[
https://issues.apache.org/jira/browse/YARN-7353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16210587#comment-16210587
]
Varun Vasudev commented on YARN-7353:
-------------------------------------
Thanks for the patch [~ebadger]. A couple of tests still fail on CentOS 7
because /bin is a symlink to /usr/bin there: test_normalize_mounts and
test_add_rw_mounts.
Here are the changes I had made for YARN-7344 -
{noformat}
TEST_F(TestDockerUtil, test_normalize_mounts) {
const int entries = 4;
- const char *permitted_mounts[] = {"/home", "/usr", "/bin/ls", NULL};
- const char *expected[] = {"/home/", "/usr/", "/bin/ls", NULL};
+ const char *permitted_mounts[] = {"/home", "/usr", "/usr/bin/yes", NULL};
+ const char *expected[] = {"/home/", "/usr/", "/usr/bin/yes", NULL};
char **ptr = static_cast<char **>(malloc(entries * sizeof(char *)));
for (int i = 0; i < entries; ++i) {
if (permitted_mounts[i] != NULL) {
@@ -659,22 +659,22 @@ namespace ContainerExecutor {
const int buff_len = 1024;
char buff[buff_len];
int ret = 0;
- std::string container_executor_cfg_contents = "[docker]\n
docker.allowed.rw-mounts=/usr,/var,/bin/ls,..\n "
-
"docker.allowed.ro-mounts=/bin/cat";
+ std::string container_executor_cfg_contents = "[docker]\n
docker.allowed.rw-mounts=/opt,/var,/usr/bin/yes,..\n "
+
"docker.allowed.ro-mounts=/usr/bin/cut";
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n
rw-mounts=/var:/var", "-v '/var:/var' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n
rw-mounts=/var/:/var/", "-v '/var/:/var/' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run\n
rw-mounts=/usr:/usr", "-v '/usr:/usr' "));
+ "[docker-command-execution]\n docker-command=run\n
rw-mounts=/opt:/opt", "-v '/opt:/opt' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run\n
rw-mounts=/usr/:/usr", "-v '/usr/:/usr' "));
+ "[docker-command-execution]\n docker-command=run\n
rw-mounts=/opt/:/opt", "-v '/opt/:/opt' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run\n
rw-mounts=/bin/ls:/bin/ls", "-v '/bin/ls:/bin/ls' "));
+ "[docker-command-execution]\n docker-command=run\n
rw-mounts=/usr/bin/yes:/usr/bin/yes", "-v '/usr/bin/yes:/usr/bin/yes' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
- "[docker-command-execution]\n docker-command=run\n
rw-mounts=/usr/bin:/mydisk1,/var/log/:/mydisk2",
- "-v '/usr/bin:/mydisk1' -v '/var/log/:/mydisk2' "));
+ "[docker-command-execution]\n docker-command=run\n
rw-mounts=/opt:/mydisk1,/var/log/:/mydisk2",
+ "-v '/opt:/mydisk1' -v '/var/log/:/mydisk2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n", ""));
write_container_executor_cfg(container_executor_cfg_contents);
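Review bot: The replacement fixtures still hard-code host paths (`/opt`, `/usr/bin/yes` and `/usr/bin/cut` in `container_executor_cfg_contents` and in the `rw-mounts=` cases), so the result keeps depending on the build host's filesystem layout, which is what broke the `/bin/ls` cases on CentOS 7. A host where one of these paths is missing or is itself a symlink would presumably fail the same way, and the `permitted_mounts` array in the test_normalize_mounts hunk above has the same dependency. Because these cases guard the mount allow-list, consider creating the directories and files under a test-owned temporary directory and building the config string from their resolved paths. At minimum, add a comment such as `// fixture paths must exist on the build host and must not be symlinks; mounts appear to be compared after normalization`. The enclosing test body starts and ends outside the hunk.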
@@ -708,7 +708,7 @@ namespace ContainerExecutor {
"[docker-command-execution]\n docker-command=run\n
rw-mounts=/home:/home",
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
- "[docker-command-execution]\n docker-command=run\n
rw-mounts=/bin/cat:/bin/cat",
+ "[docker-command-execution]\n docker-command=run\n
rw-mounts=/usr/bin/cut:/usr/bin/cut",
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n docker-command=run\n
rw-mounts=/blah:/blah",
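Review bot: The negative case `rw-mounts=/usr/bin/cut:/usr/bin/cut` can pass for the wrong reason. It expects `INVALID_DOCKER_RW_MOUNT`, presumably because the path is listed only under `docker.allowed.ro-mounts` as in the config of the previous hunk, but if `/usr/bin/cut` is absent on the build host the call may return the same code for an unresolvable path, as the neighbouring `/blah` case seems to rely on (its expected code is outside the hunk). The read-only-versus-read-write rejection would then go untested without any visible failure. Consider asserting that the fixture exists before the loop runs, or at least documenting it with `// /usr/bin/cut must exist on the host: it is permitted read-only, so a rw mount must be rejected`. The enclosing test starts and ends outside the hunk.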
{noformat}
Can you incorporate them into your patch? Thanks!
> Docker permitted volumes don't properly check for directories
> -------------------------------------------------------------
>
> Key: YARN-7353
> URL: https://issues.apache.org/jira/browse/YARN-7353
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Eric Badger
> Assignee: Eric Badger
> Attachments: YARN-7353.001.patch, YARN-7353.002.patch
>
>
> {noformat:title=docker-util.c:check_mount_permitted()}
> // directory check
> permitted_mount_len = strlen(permitted_mounts[i]);
> if (permitted_mount_len > 0
> && permitted_mounts[i][permitted_mount_len - 1] == '/') {
> if (strncmp(normalized_path, permitted_mounts[i], permitted_mount_len)
> == 0) {
> ret = 1;
> break;
> }
> }
> {noformat}
> This code will treat "/home/" as a directory, but not "/home"
> {noformat}
> [ FAILED ] 3 tests, listed below:
> [ FAILED ] TestDockerUtil.test_check_mount_permitted
> [ FAILED ] TestDockerUtil.test_normalize_mounts
> [ FAILED ] TestDockerUtil.test_add_rw_mounts
> {noformat}
> Additionally, YARN-6623 introduced new test failures in the C++
> container-executor test "cetest"