[18/44] hadoop git commit: YARN-7221. Add security check for privileged docker container. Contributed by Eric Yang

YARN-7221. Add security check for privileged docker container. Contributed by 
Eric Yang


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/933477e9
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/933477e9
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/933477e9

Branch: refs/heads/HDFS-7240
Commit: 933477e9e0526e2ed81ea454f8806de31981822a
Parents: f7d5bac
Author: Billie Rinaldi 
Authored: Wed Apr 11 08:23:20 2018 -0700
Committer: Billie Rinaldi 
Committed: Wed Apr 11 11:24:23 2018 -0700

--
 .../runtime/DockerLinuxContainerRuntime.java|  10 +-
 .../container-executor/impl/utils/docker-util.c | 100 ++-
 .../test/utils/test_docker_util.cc  |  97 +-
 .../runtime/TestDockerContainerRuntime.java |  11 +-
 4 files changed, 157 insertions(+), 61 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index 51abeb6..7106aad 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -767,7 +767,11 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
   throw new ContainerExecutionException(message);
 }
   }
-  dockerRunAsUser = uid + ":" + gid;
+  if (!allowPrivilegedContainerExecution(container)) {
+dockerRunAsUser = uid + ":" + gid;
+  } else {
+dockerRunAsUser = ctx.getExecutionAttribute(USER);
+  }
 }
 
 //List -> stored as List -> fetched/converted to List
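Review bot: The privileged branch passes the bare user name from `ctx.getExecutionAttribute(USER)` as the docker run-as user, and docker resolves a name (unlike a numeric uid:gid) against the image's own /etc/passwd, so the effective uid inside a privileged container depends on image content rather than on the host account; nothing in the hunk records why the name form is required here. The diffstat shows a native `check_privileges(const char *user)` being added in docker-util.c, which appears to be where the host-side validation of that user happens, so a comment such as `// privileged containers keep the user name; the container-executor validates the host account before launch` above the new `if` would make the intent reviewable. `allowPrivilegedContainerExecution(container)` is evaluated here and again in the hunk at L55; the enclosing method starts outside the hunk. The hunks at L170 and L292 are identical copies of this change and the same note applies there.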
@@ -879,7 +883,9 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
 }
 
 if(enableUserReMapping) {
-  runCommand.groupAdd(groups);
+  if (!allowPrivilegedContainerExecution(container)) {
+runCommand.groupAdd(groups);
+  }
 }
 
 // use plugins to update docker run command.
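Review bot: No comment explains why the `groupAdd(groups)` call is skipped for privileged containers when `enableUserReMapping` is set, so a later reader cannot tell whether dropping the supplementary host groups is deliberate or an oversight. A one-line note, e.g. `// group-add belongs to the uid:gid run-as form; privileged containers run as the named user and skip host group remapping`, would tie this branch to the run-as change earlier in the same file. The enclosing method starts and ends outside the hunk. The hunks at L184 and L306 are identical copies and need the same comment.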

http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 3bd94a1..fdeaeea 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -16,6 +16,9 @@
  * limitations under the License.
  */
 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -25,6 +28,9 @@
 #include "docker-util.h"
 #include "string-utils.h"
 #include "util.h"
+#include 
+#include 
+#include 
 
 static int read_and_verify_command_file(const char *command_file, const char 
*docker_command,
 struct configuration *command_config) {
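Review bot: This hunk adds three new includes after the project headers (`"docker-util.h"`, `"string-utils.h"`, `"util.h"`), whereas the preceding hunk (L79–L88) inserts its three new includes into the existing block at the top of the file; splitting the new headers across two groups, with some placed after the project headers, breaks the file's existing include order and makes it harder to see which system headers the project headers may rely on. Suggest moving the three includes at L93–L95 up into the block at L83–L88 so all non-project headers stay in one group ahead of the `"..."` includes. The header names are not legible in this archive rendering (the angle-bracketed names were stripped), so this is a placement remark only. The same layout recurs in the copies at L208–L228 and L330–L350.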
@@ -1254,14 +1260,94 @@ static int  add_rw_mounts(const struct configuration 
*command_config, const stru
   return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen);
 }
 
+static int check_privileges(const char *user) {
+  int ngroups = 0;
+  gid_t *groups = NULL;
+  struct passwd *pw;
+  struct group *gr;
+  int ret = 0;
+  int waitid = -1;
+  int statval = 0;
+
+  pw = getpwnam(user);
+  if (pw == NULL) {
+fprintf(ERRORFILE, "User %s does not exist in host OS.\n", user);
+exit(INITIALIZE_USER_FAILED);
+  }
+
+  int rc = getgrouplist(user, pw->pw_gid, groups, &ngroups);
+  i

hadoop git commit: YARN-7221. Add security check for privileged docker container. Contributed by Eric Yang

Repository: hadoop
Updated Branches:
  refs/heads/branch-3.1 3c1cd08f0 -> 11f1d4982


YARN-7221. Add security check for privileged docker container. Contributed by 
Eric Yang

(cherry picked from commit 933477e9e0526e2ed81ea454f8806de31981822a)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/11f1d498
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/11f1d498
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/11f1d498

Branch: refs/heads/branch-3.1
Commit: 11f1d498232f6be50d657009963183159e1dd97a
Parents: 3c1cd08
Author: Billie Rinaldi 
Authored: Wed Apr 11 08:23:20 2018 -0700
Committer: Billie Rinaldi 
Committed: Wed Apr 11 12:15:00 2018 -0700

--
 .../runtime/DockerLinuxContainerRuntime.java|  10 +-
 .../container-executor/impl/utils/docker-util.c | 100 ++-
 .../test/utils/test_docker_util.cc  |  97 +-
 .../runtime/TestDockerContainerRuntime.java |  11 +-
 4 files changed, 157 insertions(+), 61 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/hadoop/blob/11f1d498/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index 0290493..567c4b5 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -760,7 +760,11 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
   throw new ContainerExecutionException(message);
 }
   }
-  dockerRunAsUser = uid + ":" + gid;
+  if (!allowPrivilegedContainerExecution(container)) {
+dockerRunAsUser = uid + ":" + gid;
+  } else {
+dockerRunAsUser = ctx.getExecutionAttribute(USER);
+  }
 }
 
 //List -> stored as List -> fetched/converted to List
@@ -872,7 +876,9 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
 }
 
 if(enableUserReMapping) {
-  runCommand.groupAdd(groups);
+  if (!allowPrivilegedContainerExecution(container)) {
+runCommand.groupAdd(groups);
+  }
 }
 
 // use plugins to update docker run command.

http://git-wip-us.apache.org/repos/asf/hadoop/blob/11f1d498/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index ccc21fa..465dc49 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -16,6 +16,9 @@
  * limitations under the License.
  */
 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -25,6 +28,9 @@
 #include "docker-util.h"
 #include "string-utils.h"
 #include "util.h"
+#include 
+#include 
+#include 
 
 static int read_and_verify_command_file(const char *command_file, const char 
*docker_command,
 struct configuration *command_config) {
@@ -1214,14 +1220,94 @@ static int  add_rw_mounts(const struct configuration 
*command_config, const stru
   return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen);
 }
 
+static int check_privileges(const char *user) {
+  int ngroups = 0;
+  gid_t *groups = NULL;
+  struct passwd *pw;
+  struct group *gr;
+  int ret = 0;
+  int waitid = -1;
+  int statval = 0;
+
+  pw = getpwnam(user);
+  if (pw == NULL) {
+fprintf(ERRORFILE

hadoop git commit: YARN-7221. Add security check for privileged docker container. Contributed by Eric Yang

Repository: hadoop
Updated Branches:
  refs/heads/trunk f7d5bace4 -> 933477e9e


YARN-7221. Add security check for privileged docker container. Contributed by 
Eric Yang


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/933477e9
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/933477e9
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/933477e9

Branch: refs/heads/trunk
Commit: 933477e9e0526e2ed81ea454f8806de31981822a
Parents: f7d5bac
Author: Billie Rinaldi 
Authored: Wed Apr 11 08:23:20 2018 -0700
Committer: Billie Rinaldi 
Committed: Wed Apr 11 11:24:23 2018 -0700

--
 .../runtime/DockerLinuxContainerRuntime.java|  10 +-
 .../container-executor/impl/utils/docker-util.c | 100 ++-
 .../test/utils/test_docker_util.cc  |  97 +-
 .../runtime/TestDockerContainerRuntime.java |  11 +-
 4 files changed, 157 insertions(+), 61 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index 51abeb6..7106aad 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -767,7 +767,11 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
   throw new ContainerExecutionException(message);
 }
   }
-  dockerRunAsUser = uid + ":" + gid;
+  if (!allowPrivilegedContainerExecution(container)) {
+dockerRunAsUser = uid + ":" + gid;
+  } else {
+dockerRunAsUser = ctx.getExecutionAttribute(USER);
+  }
 }
 
 //List -> stored as List -> fetched/converted to List
@@ -879,7 +883,9 @@ public class DockerLinuxContainerRuntime implements 
LinuxContainerRuntime {
 }
 
 if(enableUserReMapping) {
-  runCommand.groupAdd(groups);
+  if (!allowPrivilegedContainerExecution(container)) {
+runCommand.groupAdd(groups);
+  }
 }
 
 // use plugins to update docker run command.

http://git-wip-us.apache.org/repos/asf/hadoop/blob/933477e9/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
--
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
index 3bd94a1..fdeaeea 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
@@ -16,6 +16,9 @@
  * limitations under the License.
  */
 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -25,6 +28,9 @@
 #include "docker-util.h"
 #include "string-utils.h"
 #include "util.h"
+#include 
+#include 
+#include 
 
 static int read_and_verify_command_file(const char *command_file, const char 
*docker_command,
 struct configuration *command_config) {
@@ -1254,14 +1260,94 @@ static int  add_rw_mounts(const struct configuration 
*command_config, const stru
   return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen);
 }
 
+static int check_privileges(const char *user) {
+  int ngroups = 0;
+  gid_t *groups = NULL;
+  struct passwd *pw;
+  struct group *gr;
+  int ret = 0;
+  int waitid = -1;
+  int statval = 0;
+
+  pw = getpwnam(user);
+  if (pw == NULL) {
+fprintf(ERRORFILE, "User %s does not exist in host OS.\n", user);
+exit(INITIALIZE_USER_FAILE