HADOOP-15195. With SELinux enabled, directories mounted with start-build-env.sh may not be accessible. Contributed by Grigori Rybkine
(cherry picked from commit 0c5d7d71a80bccd4ad7eab269d0727b999606a7e) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/08053c4e Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/08053c4e Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/08053c4e Branch: refs/heads/branch-3.1 Commit: 08053c4ead2f6026a5eb937df560db251123633c Parents: 1f6b189 Author: Chris Douglas <cdoug...@apache.org> Authored: Mon Feb 12 21:07:15 2018 -0800 Committer: Chris Douglas <cdoug...@apache.org> Committed: Mon Feb 12 21:07:25 2018 -0800 ---------------------------------------------------------------------- .../src/test/scripts/start-build-env.bats | 102 +++++++++++++++++++ start-build-env.sh | 32 +++++- 2 files changed, 131 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/08053c4e/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats b/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats new file mode 100644 index 0000000..dbb14ad --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/scripts/start-build-env.bats @@ -0,0 +1,102 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +load hadoop-functions_test_helper + +# Mock docker command +docker () { + if [ "$1" = "-v" ]; then + shift + echo Docker version ${DCKR_MOCK_VER:?} + elif [ "$1" = run ]; then + shift + until [ $# -eq 0 ]; do + if [ "$1" = -v ]; then + shift + echo "$1"|awk -F':' '{if (NF == 3 && $3 == "z") + printf "Mounted %s with z option.\n", $1 + else if (NF == 2) + printf "Mounted %s without z option.\n", $1}' + fi + shift + done + fi +} +export -f docker +export DCKR_MOCK_VER + +# Mock a SELinux enabled system +enable_selinux () { + mkdir -p "${TMP}/bin" + echo true >"${TMP}/bin"/selinuxenabled + chmod a+x "${TMP}/bin"/selinuxenabled + if [ "${PATH#${TMP}/bin}" = "${PATH}" ]; then + PATH="${TMP}/bin":"$PATH" + fi +} + +setup_user () { + if [ -z "$(printenv USER)" ]; then + if [ -z "$USER" ]; then + USER=${HOME##*/} + fi + export USER + fi +} + +# Mock stat command as used in start-build-env.sh +stat () { + if [ "$1" = --printf='%C' -a $# -eq 2 ]; then + printf 'mock_u:mock_r:mock_t:s0' + else + command stat "$@" + fi +} +export -f stat + +# Verify that host directories get mounted without z option +# and INFO messages get printed out +@test "start-build-env.sh (Docker without z mount option)" { + if [ "$(uname -s)" != "Linux" ]; then + skip "Not on Linux platform" + fi + enable_selinux + setup_user + DCKR_MOCK_VER=1.4 + run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh" + [ "$status" -eq 0 ] + [[ ${lines[0]} == "INFO: SELinux is enabled." ]] + [[ ${lines[1]} =~ \ + "Mounted ".*" may not be accessible to the container." ]] + [[ ${lines[2]} == \ + "INFO: If so, on the host, run the following command:" ]] + [[ ${lines[3]} =~ "# chcon -Rt svirt_sandbox_file_t " ]] + [[ ${lines[-2]} =~ "Mounted ".*" without z option." ]] + [[ ${lines[-1]} =~ "Mounted ".*" without z option." ]] +} + +# Verify that host directories get mounted with z option +@test "start-build-env.sh (Docker with z mount option)" { + if [ "$(uname -s)" != "Linux" ]; then + skip "Not on Linux platform" + fi + enable_selinux + setup_user + DCKR_MOCK_VER=1.7 + run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh" + [ "$status" -eq 0 ] + [[ ${lines[-2]} =~ "Mounted ".*" with z option." ]] + [[ ${lines[-1]} =~ "Mounted ".*" with z option." ]] +} http://git-wip-us.apache.org/repos/asf/hadoop/blob/08053c4e/start-build-env.sh ---------------------------------------------------------------------- diff --git a/start-build-env.sh b/start-build-env.sh index 5a18151..4da55af 100755 --- a/start-build-env.sh +++ b/start-build-env.sh @@ -21,10 +21,36 @@ cd "$(dirname "$0")" # connect to root docker build -t hadoop-build dev-support/docker -if [ "$(uname -s)" == "Linux" ]; then +if [ "$(uname -s)" = "Linux" ]; then USER_NAME=${SUDO_USER:=$USER} USER_ID=$(id -u "${USER_NAME}") GROUP_ID=$(id -g "${USER_NAME}") + # man docker-run + # When using SELinux, mounted directories may not be accessible + # to the container. To work around this, with Docker prior to 1.7 + # one needs to run the "chcon -Rt svirt_sandbox_file_t" command on + # the directories. With Docker 1.7 and later the z mount option + # does this automatically. + if command -v selinuxenabled >/dev/null && selinuxenabled; then + DCKR_VER=$(docker -v| + awk '$1 == "Docker" && $2 == "version" {split($3,ver,".");print ver[1]"."ver[2]}') + DCKR_MAJ=${DCKR_VER%.*} + DCKR_MIN=${DCKR_VER#*.} + if [ "${DCKR_MAJ}" -eq 1 ] && [ "${DCKR_MIN}" -ge 7 ] || + [ "${DCKR_MAJ}" -gt 1 ]; then + V_OPTS=:z + else + for d in "${PWD}" "${HOME}/.m2"; do + ctx=$(stat --printf='%C' "$d"|cut -d':' -f3) + if [ "$ctx" != svirt_sandbox_file_t ] && [ "$ctx" != container_file_t ]; then + printf 'INFO: SELinux is enabled.\n' + printf '\tMounted %s may not be accessible to the container.\n' "$d" + printf 'INFO: If so, on the host, run the following command:\n' + printf '\t# chcon -Rt svirt_sandbox_file_t %s\n' "$d" + fi + done + fi + fi else # boot2docker uid and gid USER_NAME=$USER USER_ID=1000 @@ -45,8 +71,8 @@ UserSpecificDocker # system. And this also is a significant speedup in subsequent # builds because the dependencies are downloaded only once. docker run --rm=true -t -i \ - -v "${PWD}:/home/${USER_NAME}/hadoop" \ + -v "${PWD}:/home/${USER_NAME}/hadoop${V_OPTS:-}" \ -w "/home/${USER_NAME}/hadoop" \ - -v "${HOME}/.m2:/home/${USER_NAME}/.m2" \ + -v "${HOME}/.m2:/home/${USER_NAME}/.m2${V_OPTS:-}" \ -u "${USER_NAME}" \ "hadoop-build-${USER_ID}" --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
