YARN-5042. Mount /sys/fs/cgroup into Docker containers as read only mount. Contributed by luhuichun.

This commit is contained in:
Varun Vasudev 2016-08-25 12:56:11 +05:30
parent 79603f5882
commit 525d52bf7c
3 changed files with 14 additions and 4 deletions

View File

@ -447,7 +447,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
.detachOnRun() .detachOnRun()
.setContainerWorkDir(containerWorkDir.toString()) .setContainerWorkDir(containerWorkDir.toString())
.setNetworkType(network) .setNetworkType(network)
.setCapabilities(capabilities); .setCapabilities(capabilities)
.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false);
List<String> allDirs = new ArrayList<>(containerLocalDirs); List<String> allDirs = new ArrayList<>(containerLocalDirs);
allDirs.addAll(filecacheDirs); allDirs.addAll(filecacheDirs);
@ -455,7 +456,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
allDirs.addAll(containerLogDirs); allDirs.addAll(containerLogDirs);
allDirs.addAll(userLocalDirs); allDirs.addAll(userLocalDirs);
for (String dir: allDirs) { for (String dir: allDirs) {
runCommand.addMountLocation(dir, dir); runCommand.addMountLocation(dir, dir, true);
} }
if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) { if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
@ -470,7 +471,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
} }
String src = validateMount(dir[0], localizedResources); String src = validateMount(dir[0], localizedResources);
String dst = dir[1]; String dst = dir[1];
runCommand.addMountLocation(src, dst + ":ro"); runCommand.addMountLocation(src, dst + ":ro", true);
} }
} }
} }

View File

@ -22,6 +22,7 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime
import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.util.StringUtils;
import java.io.File;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -59,7 +60,11 @@ public class DockerRunCommand extends DockerCommand {
} }
public DockerRunCommand addMountLocation(String sourcePath, String public DockerRunCommand addMountLocation(String sourcePath, String
destinationPath) { destinationPath, boolean createSource) {
boolean sourceExists = new File(sourcePath).exists();
if (!sourceExists && !createSource) {
return this;
}
super.addCommandArguments("-v", sourcePath + ":" + destinationPath); super.addCommandArguments("-v", sourcePath + ":" + destinationPath);
return this; return this;
} }

View File

@ -276,6 +276,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ") .append("--workdir=%3$s ")
.append("--net=host ") .append("--net=host ")
.append(getExpectedTestCapabilitiesArgumentString()) .append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ") .append("-v %4$s:%4$s ")
.append("-v %5$s:%5$s ") .append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ") .append("-v %6$s:%6$s ")
@ -381,6 +382,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ") .append("--workdir=%3$s ")
.append("--net=" + allowedNetwork + " ") .append("--net=" + allowedNetwork + " ")
.append(getExpectedTestCapabilitiesArgumentString()) .append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ") .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ") .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ") .append("-v %8$s:%8$s ").append("%9$s ")
@ -435,6 +437,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ") .append("--workdir=%3$s ")
.append("--net=" + customNetwork1 + " ") .append("--net=" + customNetwork1 + " ")
.append(getExpectedTestCapabilitiesArgumentString()) .append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ") .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ") .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ") .append("-v %8$s:%8$s ").append("%9$s ")
@ -471,6 +474,7 @@ public class TestDockerContainerRuntime {
.append("--workdir=%3$s ") .append("--workdir=%3$s ")
.append("--net=" + customNetwork2 + " ") .append("--net=" + customNetwork2 + " ")
.append(getExpectedTestCapabilitiesArgumentString()) .append(getExpectedTestCapabilitiesArgumentString())
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ") .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ") .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
.append("-v %8$s:%8$s ").append("%9$s ") .append("-v %8$s:%8$s ").append("%9$s ")