Repository: hadoop Updated Branches: refs/heads/branch-2.8.1-private [created] 1e6296df3
Validate docker image name before launching container. (cherry picked from commit 51e65cc7104bcccdfc2554f489c8a5c0e8feea37) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/bbe3b085 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/bbe3b085 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/bbe3b085 Branch: refs/heads/branch-2.8.1-private Commit: bbe3b0857d383c5e4dc4a7ade90a88a3e24338b2 Parents: 91f2b7a Author: Varun Vasudev <vvasu...@apache.org> Authored: Thu May 18 11:53:16 2017 +0530 Committer: Vinod Kumar Vavilapalli (I am also known as @tshooter.) <vino...@apache.org> Committed: Wed Jun 7 13:37:34 2017 -0700 ---------------------------------------------------------------------- .../runtime/DockerLinuxContainerRuntime.java | 24 +++++++++++++--- .../runtime/TestDockerContainerRuntime.java | 29 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/bbe3b085/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java index c303e94..fc3376a 100644 
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java @@ -51,6 +51,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.regex.Pattern; import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntimeConstants.*; @@ -60,6 +61,12 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime { private static final Log LOG = LogFactory.getLog( DockerLinuxContainerRuntime.class); + // This validates that the image is a proper docker image + public static final String DOCKER_IMAGE_PATTERN = + "^(([a-zA-Z0-9.-]+)(:\\d+)?/)?([a-z0-9_./-]+)(:[\\w.-]+)?$"; + private static final Pattern dockerImagePattern = + Pattern.compile(DOCKER_IMAGE_PATTERN); + @InterfaceAudience.Private public static final String ENV_DOCKER_CONTAINER_IMAGE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE"; @@ -216,10 +223,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime { .getEnvironment(); String imageName = environment.get(ENV_DOCKER_CONTAINER_IMAGE); - if (imageName == null) { - throw new ContainerExecutionException(ENV_DOCKER_CONTAINER_IMAGE - + " not set!"); - } + validateImageName(imageName); String containerIdStr = container.getContainerId().toString(); String runAsUser = ctx.getExecutionAttribute(RUN_AS_USER); 
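Review bot: In the `DOCKER_IMAGE_PATTERN` hunk, both the registry-host class `[a-zA-Z0-9.-]+` and the repository class `[a-z0-9_./-]+` accept `-`, `.` or `/` as the first character, so a value such as `-foo` passes validation; if the name later becomes an argument on the docker command line (that code is outside this diff), a leading dash could be read as an option. Requiring an alphanumeric first character closes this: `"^(([a-zA-Z0-9][a-zA-Z0-9.-]*)(:\\d+)?/)?([a-z0-9][a-z0-9_./-]*)(:[\\w.-]+)?$"`. The `invalidNames` list in `TestDockerContainerRuntime` has no leading-dash case, so one should be added with the change. The comment could also say what is deliberately rejected, e.g. `// Accepts [registry[:port]/]repository[:tag]; digest references (name@sha256:...) are rejected`. The compiled `static final` field would conventionally be upper snake case rather than `dockerImagePattern`.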
@@ -354,4 +358,16 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime { throws ContainerExecutionException { } + + public static void validateImageName(String imageName) + throws ContainerExecutionException { + if (imageName == null || imageName.isEmpty()) { + throw new ContainerExecutionException( + ENV_DOCKER_CONTAINER_IMAGE + " not set!"); + } + if (!dockerImagePattern.matcher(imageName).matches()) { + throw new ContainerExecutionException("Image name '" + imageName + + "' doesn't match docker image name pattern"); + } + } } http://git-wip-us.apache.org/repos/asf/hadoop/blob/bbe3b085/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java index 05f144f..1d95513 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java 
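Review bot: The second exception message in `validateImageName` embeds the rejected value verbatim, and a value that failed the pattern can contain line breaks or other control characters, so anything that logs this exception (presumably the NodeManager log; the callers are outside this hunk) can end up with forged log lines. Neutralise the value before concatenating it, e.g. `imageName.replaceAll("[^\\x20-\\x7e]", "?")`, and consider capping its length. The method is public and static but has no Javadoc; a short one should state that it throws `ContainerExecutionException` when the name is null, empty, or does not match `DOCKER_IMAGE_PATTERN`.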
@@ -388,4 +388,33 @@ public class TestDockerContainerRuntime { + ": " + command, command.contains("--privileged")); } + @Test + public void testDockerImageNamePattern() throws Exception { + String[] validNames = + { "ubuntu", "fedora/httpd:version1.0", + "fedora/httpd:version1.0.test", + "fedora/httpd:version1.0.TEST", + "myregistryhost:5000/ubuntu", + "myregistryhost:5000/fedora/httpd:version1.0", + "myregistryhost:5000/fedora/httpd:version1.0.test", + "myregistryhost:5000/fedora/httpd:version1.0.TEST"}; + + String[] invalidNames = { "Ubuntu", "ubuntu || fedora", "ubuntu#", + "myregistryhost:50AB0/ubuntu", "myregistry#host:50AB0/ubuntu", + ":8080/ubuntu" + }; + + for (String name : validNames) { + DockerLinuxContainerRuntime.validateImageName(name); + } + + for (String name : invalidNames) { + try { + DockerLinuxContainerRuntime.validateImageName(name); + Assert.fail(name + " is an invalid name and should fail the regex"); + } catch (ContainerExecutionException ce) { + continue; + } + } + } }
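Review bot: `testDockerImageNamePattern` never exercises the null and empty-string branch of `validateImageName`, and none of the `invalidNames` entries ends in a line terminator, the one case where `^…$` behaves differently under `find()` than under `matches()`. Adding `""` and `"ubuntu\n"` to `invalidNames`, plus a separate `validateImageName(null)` expectation, would pin the "not set!" path and guard against a later switch away from `matches()`. A one-line comment above `invalidNames` saying what each entry is meant to violate (uppercase repository, shell metacharacters, non-numeric port, missing host) would make the list easier to extend.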