_json, nullptr);
|
||||
cJSON_AddItemToArray(mounts_json_array, mount_json);
|
||||
}
|
||||
|
||||
cJSON_Delete(rlc_input->config.mounts);
|
||||
rlc_input->config.mounts = mounts_json_array;
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
ASSERT_NE(ret, false);
|
||||
|
||||
test_runc_launch_cmd(rlc_input, rlc_parsed );
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_mounts(mounts, num_mounts);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_mounts) {
|
||||
runc_launch_cmd *rlc_input = NULL;
|
||||
runc_launch_cmd *rlc_parsed = NULL;
|
||||
cJSON *runc_config_json = NULL;
|
||||
char* json_data = NULL;
|
||||
int ret = 0;
|
||||
|
||||
std::vector<std::string> mounts_string_vec;
|
||||
|
||||
mounts_string_vec.push_back(std::string("/lib:/lib:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/lib:/lib:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/usr/bin/:/usr/bin:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/blah:/blah:rw+rbind+rprivate"));
|
||||
mounts_string_vec.push_back(std::string("/tmp:/tmp:shared"));
|
||||
mounts_string_vec.push_back(std::string("/lib:/lib"));
|
||||
mounts_string_vec.push_back(std::string("/lib:/lib:other"));
|
||||
|
||||
mount *mounts = NULL;
|
||||
std::vector<std::string>::const_iterator itr;
|
||||
|
||||
for (itr = mounts_string_vec.begin(); itr != mounts_string_vec.end(); ++itr) {
|
||||
rlc_input = build_default_runc_launch_cmd();
|
||||
ASSERT_NE(rlc_input, nullptr);
|
||||
|
||||
cJSON* mounts_json_array = cJSON_CreateArray();
|
||||
ASSERT_NE(mounts_json_array, nullptr);
|
||||
|
||||
unsigned int num_mounts = std::count(itr->begin(), itr->end(), ',') + 1;
|
||||
mounts = build_mounts(*itr, num_mounts);
|
||||
for (unsigned int i = 0; i < num_mounts; i++) {
|
||||
cJSON *mount_json = build_mount_json(mounts[i].src,
|
||||
mounts[i].dest,
|
||||
(const char**) mounts[i].options->opts);
|
||||
ASSERT_NE(mount_json, nullptr);
|
||||
cJSON_AddItemToArray(mounts_json_array, mount_json);
|
||||
}
|
||||
|
||||
cJSON_Delete(rlc_input->config.mounts);
|
||||
rlc_input->config.mounts = mounts_json_array;
|
||||
|
||||
runc_config_json = build_runc_config_json(rlc_input);
|
||||
ASSERT_NE(runc_config_json, nullptr);
|
||||
|
||||
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
|
||||
write_config_file(json_data);
|
||||
|
||||
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
|
||||
ASSERT_NE(rlc_parsed, nullptr);
|
||||
|
||||
ret = is_valid_runc_launch_cmd(rlc_parsed);
|
||||
// A invalid mount should cause an error and the parse function should return null
|
||||
ASSERT_EQ(ret, false);
|
||||
|
||||
cJSON_Delete(runc_config_json);
|
||||
free_mounts(mounts, num_mounts);
|
||||
free_runc_launch_cmd(rlc_input);
|
||||
free(json_data);
|
||||
free_runc_launch_cmd(rlc_parsed);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user