YARN-8380. Support bind propagation options for mounts in docker runtime.
Contributed by Billie Rinaldi
(cherry picked from commit 8688a0c7f8)
parent
e665c0a9dd
commit
23b8546a80
|
@ -157,9 +157,13 @@ import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.r
|
||||||
* {@code YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS} allows users to specify
|
* {@code YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS} allows users to specify
|
||||||
+ additional volume mounts for the Docker container. The value of the
|
+ additional volume mounts for the Docker container. The value of the
|
||||||
* environment variable should be a comma-separated list of mounts.
|
* environment variable should be a comma-separated list of mounts.
|
||||||
* All such mounts must be given as {@code source:dest:mode}, and the mode
|
* All such mounts must be given as {@code source:dest[:mode]} and the mode
|
||||||
* must be "ro" (read-only) or "rw" (read-write) to specify the type of
|
* must be "ro" (read-only) or "rw" (read-write) to specify the type of
|
||||||
* access being requested. The requested mounts will be validated by
|
* access being requested. If neither is specified, read-write will be
|
||||||
|
* assumed. The mode may include a bind propagation option. In that case,
|
||||||
|
* the mode should either be of the form [option], rw+[option], or
|
||||||
|
* ro+[option]. Valid bind propagation options are shared, rshared, slave,
|
||||||
|
* rslave, private, and rprivate. The requested mounts will be validated by
|
||||||
* container-executor based on the values set in container-executor.cfg for
|
* container-executor based on the values set in container-executor.cfg for
|
||||||
* {@code docker.allowed.ro-mounts} and {@code docker.allowed.rw-mounts}.
|
* {@code docker.allowed.ro-mounts} and {@code docker.allowed.rw-mounts}.
|
||||||
* </li>
|
* </li>
|
||||||
|
@ -192,7 +196,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
private static final Pattern hostnamePattern = Pattern.compile(
|
private static final Pattern hostnamePattern = Pattern.compile(
|
||||||
HOSTNAME_PATTERN);
|
HOSTNAME_PATTERN);
|
||||||
private static final Pattern USER_MOUNT_PATTERN = Pattern.compile(
|
private static final Pattern USER_MOUNT_PATTERN = Pattern.compile(
|
||||||
"(?<=^|,)([^:\\x00]+):([^:\\x00]+):([a-z]+)");
|
"(?<=^|,)([^:\\x00]+):([^:\\x00]+)" +
|
||||||
|
"(:(r[ow]|(r[ow][+])?(r?shared|r?slave|r?private)))?(?:,|$)");
|
||||||
private static final int HOST_NAME_LENGTH = 64;
|
private static final int HOST_NAME_LENGTH = 64;
|
||||||
private static final String DEFAULT_PROCFS = "/proc";
|
private static final String DEFAULT_PROCFS = "/proc";
|
||||||
|
|
||||||
|
@ -844,24 +849,30 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
+ environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
|
+ environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
|
||||||
}
|
}
|
||||||
parsedMounts.reset();
|
parsedMounts.reset();
|
||||||
|
long mountCount = 0;
|
||||||
while (parsedMounts.find()) {
|
while (parsedMounts.find()) {
|
||||||
|
mountCount++;
|
||||||
String src = parsedMounts.group(1);
|
String src = parsedMounts.group(1);
|
||||||
java.nio.file.Path srcPath = java.nio.file.Paths.get(src);
|
java.nio.file.Path srcPath = java.nio.file.Paths.get(src);
|
||||||
if (!srcPath.isAbsolute()) {
|
if (!srcPath.isAbsolute()) {
|
||||||
src = mountReadOnlyPath(src, localizedResources);
|
src = mountReadOnlyPath(src, localizedResources);
|
||||||
}
|
}
|
||||||
String dst = parsedMounts.group(2);
|
String dst = parsedMounts.group(2);
|
||||||
String mode = parsedMounts.group(3);
|
String mode = parsedMounts.group(4);
|
||||||
if (!mode.equals("ro") && !mode.equals("rw")) {
|
if (mode == null) {
|
||||||
throw new ContainerExecutionException(
|
mode = "rw";
|
||||||
"Invalid mount mode requested for mount: "
|
} else if (!mode.startsWith("ro") && !mode.startsWith("rw")) {
|
||||||
+ parsedMounts.group());
|
mode = "rw+" + mode;
|
||||||
}
|
|
||||||
if (mode.equals("ro")) {
|
|
||||||
runCommand.addReadOnlyMountLocation(src, dst);
|
|
||||||
} else {
|
|
||||||
runCommand.addReadWriteMountLocation(src, dst);
|
|
||||||
}
|
}
|
||||||
|
runCommand.addMountLocation(src, dst, mode);
|
||||||
|
}
|
||||||
|
long commaCount = environment.get(ENV_DOCKER_CONTAINER_MOUNTS).chars()
|
||||||
|
.filter(c -> c == ',').count();
|
||||||
|
if (mountCount != commaCount + 1) {
|
||||||
|
// this means the matcher skipped an improperly formatted mount
|
||||||
|
throw new ContainerExecutionException(
|
||||||
|
"Unable to parse some mounts in user supplied mount list: "
|
||||||
|
+ environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
|
||||||
}
|
}
|
||||||
}
|
}
|
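Review bot: In the mount loop, `else if (!mode.startsWith("ro") && !mode.startsWith("rw"))` recognises a bare propagation option by string prefix, which is only correct while no option name starts with "ro" or "rw"; the pattern already captures the access prefix in its own group, so `parsedMounts.group(5) == null && parsedMounts.group(6) != null` states the same condition without depending on the option names. Named groups in `USER_MOUNT_PATTERN` would remove the positional indexes altogether, one of which already moved from 3 to 4 in this change. Both an omitted mode and a bare option now resolve to read-write, so I would add a comment at `mode = "rw";` such as `// implicit rw: container-executor still checks the source against docker.allowed.rw-mounts`. The enclosing method starts and ends outside this hunk.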
||||||
|
|
||||||
|
|
|
@ -65,19 +65,15 @@ public class DockerRunCommand extends DockerCommand {
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addMountLocation(String sourcePath, String
|
public DockerRunCommand addMountLocation(String sourcePath, String
|
||||||
destinationPath, boolean createSource) {
|
destinationPath, String mode) {
|
||||||
boolean sourceExists = new File(sourcePath).exists();
|
super.addCommandArguments("mounts", sourcePath + ":" +
|
||||||
if (!sourceExists && !createSource) {
|
destinationPath + ":" + mode);
|
||||||
return this;
|
|
||||||
}
|
|
||||||
super.addCommandArguments("rw-mounts", sourcePath + ":" + destinationPath);
|
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addReadWriteMountLocation(String sourcePath, String
|
public DockerRunCommand addReadWriteMountLocation(String sourcePath, String
|
||||||
destinationPath) {
|
destinationPath) {
|
||||||
super.addCommandArguments("rw-mounts", sourcePath + ":" + destinationPath);
|
return addMountLocation(sourcePath, destinationPath, "rw");
|
||||||
return this;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addAllReadWriteMountLocations(List<String> paths) {
|
public DockerRunCommand addAllReadWriteMountLocations(List<String> paths) {
|
||||||
|
@ -93,14 +89,12 @@ public class DockerRunCommand extends DockerCommand {
|
||||||
if (!sourceExists && !createSource) {
|
if (!sourceExists && !createSource) {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
super.addCommandArguments("ro-mounts", sourcePath + ":" + destinationPath);
|
return addReadOnlyMountLocation(sourcePath, destinationPath);
|
||||||
return this;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addReadOnlyMountLocation(String sourcePath, String
|
public DockerRunCommand addReadOnlyMountLocation(String sourcePath, String
|
||||||
destinationPath) {
|
destinationPath) {
|
||||||
super.addCommandArguments("ro-mounts", sourcePath + ":" + destinationPath);
|
return addMountLocation(sourcePath, destinationPath, "ro");
|
||||||
return this;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addAllReadOnlyMountLocations(List<String> paths) {
|
public DockerRunCommand addAllReadOnlyMountLocations(List<String> paths) {
|
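Review bot: `addMountLocation(String sourcePath, String destinationPath, String mode)` is public, has no Javadoc, and appends `mode` to the `mounts` argument unchecked, so the accepted mode strings are defined only by its callers. The `add_mounts` change in this same commit shows container-executor splitting that value on commas and taking the mode after the last colon, so a stray `,` or `:` in any of the three arguments changes how the entry is parsed. I would add a Javadoc stating that `mode` is `ro` or `rw`, optionally followed by `+` and a bind propagation option, that no argument may contain `,`, and that container-executor is the component that enforces the allowed mounts. The old `createSource` overload of this name is removed, so any caller outside this page that relied on it skipping a missing source should be re-checked.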
||||||
|
|
|
@ -1095,105 +1095,150 @@ static char* get_mount_source(const char *mount) {
|
||||||
return strndup(mount, len);
|
return strndup(mount, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int add_mounts(const struct configuration *command_config, const struct configuration *conf, const char *key,
|
static char* get_mount_type(const char *mount) {
|
||||||
const int ro, args *args) {
|
const char *tmp = strrchr(mount, ':');
|
||||||
const char *ro_suffix = "";
|
if (tmp == NULL) {
|
||||||
|
fprintf(ERRORFILE, "Invalid docker mount '%s'\n", mount);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if (strlen(tmp) < 2) {
|
||||||
|
fprintf(ERRORFILE, "Invalid docker mount '%s'\n", mount);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
char *mount_type = strdup(&tmp[1]);
|
||||||
|
if (strncmp("ro", mount_type, 2) != 0 &&
|
||||||
|
strncmp("rw", mount_type, 2) != 0) {
|
||||||
|
fprintf(ERRORFILE, "Invalid docker mount type '%s'\n", mount_type);
|
||||||
|
free(mount_type);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if (strlen(mount_type) > 2) {
|
||||||
|
if (strlen(mount_type) < 8 ||
|
||||||
|
(strcmp("shared", mount_type + 3) != 0 &&
|
||||||
|
strcmp("rshared", mount_type + 3) != 0 &&
|
||||||
|
strcmp("slave", mount_type + 3) != 0 &&
|
||||||
|
strcmp("rslave", mount_type + 3) != 0 &&
|
||||||
|
strcmp("private", mount_type + 3) != 0 &&
|
||||||
|
strcmp("rprivate", mount_type + 3) != 0)) {
|
||||||
|
fprintf(ERRORFILE, "Invalid docker mount type '%s'\n", mount_type);
|
||||||
|
free(mount_type);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
mount_type[2] = ',';
|
||||||
|
}
|
||||||
|
return mount_type;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int add_mounts(const struct configuration *command_config, const struct configuration *conf, args *args) {
|
||||||
const char *tmp_path_buffer[2] = {NULL, NULL};
|
const char *tmp_path_buffer[2] = {NULL, NULL};
|
||||||
char *mount_src = NULL;
|
char *mount_src = NULL;
|
||||||
|
char *mount_type = NULL;
|
||||||
char **permitted_ro_mounts = get_configuration_values_delimiter("docker.allowed.ro-mounts",
|
char **permitted_ro_mounts = get_configuration_values_delimiter("docker.allowed.ro-mounts",
|
||||||
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
||||||
char **permitted_rw_mounts = get_configuration_values_delimiter("docker.allowed.rw-mounts",
|
char **permitted_rw_mounts = get_configuration_values_delimiter("docker.allowed.rw-mounts",
|
||||||
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
||||||
char **values = get_configuration_values_delimiter(key, DOCKER_COMMAND_FILE_SECTION, command_config, ",");
|
char **values = get_configuration_values_delimiter("mounts", DOCKER_COMMAND_FILE_SECTION, command_config, ",");
|
||||||
char *config_path = get_config_path("");
|
char *config_path = get_config_path("");
|
||||||
const char *container_executor_cfg_path = normalize_mount(config_path, 0);
|
const char *container_executor_cfg_path = normalize_mount(config_path, 0);
|
||||||
free(config_path);
|
free(config_path);
|
||||||
int i = 0, permitted_rw = 0, permitted_ro = 0, ret = 0;
|
int i = 0, permitted_rw = 0, permitted_ro = 0, ret = 0;
|
||||||
if (ro != 0) {
|
if (values == NULL) {
|
||||||
ro_suffix = ":ro";
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
if (values != NULL) {
|
// Disable mount volumes if image is not trusted.
|
||||||
// Disable mount volumes if image is not trusted.
|
if (check_trusted_image(command_config, conf) != 0) {
|
||||||
if (check_trusted_image(command_config, conf) != 0) {
|
fprintf(ERRORFILE, "Disable mount volume for untrusted image\n");
|
||||||
fprintf(ERRORFILE, "Disable mount volume for untrusted image\n");
|
// YARN will implicitly bind node manager local directory to
|
||||||
// YARN will implicitly bind node manager local directory to
|
// docker image. This can create file system security holes,
|
||||||
// docker image. This can create file system security holes,
|
// if docker container has binary to escalate privileges.
|
||||||
// if docker container has binary to escalate privileges.
|
// For untrusted image, we drop mounting without reporting
|
||||||
// For untrusted image, we drop mounting without reporting
|
// INVALID_DOCKER_MOUNT messages to allow running untrusted
|
||||||
// INVALID_DOCKER_MOUNT messages to allow running untrusted
|
// image in a sandbox.
|
||||||
// image in a sandbox.
|
ret = 0;
|
||||||
ret = 0;
|
goto free_and_exit;
|
||||||
|
}
|
||||||
|
ret = normalize_mounts(permitted_ro_mounts, 1);
|
||||||
|
ret |= normalize_mounts(permitted_rw_mounts, 1);
|
||||||
|
if (ret != 0) {
|
||||||
|
fprintf(ERRORFILE, "Unable to find permitted docker mounts on disk\n");
|
||||||
|
ret = MOUNT_ACCESS_ERROR;
|
||||||
|
goto free_and_exit;
|
||||||
|
}
|
||||||
|
for (i = 0; values[i] != NULL; i++) {
|
||||||
|
mount_src = get_mount_source(values[i]);
|
||||||
|
if (mount_src == NULL) {
|
||||||
|
fprintf(ERRORFILE, "Invalid docker mount '%s'\n", values[i]);
|
||||||
|
ret = INVALID_DOCKER_MOUNT;
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
ret = normalize_mounts(permitted_ro_mounts, 1);
|
mount_type = get_mount_type(values[i]);
|
||||||
ret |= normalize_mounts(permitted_rw_mounts, 1);
|
if (mount_type == NULL) {
|
||||||
if (ret != 0) {
|
fprintf(ERRORFILE, "Invalid docker mount '%s'\n", values[i]);
|
||||||
fprintf(ERRORFILE, "Unable to find permitted docker mounts on disk\n");
|
ret = INVALID_DOCKER_MOUNT;
|
||||||
ret = MOUNT_ACCESS_ERROR;
|
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
for (i = 0; values[i] != NULL; i++) {
|
permitted_rw = check_mount_permitted((const char **) permitted_rw_mounts, mount_src);
|
||||||
mount_src = get_mount_source(values[i]);
|
permitted_ro = check_mount_permitted((const char **) permitted_ro_mounts, mount_src);
|
||||||
if (mount_src == NULL) {
|
if (permitted_ro == -1 || permitted_rw == -1) {
|
||||||
fprintf(ERRORFILE, "Invalid docker mount '%s'\n", values[i]);
|
fprintf(ERRORFILE, "Invalid docker mount '%s', realpath=%s\n", values[i], mount_src);
|
||||||
ret = INVALID_DOCKER_MOUNT;
|
ret = INVALID_DOCKER_MOUNT;
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
permitted_rw = check_mount_permitted((const char **) permitted_rw_mounts, mount_src);
|
if (strncmp("rw", mount_type, 2) == 0) {
|
||||||
permitted_ro = check_mount_permitted((const char **) permitted_ro_mounts, mount_src);
|
|
||||||
if (permitted_ro == -1 || permitted_rw == -1) {
|
|
||||||
fprintf(ERRORFILE, "Invalid docker mount '%s', realpath=%s\n", values[i], mount_src);
|
|
||||||
ret = INVALID_DOCKER_MOUNT;
|
|
||||||
goto free_and_exit;
|
|
||||||
}
|
|
||||||
// rw mount
|
// rw mount
|
||||||
if (ro == 0) {
|
if (permitted_rw == 0) {
|
||||||
if (permitted_rw == 0) {
|
fprintf(ERRORFILE, "Invalid docker rw mount '%s', realpath=%s\n", values[i], mount_src);
|
||||||
fprintf(ERRORFILE, "Invalid docker rw mount '%s', realpath=%s\n", values[i], mount_src);
|
ret = INVALID_DOCKER_RW_MOUNT;
|
||||||
|
goto free_and_exit;
|
||||||
|
} else {
|
||||||
|
// determine if the user can modify the container-executor.cfg file
|
||||||
|
tmp_path_buffer[0] = normalize_mount(mount_src, 0);
|
||||||
|
// just re-use the function, flip the args to check if the container-executor path is in the requested
|
||||||
|
// mount point
|
||||||
|
ret = check_mount_permitted(tmp_path_buffer, container_executor_cfg_path);
|
||||||
|
free((void *) tmp_path_buffer[0]);
|
||||||
|
if (ret == 1) {
|
||||||
|
fprintf(ERRORFILE, "Attempting to mount a parent directory '%s' of container-executor.cfg as read-write\n",
|
||||||
|
values[i]);
|
||||||
ret = INVALID_DOCKER_RW_MOUNT;
|
ret = INVALID_DOCKER_RW_MOUNT;
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
} else {
|
|
||||||
// determine if the user can modify the container-executor.cfg file
|
|
||||||
tmp_path_buffer[0] = normalize_mount(mount_src, 0);
|
|
||||||
// just re-use the function, flip the args to check if the container-executor path is in the requested
|
|
||||||
// mount point
|
|
||||||
ret = check_mount_permitted(tmp_path_buffer, container_executor_cfg_path);
|
|
||||||
free((void *) tmp_path_buffer[0]);
|
|
||||||
if (ret == 1) {
|
|
||||||
fprintf(ERRORFILE, "Attempting to mount a parent directory '%s' of container-executor.cfg as read-write\n",
|
|
||||||
values[i]);
|
|
||||||
ret = INVALID_DOCKER_RW_MOUNT;
|
|
||||||
goto free_and_exit;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
//ro mount
|
} else {
|
||||||
if (ro != 0 && permitted_ro == 0 && permitted_rw == 0) {
|
// ro mount
|
||||||
|
if (permitted_ro == 0 && permitted_rw == 0) {
|
||||||
fprintf(ERRORFILE, "Invalid docker ro mount '%s', realpath=%s\n", values[i], mount_src);
|
fprintf(ERRORFILE, "Invalid docker ro mount '%s', realpath=%s\n", values[i], mount_src);
|
||||||
ret = INVALID_DOCKER_RO_MOUNT;
|
ret = INVALID_DOCKER_RO_MOUNT;
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = add_to_args(args, "-v");
|
|
||||||
if (ret != 0) {
|
|
||||||
ret = BUFFER_TOO_SMALL;
|
|
||||||
goto free_and_exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
char *tmp_buffer = make_string("%s%s", values[i], (char *) ro_suffix);
|
|
||||||
ret = add_to_args(args, tmp_buffer);
|
|
||||||
free(tmp_buffer);
|
|
||||||
if (ret != 0) {
|
|
||||||
ret = BUFFER_TOO_SMALL;
|
|
||||||
goto free_and_exit;
|
|
||||||
}
|
|
||||||
free(mount_src);
|
|
||||||
mount_src = NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (strlen(mount_type) > 2) {
|
||||||
|
// overwrite separator between read mode and propagation option with ','
|
||||||
|
int mount_type_index = strlen(values[i]) - strlen(mount_type);
|
||||||
|
values[i][mount_type_index + 2] = ',';
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = add_to_args(args, "-v");
|
||||||
|
if (ret != 0) {
|
||||||
|
ret = BUFFER_TOO_SMALL;
|
||||||
|
goto free_and_exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = add_to_args(args, values[i]);
|
||||||
|
if (ret != 0) {
|
||||||
|
ret = BUFFER_TOO_SMALL;
|
||||||
|
goto free_and_exit;
|
||||||
|
}
|
||||||
|
free(mount_src);
|
||||||
|
free(mount_type);
|
||||||
|
mount_src = NULL;
|
||||||
|
mount_type = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
free_and_exit:
|
free_and_exit:
|
||||||
free(mount_src);
|
free(mount_src);
|
||||||
|
free(mount_type);
|
||||||
free_values(permitted_ro_mounts);
|
free_values(permitted_ro_mounts);
|
||||||
free_values(permitted_rw_mounts);
|
free_values(permitted_rw_mounts);
|
||||||
free_values(values);
|
free_values(values);
|
||||||
|
@ -1201,14 +1246,6 @@ free_and_exit:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int add_ro_mounts(const struct configuration *command_config, const struct configuration *conf, args *args) {
|
|
||||||
return add_mounts(command_config, conf, "ro-mounts", 1, args);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int add_rw_mounts(const struct configuration *command_config, const struct configuration *conf, args *args) {
|
|
||||||
return add_mounts(command_config, conf, "rw-mounts", 0, args);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int check_privileges(const char *user) {
|
static int check_privileges(const char *user) {
|
||||||
int ngroups = 0;
|
int ngroups = 0;
|
||||||
gid_t *groups = NULL;
|
gid_t *groups = NULL;
|
||||||
|
@ -1427,12 +1464,7 @@ int get_docker_run_command(const char *command_file, const struct configuration
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = add_ro_mounts(&command_config, conf, args);
|
ret = add_mounts(&command_config, conf, args);
|
||||||
if (ret != 0) {
|
|
||||||
goto free_and_exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = add_rw_mounts(&command_config, conf, args);
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
goto free_and_exit;
|
goto free_and_exit;
|
||||||
}
|
}
|
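Review bot: `get_mount_type` never looks at the character between the access mode and the propagation option: when the type is longer than two characters it compares from `mount_type + 3` and then overwrites `mount_type[2]` with `,`, so any separator (not only `+`) is accepted and rewritten. The length test should also require the separator, e.g. `if (mount_type[2] != '+' || strlen(mount_type) < 8 ||` in place of `if (strlen(mount_type) < 8 ||`, and the `strdup` result should be checked for NULL before the first `strncmp`. Separately, `add_mounts` gates only the source path on `docker.allowed.ro-mounts` / `docker.allowed.rw-mounts`; nothing visible here lets an administrator restrict which propagation options a trusted-image container may request, and `shared`/`rshared` make mounts propagate between the container and the host, so that choice probably deserves its own container-executor.cfg control or at least a comment explaining why it is unrestricted. A test case with a wrong separator, expecting `INVALID_DOCKER_MOUNT`, would pin the first point.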
||||||
|
|
|
@ -934,36 +934,42 @@ namespace ContainerExecutor {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
TEST_F(TestDockerUtil, test_add_rw_mounts) {
|
TEST_F(TestDockerUtil, test_add_mounts) {
|
||||||
struct configuration container_cfg, cmd_cfg;
|
struct configuration container_cfg, cmd_cfg;
|
||||||
struct args buff = ARGS_INITIAL_VALUE;
|
struct args buff = ARGS_INITIAL_VALUE;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
std::string container_executor_cfg_contents = "[docker]\n docker.trusted.registries=hadoop\n "
|
std::string container_executor_cfg_contents = "[docker]\n docker.trusted.registries=hadoop\n "
|
||||||
"docker.allowed.rw-mounts=/opt,/var,/usr/bin/cut\n "
|
"docker.allowed.rw-mounts=/opt,/var,/usr/bin/cut,/usr/bin/awk\n "
|
||||||
"docker.allowed.ro-mounts=/etc/passwd";
|
"docker.allowed.ro-mounts=/etc/passwd";
|
||||||
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/var:/var", "-v /var:/var"));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/var:/var:rw", "-v /var:/var:rw"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n rw-mounts=/var:/var", ""));
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n mounts=/var:/var:rw", ""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/var/:/var/", "-v /var/:/var/"));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/var/:/var/:rw", "-v /var/:/var/:rw"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/usr/bin/cut:/usr/bin/cut",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/usr/bin/cut:/usr/bin/cut:rw",
|
||||||
"-v /usr/bin/cut:/usr/bin/cut"));
|
"-v /usr/bin/cut:/usr/bin/cut:rw"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n rw-mounts=/lib:/lib",
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n mounts=/lib:/lib:rw",
|
||||||
""));
|
""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/opt:/mydisk1,/var/log/:/mydisk2",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/opt:/mydisk1:rw,/var/log/:/mydisk2:rw",
|
||||||
"-v /opt:/mydisk1 -v /var/log/:/mydisk2"));
|
"-v /opt:/mydisk1:rw -v /var/log/:/mydisk2:rw"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n rw-mounts=/opt:/mydisk1,/var/log/:/mydisk2",
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n mounts=/opt:/mydisk1:rw,/var/log/:/mydisk2:rw",
|
||||||
""));
|
""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n", ""));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n", ""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n", ""));
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n", ""));
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/usr/bin/awk:/awk:rw+shared,/etc/passwd:/etc/passwd:ro",
|
||||||
|
"-v /usr/bin/awk:/awk:rw,shared -v /etc/passwd:/etc/passwd:ro"));
|
||||||
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/var:/var:ro+rprivate,/etc/passwd:/etc/passwd:ro+rshared",
|
||||||
|
"-v /var:/var:ro,rprivate -v /etc/passwd:/etc/passwd:ro,rshared"));
|
||||||
write_container_executor_cfg(container_executor_cfg_contents);
|
write_container_executor_cfg(container_executor_cfg_contents);
|
||||||
ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
|
ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
|
@ -984,7 +990,7 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_rw_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_EQ(0, ret);
|
ASSERT_EQ(0, ret);
|
||||||
ASSERT_STREQ(itr->second.c_str(), actual);
|
ASSERT_STREQ(itr->second.c_str(), actual);
|
||||||
|
@ -995,13 +1001,22 @@ namespace ContainerExecutor {
|
||||||
|
|
||||||
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
||||||
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/lib:/lib",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/lib:/lib:rw",
|
||||||
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
||||||
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/usr/bin/:/usr/bin",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/usr/bin/:/usr/bin:rw",
|
||||||
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
||||||
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=/blah:/blah",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/blah:/blah:rw",
|
||||||
|
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
||||||
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/tmp:/tmp:shared",
|
||||||
|
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
||||||
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/lib:/lib",
|
||||||
|
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
||||||
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/lib:/lib:other",
|
||||||
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
||||||
|
|
||||||
std::vector<std::pair<std::string, int> >::const_iterator itr2;
|
std::vector<std::pair<std::string, int> >::const_iterator itr2;
|
||||||
|
@ -1012,7 +1027,7 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_rw_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_EQ(itr2->second, ret);
|
ASSERT_EQ(itr2->second, ret);
|
||||||
ASSERT_STREQ("", actual);
|
ASSERT_STREQ("", actual);
|
||||||
|
@ -1024,14 +1039,14 @@ namespace ContainerExecutor {
|
||||||
// verify that you can't mount any directory in the container-executor.cfg path
|
// verify that you can't mount any directory in the container-executor.cfg path
|
||||||
char *ce_path = realpath("../etc/hadoop/container-executor.cfg", NULL);
|
char *ce_path = realpath("../etc/hadoop/container-executor.cfg", NULL);
|
||||||
while (strlen(ce_path) != 0) {
|
while (strlen(ce_path) != 0) {
|
||||||
std::string cmd_file_contents = "[docker-command-execution]\n docker-command=run\n image=hadoop/image\n rw-mounts=";
|
std::string cmd_file_contents = "[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=";
|
||||||
cmd_file_contents.append(ce_path).append(":").append("/etc/hadoop");
|
cmd_file_contents.append(ce_path).append(":").append("/etc/hadoop").append(":rw");
|
||||||
write_command_file(cmd_file_contents);
|
write_command_file(cmd_file_contents);
|
||||||
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_rw_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
ASSERT_EQ(INVALID_DOCKER_RW_MOUNT, ret) << " for input " << cmd_file_contents;
|
ASSERT_EQ(INVALID_DOCKER_RW_MOUNT, ret) << " for input " << cmd_file_contents;
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_STREQ("", actual);
|
ASSERT_STREQ("", actual);
|
||||||
|
@ -1046,7 +1061,7 @@ namespace ContainerExecutor {
|
||||||
free(ce_path);
|
free(ce_path);
|
||||||
free_configuration(&container_cfg);
|
free_configuration(&container_cfg);
|
||||||
|
|
||||||
// For untrusted image, container add_rw_mounts will pass through
|
// For untrusted image, container add_mounts will pass through
|
||||||
// without mounting or report error code.
|
// without mounting or report error code.
|
||||||
container_executor_cfg_contents = "[docker]\n";
|
container_executor_cfg_contents = "[docker]\n";
|
||||||
write_container_executor_cfg(container_executor_cfg_contents);
|
write_container_executor_cfg(container_executor_cfg_contents);
|
||||||
|
@ -1054,7 +1069,7 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_rw_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_EQ(0, ret);
|
ASSERT_EQ(0, ret);
|
||||||
ASSERT_STREQ("", actual);
|
ASSERT_STREQ("", actual);
|
||||||
|
@ -1073,26 +1088,26 @@ namespace ContainerExecutor {
|
||||||
"docker.allowed.ro-mounts=/etc/passwd,/etc/group";
|
"docker.allowed.ro-mounts=/etc/passwd,/etc/group";
|
||||||
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n ro-mounts=/var:/var", ""));
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n mounts=/var:/var:ro", ""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n ro-mounts=/etc:/etc", ""));
|
"[docker-command-execution]\n docker-command=run\n image=nothadoop/image\n mounts=/etc:/etc:ro", ""));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/var/:/var/", "-v /var/:/var/:ro"));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/var/:/var/:ro", "-v /var/:/var/:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/home:/home", "-v /home:/home:ro"));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/home:/home:ro", "-v /home:/home:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/home/:/home", "-v /home/:/home:ro"));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/home/:/home:ro", "-v /home/:/home:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/usr/bin/cut:/usr/bin/cut",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/usr/bin/cut:/usr/bin/cut:ro",
|
||||||
"-v /usr/bin/cut:/usr/bin/cut:ro"));
|
"-v /usr/bin/cut:/usr/bin/cut:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/etc/group:/etc/group",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/etc/group:/etc/group:ro",
|
||||||
"-v /etc/group:/etc/group:ro"));
|
"-v /etc/group:/etc/group:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/etc/passwd:/etc/passwd",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/etc/passwd:/etc/passwd:ro",
|
||||||
"-v /etc/passwd:/etc/passwd:ro"));
|
"-v /etc/passwd:/etc/passwd:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/var/log:/mydisk1,/etc/passwd:/etc/passwd",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/var/log:/mydisk1:ro,/etc/passwd:/etc/passwd:ro",
|
||||||
"-v /var/log:/mydisk1:ro -v /etc/passwd:/etc/passwd:ro"));
|
"-v /var/log:/mydisk1:ro -v /etc/passwd:/etc/passwd:ro"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n", ""));
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n", ""));
|
||||||
|
@ -1116,7 +1131,7 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_ro_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_EQ(0, ret);
|
ASSERT_EQ(0, ret);
|
||||||
ASSERT_STREQ(itr->second.c_str(), actual);
|
ASSERT_STREQ(itr->second.c_str(), actual);
|
||||||
|
@ -1127,10 +1142,10 @@ namespace ContainerExecutor {
|
||||||
|
|
||||||
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
||||||
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/etc:/etc",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/etc:/etc:ro",
|
||||||
static_cast<int>(INVALID_DOCKER_RO_MOUNT)));
|
static_cast<int>(INVALID_DOCKER_RO_MOUNT)));
|
||||||
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/blah:/blah",
|
"[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/blah:/blah:ro",
|
||||||
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
static_cast<int>(INVALID_DOCKER_MOUNT)));
|
||||||
|
|
||||||
std::vector<std::pair<std::string, int> >::const_iterator itr2;
|
std::vector<std::pair<std::string, int> >::const_iterator itr2;
|
||||||
|
@ -1141,7 +1156,7 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_ro_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
char *actual = flatten(&buff);
|
char *actual = flatten(&buff);
|
||||||
ASSERT_EQ(itr2->second, ret);
|
ASSERT_EQ(itr2->second, ret);
|
||||||
ASSERT_STREQ("", actual);
|
ASSERT_STREQ("", actual);
|
||||||
|
@ -1157,12 +1172,12 @@ namespace ContainerExecutor {
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
write_command_file("[docker-command-execution]\n docker-command=run\n image=hadoop/image\n ro-mounts=/home:/home");
|
write_command_file("[docker-command-execution]\n docker-command=run\n image=hadoop/image\n mounts=/home:/home:ro");
|
||||||
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
FAIL();
|
FAIL();
|
||||||
}
|
}
|
||||||
ret = add_ro_mounts(&cmd_cfg, &container_cfg, &buff);
|
ret = add_mounts(&cmd_cfg, &container_cfg, &buff);
|
||||||
ASSERT_EQ(INVALID_DOCKER_RO_MOUNT, ret);
|
ASSERT_EQ(INVALID_DOCKER_RO_MOUNT, ret);
|
||||||
ASSERT_EQ(0, buff.length);
|
ASSERT_EQ(0, buff.length);
|
||||||
reset_args(&buff);
|
reset_args(&buff);
|
||||||
|
@ -1203,18 +1218,18 @@ namespace ContainerExecutor {
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
|
||||||
" --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
|
" --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
|
||||||
"test_script.sh arg1 arg2"));
|
"test_script.sh arg1 arg2"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n"
|
" network=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1225,18 +1240,18 @@ namespace ContainerExecutor {
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
|
||||||
"--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
|
"--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
|
||||||
" test_script.sh arg1 arg2"));
|
" test_script.sh arg1 arg2"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n net=bridge\n"
|
" network=bridge\n net=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1247,24 +1262,24 @@ namespace ContainerExecutor {
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --privileged --cap-drop=ALL "
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --privileged --cap-drop=ALL "
|
||||||
"--cap-add=CHOWN --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image "
|
"--cap-add=CHOWN --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image "
|
||||||
"bash test_script.sh arg1 arg2"));
|
"bash test_script.sh arg1 arg2"));
|
||||||
|
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --privileged --cap-drop=ALL "
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --privileged --cap-drop=ALL "
|
||||||
"--cap-add=CHOWN --cap-add=SETUID --hostname=host-id "
|
"--cap-add=CHOWN --cap-add=SETUID --hostname=host-id "
|
||||||
"--device=/dev/test:/dev/test hadoop/docker-image bash test_script.sh arg1 arg2"));
|
"--device=/dev/test:/dev/test hadoop/docker-image bash test_script.sh arg1 arg2"));
|
||||||
|
|
||||||
|
@ -1292,7 +1307,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n net=bridge\n privileged=true\n"
|
" network=bridge\n net=bridge\n privileged=true\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1302,7 +1317,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/var/log:/var/log\n"
|
" mounts=/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/var/log:/var/log:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1312,7 +1327,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/bin:/bin,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/bin:/bin:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1322,7 +1337,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
||||||
" cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1332,7 +1347,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n"
|
" network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1342,7 +1357,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1432,18 +1447,18 @@ namespace ContainerExecutor {
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN"
|
||||||
" --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
|
" --cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash "
|
||||||
"test_script.sh arg1 arg2"));
|
"test_script.sh arg1 arg2"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n"
|
" network=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1453,18 +1468,18 @@ namespace ContainerExecutor {
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
"run --name=container_e1_12312_11111_02_000001 --user=nobody -d --rm --net=bridge -v /var/log:/var/log:ro -v /var/lib:/lib:ro"
|
||||||
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
|
" -v /usr/bin/cut:/usr/bin/cut:ro -v /tmp:/tmp:rw --cgroup-parent=ctr-cgroup --cap-drop=ALL --cap-add=CHOWN "
|
||||||
"--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
|
"--cap-add=SETUID --hostname=host-id --device=/dev/test:/dev/test hadoop/docker-image bash"
|
||||||
" test_script.sh arg1 arg2"));
|
" test_script.sh arg1 arg2"));
|
||||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n net=bridge\n"
|
" network=bridge\n net=bridge\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
@ -1475,7 +1490,7 @@ namespace ContainerExecutor {
|
||||||
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
||||||
"[docker-command-execution]\n"
|
"[docker-command-execution]\n"
|
||||||
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
|
||||||
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
|
" mounts=/var/log:/var/log:ro,/var/lib:/lib:ro,/usr/bin/cut:/usr/bin/cut:ro,/tmp:/tmp:rw\n"
|
||||||
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
||||||
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
||||||
" launch-command=bash,test_script.sh,arg1,arg2",
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
||||||
|
|
|
@ -389,7 +389,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -406,17 +406,16 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -440,7 +439,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
Assert.assertEquals(14, dockerCommands.size());
|
Assert.assertEquals(13, dockerCommands.size());
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
@ -456,18 +455,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert
|
Assert
|
||||||
.assertEquals(" net=host", dockerCommands.get(counter++));
|
.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -555,7 +553,7 @@ public class TestDockerContainerRuntime {
|
||||||
//This is the expected docker invocation for this case
|
//This is the expected docker invocation for this case
|
||||||
List<String> dockerCommands = Files
|
List<String> dockerCommands = Files
|
||||||
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -574,18 +572,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert
|
Assert
|
||||||
.assertEquals(" net=" + allowedNetwork, dockerCommands.get(counter++));
|
.assertEquals(" net=" + allowedNetwork, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -615,7 +612,7 @@ public class TestDockerContainerRuntime {
|
||||||
//This is the expected docker invocation for this case
|
//This is the expected docker invocation for this case
|
||||||
List<String> dockerCommands = Files
|
List<String> dockerCommands = Files
|
||||||
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -634,18 +631,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert
|
Assert
|
||||||
.assertEquals(" net=host", dockerCommands.get(counter++));
|
.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -685,7 +681,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files
|
List<String> dockerCommands = Files
|
||||||
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -705,17 +701,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=sdn1", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=sdn1", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -754,18 +750,16 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=sdn2", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=sdn2", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -803,7 +797,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
|
|
||||||
String command = dockerCommands.get(0);
|
String command = dockerCommands.get(0);
|
||||||
|
@ -854,7 +848,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -871,18 +865,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" pid=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" pid=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -907,7 +900,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
|
|
||||||
String command = dockerCommands.get(0);
|
String command = dockerCommands.get(0);
|
||||||
|
@ -1016,7 +1009,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1031,18 +1024,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" privileged=true", dockerCommands.get(counter++));
|
Assert.assertEquals(" privileged=true", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + submittingUser,
|
Assert.assertEquals(" user=" + submittingUser,
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
|
@ -1103,7 +1095,7 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
env.put(
|
env.put(
|
||||||
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
||||||
"source");
|
"/source");
|
||||||
|
|
||||||
try {
|
try {
|
||||||
runtime.launchContainer(builder.build());
|
runtime.launchContainer(builder.build());
|
||||||
|
@ -1133,7 +1125,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1150,19 +1142,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/test_local_dir/test_resource_file:test_mount:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
|
||||||
" ro-mounts=/test_filecache_dir:/test_filecache_dir,/"
|
|
||||||
+ "test_user_filecache_dir:/test_user_filecache_dir,"
|
|
||||||
+ "/test_local_dir/test_resource_file:test_mount",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -1189,7 +1179,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1206,20 +1196,18 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/test_local_dir/test_resource_file:test_mount1:ro,"
|
||||||
|
+ "/test_local_dir/test_resource_file:test_mount2:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
|
||||||
" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir,"
|
|
||||||
+ "/test_local_dir/test_resource_file:test_mount1,"
|
|
||||||
+ "/test_local_dir/test_resource_file:test_mount2",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -1235,7 +1223,8 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
env.put(
|
env.put(
|
||||||
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
||||||
"/tmp/foo:/tmp/foo:ro,/tmp/bar:/tmp/bar:rw");
|
"/tmp/foo:/tmp/foo:ro,/tmp/bar:/tmp/bar:rw,/tmp/baz:/tmp/baz," +
|
||||||
|
"/a:/a:shared,/b:/b:ro+shared,/c:/c:rw+rshared,/d:/d:private");
|
||||||
|
|
||||||
runtime.launchContainer(builder.build());
|
runtime.launchContainer(builder.build());
|
||||||
PrivilegedOperation op = capturePrivilegedOperationAndVerifyArgs();
|
PrivilegedOperation op = capturePrivilegedOperationAndVerifyArgs();
|
||||||
|
@ -1245,7 +1234,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1262,19 +1251,19 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/tmp/foo:/tmp/foo:ro,"
|
||||||
|
+ "/tmp/bar:/tmp/bar:rw,/tmp/baz:/tmp/baz:rw,/a:/a:rw+shared,"
|
||||||
|
+ "/b:/b:ro+shared,/c:/c:rw+rshared,/d:/d:rw+private",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir,"
|
|
||||||
+ "/tmp/foo:/tmp/foo",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir,"
|
|
||||||
+ "/tmp/bar:/tmp/bar",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -1288,7 +1277,7 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
env.put(
|
env.put(
|
||||||
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
||||||
"source:target");
|
"/source:target:ro,/source:target:other,/source:target:rw");
|
||||||
|
|
||||||
try {
|
try {
|
||||||
runtime.launchContainer(builder.build());
|
runtime.launchContainer(builder.build());
|
||||||
|
@ -1306,7 +1295,7 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
env.put(
|
env.put(
|
||||||
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
||||||
"source:target:other");
|
"/source:target:other");
|
||||||
|
|
||||||
try {
|
try {
|
||||||
runtime.launchContainer(builder.build());
|
runtime.launchContainer(builder.build());
|
||||||
|
@ -1324,7 +1313,7 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
env.put(
|
env.put(
|
||||||
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_MOUNTS,
|
||||||
"s\0ource:target:ro");
|
"/s\0ource:target:ro");
|
||||||
|
|
||||||
try {
|
try {
|
||||||
runtime.launchContainer(builder.build());
|
runtime.launchContainer(builder.build());
|
||||||
|
@ -1352,7 +1341,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1369,18 +1358,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/tmp/foo:/tmp/foo:ro,/tmp/bar:/tmp/bar:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir,"
|
|
||||||
+ "/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -1420,7 +1408,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 14;
|
int expected = 13;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -1437,18 +1425,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/tmp/foo:/tmp/foo:rw,/tmp/bar:/tmp/bar:rw",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir,"
|
|
||||||
+ "/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter));
|
dockerCommands.get(counter));
|
||||||
|
@ -2005,7 +1992,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files.readAllLines(Paths.get
|
List<String> dockerCommands = Files.readAllLines(Paths.get
|
||||||
(dockerCommandFile), Charset.forName("UTF-8"));
|
(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -2022,18 +2009,17 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro,"
|
||||||
|
+ "/source/path:/destination/path:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir,"
|
|
||||||
+ "/source/path:/destination/path",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
|
|
||||||
// Verify volume-driver is set to expected value.
|
// Verify volume-driver is set to expected value.
|
||||||
|
@ -2146,7 +2132,7 @@ public class TestDockerContainerRuntime {
|
||||||
List<String> dockerCommands = Files
|
List<String> dockerCommands = Files
|
||||||
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
.readAllLines(Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
int expected = 15;
|
int expected = 14;
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
Assert.assertEquals(expected, dockerCommands.size());
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
Assert.assertEquals("[docker-command-execution]",
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
@ -2165,17 +2151,16 @@ public class TestDockerContainerRuntime {
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" mounts="
|
||||||
|
+ "/test_container_log_dir:/test_container_log_dir:rw,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir:rw,"
|
||||||
|
+ "/test_filecache_dir:/test_filecache_dir:ro,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir:ro",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(
|
Assert.assertEquals(
|
||||||
" name=container_e11_1518975676334_14532816_01_000001",
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
|
||||||
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(
|
|
||||||
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
|
||||||
+ "/test_application_local_dir:/test_application_local_dir",
|
|
||||||
dockerCommands.get(counter++));
|
|
||||||
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
Assert.assertEquals(" workdir=/test_container_work_dir",
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
dockerCommands.get(counter++));
|
dockerCommands.get(counter++));
|
||||||
|
|
|
@ -196,7 +196,7 @@ public class TestNvidiaDockerV1CommandPlugin {
|
||||||
// Volume driver should not be included by final commandline
|
// Volume driver should not be included by final commandline
|
||||||
Assert.assertFalse(newCommandLine.containsKey("volume-driver"));
|
Assert.assertFalse(newCommandLine.containsKey("volume-driver"));
|
||||||
Assert.assertTrue(newCommandLine.containsKey("devices"));
|
Assert.assertTrue(newCommandLine.containsKey("devices"));
|
||||||
Assert.assertTrue(newCommandLine.containsKey("ro-mounts"));
|
Assert.assertTrue(newCommandLine.containsKey("mounts"));
|
||||||
|
|
||||||
/* Test get docker volume command */
|
/* Test get docker volume command */
|
||||||
commandPlugin = new MyNvidiaDockerV1CommandPlugin(conf);
|
commandPlugin = new MyNvidiaDockerV1CommandPlugin(conf);
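Review bot: The new assertion `Assert.assertTrue(newCommandLine.containsKey("mounts"));` no longer shows that the plugin's volume is mounted read-only. Under the old `ro-mounts` key the access mode was implied by the key itself, whereas in the merged `mounts` list it is carried only by each entry's `:ro`/`:rw` suffix, as the `mounts=` expectations in TestDockerContainerRuntime on this page show. A regression that emitted the driver volume as `:rw` would therefore still pass this test. I would also assert on the value, for example that every entry stored under `mounts` ends with `:ro`; the value type of `newCommandLine` is not visible here, so the exact accessor needs checking. The enclosing test method begins and ends outside this hunk.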
|
||||||
|
|
|
@ -304,7 +304,7 @@ environment variables in the application's environment:
|
||||||
| `YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_NETWORK` | Sets the network type to be used by the Docker container. It must be a valid value as determined by the yarn.nodemanager.runtime.linux.docker.allowed-container-networks property. |
|
| `YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_NETWORK` | Sets the network type to be used by the Docker container. It must be a valid value as determined by the yarn.nodemanager.runtime.linux.docker.allowed-container-networks property. |
|
||||||
| `YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE` | Controls which PID namespace will be used by the Docker container. By default, each Docker container has its own PID namespace. To share the namespace of the host, the yarn.nodemanager.runtime.linux.docker.host-pid-namespace.allowed property must be set to true. If the host PID namespace is allowed and this environment variable is set to host, the Docker container will share the host's PID namespace. No other value is allowed. |
|
| `YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE` | Controls which PID namespace will be used by the Docker container. By default, each Docker container has its own PID namespace. To share the namespace of the host, the yarn.nodemanager.runtime.linux.docker.host-pid-namespace.allowed property must be set to true. If the host PID namespace is allowed and this environment variable is set to host, the Docker container will share the host's PID namespace. No other value is allowed. |
|
||||||
| `YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER` | Controls whether the Docker container is a privileged container. In order to use privileged containers, the yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed property must be set to true, and the application owner must appear in the value of the yarn.nodemanager.runtime.linux.docker.privileged-containers.acl property. If this environment variable is set to true, a privileged Docker container will be used if allowed. No other value is allowed, so the environment variable should be left unset rather than setting it to false. |
|
| `YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER` | Controls whether the Docker container is a privileged container. In order to use privileged containers, the yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed property must be set to true, and the application owner must appear in the value of the yarn.nodemanager.runtime.linux.docker.privileged-containers.acl property. If this environment variable is set to true, a privileged Docker container will be used if allowed. No other value is allowed, so the environment variable should be left unset rather than setting it to false. |
|
||||||
| `YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS` | Adds additional volume mounts to the Docker container. The value of the environment variable should be a comma-separated list of mounts. All such mounts must be given as "source:dest:mode" and the mode must be "ro" (read-only) or "rw" (read-write) to specify the type of access being requested. The requested mounts will be validated by container-executor based on the values set in container-executor.cfg for docker.allowed.ro-mounts and docker.allowed.rw-mounts. |
|
| `YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS` | Adds additional volume mounts to the Docker container. The value of the environment variable should be a comma-separated list of mounts. All such mounts must be given as `source:dest[:mode]` and the mode must be "ro" (read-only) or "rw" (read-write) to specify the type of access being requested. If neither is specified, read-write will be assumed. The mode may include a bind propagation option. In that case, the mode should either be of the form `[option]`, `rw+[option]`, or `ro+[option]`. Valid bind propagation options are shared, rshared, slave, rslave, private, and rprivate. The requested mounts will be validated by container-executor based on the values set in container-executor.cfg for `docker.allowed.ro-mounts` and `docker.allowed.rw-mounts`. |
|
||||||
| `YARN_CONTAINER_RUNTIME_DOCKER_DELAYED_REMOVAL` | Allows a user to request delayed deletion of the Docker container on a per container basis. If true, Docker containers will not be removed until the duration defined by yarn.nodemanager.delete.debug-delay-sec has elapsed. Administrators can disable this feature through the yarn-site property yarn.nodemanager.runtime.linux.docker.delayed-removal.allowed. This feature is disabled by default. When this feature is disabled or set to false, the container will be removed as soon as it exits. |
|
| `YARN_CONTAINER_RUNTIME_DOCKER_DELAYED_REMOVAL` | Allows a user to request delayed deletion of the Docker container on a per container basis. If true, Docker containers will not be removed until the duration defined by yarn.nodemanager.delete.debug-delay-sec has elapsed. Administrators can disable this feature through the yarn-site property yarn.nodemanager.runtime.linux.docker.delayed-removal.allowed. This feature is disabled by default. When this feature is disabled or set to false, the container will be removed as soon as it exits. |
|
||||||
|
|
||||||
The first two are required. The remainder can be set as needed. While
|
The first two are required. The remainder can be set as needed. While
|
||||||
|
@ -347,10 +347,13 @@ supplied by the user must either match or be a child of the specified
|
||||||
directory.
|
directory.
|
||||||
|
|
||||||
The user supplied mount list is defined as a comma separated list in the form
|
The user supplied mount list is defined as a comma separated list in the form
|
||||||
*source*:*destination*:*mode*. The source is the file or directory on the host.
|
*source*:*destination* or *source*:*destination*:*mode*. The source is the file
|
||||||
The destination is the path within the contatiner where the source will be bind
|
or directory on the host. The destination is the path within the container
|
||||||
mounted. The mode defines the mode the user expects for the mount, which can be
|
where the source will be bind mounted. The mode defines the mode the user
|
||||||
ro (read-only) or rw (read-write).
|
expects for the mount, which can be ro (read-only) or rw (read-write). If not
|
||||||
|
specified, rw is assumed. The mode may also include a bind propagation option
|
||||||
|
(shared, rshared, slave, rslave, private, or rprivate). In that case, the
|
||||||
|
mode should be of the form *option*, rw+*option*, or ro+*option*.
|
||||||
|
|
||||||
The following example outlines how to use this feature to mount the commonly
|
The following example outlines how to use this feature to mount the commonly
|
||||||
needed /sys/fs/cgroup directory into the container running on YARN.
|
needed /sys/fs/cgroup directory into the container running on YARN.
|
||||||
|
|