YARN-5042. Mount /sys/fs/cgroup into Docker containers as read only mount. Contributed by luhuichun.

Varun Vasudev 2016-08-25 12:56:11 +05:30
parent 79603f5882
commit 525d52bf7c
3 changed files with 14 additions and 4 deletions


@ -447,7 +447,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
.detachOnRun()
.setContainerWorkDir(containerWorkDir.toString())
.setNetworkType(network)
.setCapabilities(capabilities);
.setCapabilities(capabilities)
.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false);
List<String> allDirs = new ArrayList<>(containerLocalDirs);
allDirs.addAll(filecacheDirs);
@ -455,7 +456,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
allDirs.addAll(containerLogDirs);
allDirs.addAll(userLocalDirs);
for (String dir: allDirs) {
runCommand.addMountLocation(dir, dir);
runCommand.addMountLocation(dir, dir, true);
}
if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
@ -470,7 +471,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
}
String src = validateMount(dir[0], localizedResources);
String dst = dir[1];
runCommand.addMountLocation(src, dst + ":ro");
runCommand.addMountLocation(src, dst + ":ro", true);
}
}
}
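Review bot: The new `.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false)` call in the first hunk is unconditional, so every Docker container launched through this runtime gets a read-only view of the host's cgroup tree, and nothing visible here lets an operator turn it off. Read-only prevents writes, but a container can still read the hierarchy, which on a multi-tenant node presumably includes the cgroup names and accounting files of other containers. Consider gating the mount behind a NodeManager setting, or at least documenting the exposure with a comment such as `// Host cgroup tree is mounted read-only; its contents stay readable to the container.` The path literal is also written out twice, as source and as destination, and would read better as one named constant. The enclosing method starts and ends outside these hunks.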


@ -22,6 +22,7 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime
import org.apache.hadoop.util.StringUtils;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
@ -59,7 +60,11 @@ public class DockerRunCommand extends DockerCommand {
}
public DockerRunCommand addMountLocation(String sourcePath, String
destinationPath) {
destinationPath, boolean createSource) {
boolean sourceExists = new File(sourcePath).exists();
if (!sourceExists && !createSource) {
return this;
}
super.addCommandArguments("-v", sourcePath + ":" + destinationPath);
return this;
}
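Review bot: `addMountLocation` now drops the mount silently when the source is missing and `createSource` is false, so a container that was expected to have the mount starts without it and the operator has no trace of why. A Javadoc comment should state the contract, for example `@param createSource if false, the mount is skipped when sourcePath does not exist on the host; if true, the -v argument is always emitted`. It should also say that the method itself never creates anything, which the parameter name suggests it does. The existence test also runs when its result cannot matter, and it is only a point-in-time check; `if (!createSource && !new File(sourcePath).exists()) { return this; }` keeps the behaviour and skips the unneeded filesystem call. The class body continues outside the hunk.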


@ -276,6 +276,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ")
.append("--net=host ")
.append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ")
.append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ")
@ -381,6 +382,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ")
.append("--net=" + allowedNetwork + " ")
.append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ")
@ -435,6 +437,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ")
.append("--net=" + customNetwork1 + " ")
.append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ")
@ -471,6 +474,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ")
.append("--net=" + customNetwork2 + " ")
.append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ")
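Review bot: All four expected command strings now contain `-v /sys/fs/cgroup:/sys/fs/cgroup:ro` unconditionally, but the code under test appears to emit that argument only when `/sys/fs/cgroup` exists on the machine running the test, because `createSource` is false for that mount. These tests would therefore fail on a host without that path, such as a non-Linux build machine. Neither branch of the new flag is exercised directly: there is no case for a missing source with `createSource` false, and none showing that a missing source is still mounted when it is true. Consider deriving the expected string from the same existence check, or adding a focused test of `DockerRunCommand.addMountLocation` against a temporary directory. The test methods start and end outside these hunks.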