YARN-5042. Mount /sys/fs/cgroup into Docker containers as read only mount. Contributed by luhuichun.
parent
79603f5882
commit
525d52bf7c
|
@ -447,7 +447,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
.detachOnRun()
|
.detachOnRun()
|
||||||
.setContainerWorkDir(containerWorkDir.toString())
|
.setContainerWorkDir(containerWorkDir.toString())
|
||||||
.setNetworkType(network)
|
.setNetworkType(network)
|
||||||
.setCapabilities(capabilities);
|
.setCapabilities(capabilities)
|
||||||
|
.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false);
|
||||||
List<String> allDirs = new ArrayList<>(containerLocalDirs);
|
List<String> allDirs = new ArrayList<>(containerLocalDirs);
|
||||||
|
|
||||||
allDirs.addAll(filecacheDirs);
|
allDirs.addAll(filecacheDirs);
|
||||||
|
@ -455,7 +456,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
allDirs.addAll(containerLogDirs);
|
allDirs.addAll(containerLogDirs);
|
||||||
allDirs.addAll(userLocalDirs);
|
allDirs.addAll(userLocalDirs);
|
||||||
for (String dir: allDirs) {
|
for (String dir: allDirs) {
|
||||||
runCommand.addMountLocation(dir, dir);
|
runCommand.addMountLocation(dir, dir, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
|
if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
|
||||||
|
@ -470,7 +471,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
}
|
}
|
||||||
String src = validateMount(dir[0], localizedResources);
|
String src = validateMount(dir[0], localizedResources);
|
||||||
String dst = dir[1];
|
String dst = dir[1];
|
||||||
runCommand.addMountLocation(src, dst + ":ro");
|
runCommand.addMountLocation(src, dst + ":ro", true);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
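Review bot: The new `.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false)` call is applied to every container with no configuration switch and no comment explaining why the mount is needed. Read-only prevents writes, but each container can still read the host's cgroup hierarchy, which may include names and accounting data of other containers on the node. I would add a comment at that line, e.g. `// read-only: lets in-container tooling read cgroup limits; skipped when the host path is absent`, and consider a NodeManager setting to disable it where it is not required. Separately, `dst + ":ro"` builds the mount mode by string concatenation and the visible lines call `validateMount` on `dir[0]` only, so it is worth confirming that a `dst` containing `:` is rejected before it reaches the `-v` argument. The enclosing method starts and ends outside these hunks.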
@ -22,6 +22,7 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime
|
||||||
|
|
||||||
import org.apache.hadoop.util.StringUtils;
|
import org.apache.hadoop.util.StringUtils;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
@ -59,7 +60,11 @@ public class DockerRunCommand extends DockerCommand {
|
||||||
}
|
}
|
||||||
|
|
||||||
public DockerRunCommand addMountLocation(String sourcePath, String
|
public DockerRunCommand addMountLocation(String sourcePath, String
|
||||||
destinationPath) {
|
destinationPath, boolean createSource) {
|
||||||
|
boolean sourceExists = new File(sourcePath).exists();
|
||||||
|
if (!sourceExists && !createSource) {
|
||||||
|
return this;
|
||||||
|
}
|
||||||
super.addCommandArguments("-v", sourcePath + ":" + destinationPath);
|
super.addCommandArguments("-v", sourcePath + ":" + destinationPath);
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
|
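Review bot: When the source is missing and `createSource` is false, `addMountLocation` returns without adding the mount and without recording that it did so. A node that lacks `/sys/fs/cgroup` will therefore launch containers with no cgroup mount, and nothing will show the operator why; log the skipped `sourcePath` before the early `return this;`. The parameter name is also misleading, since the method never creates anything and `true` only means the `-v` argument is emitted regardless; a Javadoc line such as `@param createSource if false, omit the mount when sourcePath does not exist on the host; if true, always emit it` would make that explicit. The `exists()` check runs when the command is built, not when Docker starts the container, so the result can be stale by then. Replacing the two-argument signature instead of overloading it breaks any caller not updated in this commit, which cannot be verified from this page.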
@ -276,6 +276,7 @@ public class TestDockerContainerRuntime {
|
||||||
.append("--workdir=%3$s ")
|
.append("--workdir=%3$s ")
|
||||||
.append("--net=host ")
|
.append("--net=host ")
|
||||||
.append(getExpectedTestCapabilitiesArgumentString())
|
.append(getExpectedTestCapabilitiesArgumentString())
|
||||||
|
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
|
||||||
.append("-v %4$s:%4$s ")
|
.append("-v %4$s:%4$s ")
|
||||||
.append("-v %5$s:%5$s ")
|
.append("-v %5$s:%5$s ")
|
||||||
.append("-v %6$s:%6$s ")
|
.append("-v %6$s:%6$s ")
|
||||||
|
@ -381,6 +382,7 @@ public class TestDockerContainerRuntime {
|
||||||
.append("--workdir=%3$s ")
|
.append("--workdir=%3$s ")
|
||||||
.append("--net=" + allowedNetwork + " ")
|
.append("--net=" + allowedNetwork + " ")
|
||||||
.append(getExpectedTestCapabilitiesArgumentString())
|
.append(getExpectedTestCapabilitiesArgumentString())
|
||||||
|
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
|
||||||
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
||||||
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
||||||
.append("-v %8$s:%8$s ").append("%9$s ")
|
.append("-v %8$s:%8$s ").append("%9$s ")
|
||||||
|
@ -435,6 +437,7 @@ public class TestDockerContainerRuntime {
|
||||||
.append("--workdir=%3$s ")
|
.append("--workdir=%3$s ")
|
||||||
.append("--net=" + customNetwork1 + " ")
|
.append("--net=" + customNetwork1 + " ")
|
||||||
.append(getExpectedTestCapabilitiesArgumentString())
|
.append(getExpectedTestCapabilitiesArgumentString())
|
||||||
|
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
|
||||||
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
||||||
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
||||||
.append("-v %8$s:%8$s ").append("%9$s ")
|
.append("-v %8$s:%8$s ").append("%9$s ")
|
||||||
|
@ -471,6 +474,7 @@ public class TestDockerContainerRuntime {
|
||||||
.append("--workdir=%3$s ")
|
.append("--workdir=%3$s ")
|
||||||
.append("--net=" + customNetwork2 + " ")
|
.append("--net=" + customNetwork2 + " ")
|
||||||
.append(getExpectedTestCapabilitiesArgumentString())
|
.append(getExpectedTestCapabilitiesArgumentString())
|
||||||
|
.append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
|
||||||
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
.append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
|
||||||
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
.append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
|
||||||
.append("-v %8$s:%8$s ").append("%9$s ")
|
.append("-v %8$s:%8$s ").append("%9$s ")
|
||||||
|
|
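Review bot: The four expected command strings (hunks at -276, -381, -435 and -471) now contain `-v /sys/fs/cgroup:/sys/fs/cgroup:ro` unconditionally, but the production code emits that argument only when `new File("/sys/fs/cgroup").exists()` is true on the machine running the test. These assertions will therefore fail on build hosts without that directory, such as non-Linux developer machines. Make the expected string depend on the same existence check, or make the check injectable so the test controls it. Nothing here covers the new skip path either: a case with a missing source and `createSource == false`, asserting that no `-v` argument is produced, would pin the behaviour this commit introduces.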