diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 49448217e9c..eb3afeaa74d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -1464,6 +1464,23 @@ public class YarnConfiguration extends Configuration { /** Prefix for runtime configuration constants. */ public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX + "runtime.linux."; + + /** + * Comma separated list of runtimes that are allowed when using + * LinuxContainerExecutor. The allowed values are: + * + */ + public static final String LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES = + LINUX_CONTAINER_RUNTIME_PREFIX + "allowed-runtimes"; + + /** The default list of allowed runtimes when using LinuxContainerExecutor. */ + public static final String[] DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + = {"default"}; + public static final String DOCKER_CONTAINER_RUNTIME_PREFIX = LINUX_CONTAINER_RUNTIME_PREFIX + "docker."; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 0cad1672ba9..afde222c54b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml @@ -1571,6 +1571,14 @@ false + + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. The allowed values are default, docker, and + javasandbox. + yarn.nodemanager.runtime.linux.allowed-runtimes + default + + This configuration setting determines the capabilities assigned to docker containers when they are launched. While these may not diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java index b6fb4ecf47d..072cca7a3f6 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java @@ -51,6 +51,7 @@ import org.apache.hadoop.yarn.exceptions.ConfigurationException; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerPrepareContext; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext; @@ -663,7 +664,8 @@ public abstract class ContainerExecutor implements Configurable { } // LinuxContainerExecutor overrides this method and behaves differently. - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return getLocalIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java index dc686801424..2971f83d3dc 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java @@ -625,7 +625,8 @@ public class LinuxContainerExecutor extends ContainerExecutor { } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return linuxContainerRuntime.getIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java index 52733344199..9fe4927b6e3 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java @@ -20,9 +20,11 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; +import com.google.common.annotations.VisibleForTesting; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor; import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; @@ -31,6 +33,7 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.Contai import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.EnumSet; import java.util.Map; /** @@ -50,34 +53,62 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime; private DockerLinuxContainerRuntime dockerLinuxContainerRuntime; private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime; + private EnumSet allowedRuntimes = + EnumSet.noneOf(LinuxContainerRuntimeConstants.RuntimeType.class); @Override public void initialize(Configuration conf) throws ContainerExecutionException { - PrivilegedOperationExecutor privilegedOperationExecutor = - PrivilegedOperationExecutor.getInstance(conf); - defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( - privilegedOperationExecutor); - defaultLinuxContainerRuntime.initialize(conf); - dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( - privilegedOperationExecutor); - dockerLinuxContainerRuntime.initialize(conf); - javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime( - privilegedOperationExecutor); - javaSandboxLinuxContainerRuntime.initialize(conf); + String[] configuredRuntimes = conf.getTrimmedStrings( + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES); + for (String configuredRuntime : configuredRuntimes) { + try { + allowedRuntimes.add( + LinuxContainerRuntimeConstants.RuntimeType.valueOf( + configuredRuntime.toUpperCase())); + } catch (IllegalArgumentException e) { + throw new ContainerExecutionException("Invalid runtime set in " + + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + " : " + + configuredRuntime); + } + } + if (isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)) { + javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime( + PrivilegedOperationExecutor.getInstance(conf)); + javaSandboxLinuxContainerRuntime.initialize(conf); + } + if (isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)) { + dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( + PrivilegedOperationExecutor.getInstance(conf)); + dockerLinuxContainerRuntime.initialize(conf); + } + if (isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)) { + defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( + PrivilegedOperationExecutor.getInstance(conf)); + defaultLinuxContainerRuntime.initialize(conf); + } } - private LinuxContainerRuntime pickContainerRuntime( - Map environment){ + @VisibleForTesting + LinuxContainerRuntime pickContainerRuntime( + Map environment) throws ContainerExecutionException { LinuxContainerRuntime runtime; //Sandbox checked first to ensure DockerRuntime doesn't circumvent controls - if (javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){ - runtime = javaSandboxLinuxContainerRuntime; - } else if (DockerLinuxContainerRuntime - .isDockerContainerRequested(environment)){ + if (javaSandboxLinuxContainerRuntime != null && + javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){ + runtime = javaSandboxLinuxContainerRuntime; + } else if (dockerLinuxContainerRuntime != null && + DockerLinuxContainerRuntime.isDockerContainerRequested(environment)){ runtime = dockerLinuxContainerRuntime; - } else { + } else if (defaultLinuxContainerRuntime != null && + !DockerLinuxContainerRuntime.isDockerContainerRequested(environment)) { runtime = defaultLinuxContainerRuntime; + } else { + throw new ContainerExecutionException("Requested runtime not allowed."); } if (LOG.isDebugEnabled()) { @@ -88,7 +119,8 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { return runtime; } - private LinuxContainerRuntime pickContainerRuntime(Container container) { + private LinuxContainerRuntime pickContainerRuntime(Container container) + throws ContainerExecutionException { return pickContainerRuntime(container.getLaunchContext().getEnvironment()); } @@ -127,8 +159,15 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { LinuxContainerRuntime runtime = pickContainerRuntime(container); return runtime.getIpAndHost(container); } + + @VisibleForTesting + boolean isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType runtimeType) { + return allowedRuntimes.contains(runtimeType); + } } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java index 2e632faccc1..3a47523ba12 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java @@ -31,6 +31,15 @@ public final class LinuxContainerRuntimeConstants { private LinuxContainerRuntimeConstants() { } + /** + * Linux container runtime types for {@link DelegatingLinuxContainerRuntime}. + */ + public enum RuntimeType { + DEFAULT, + DOCKER, + JAVASANDBOX; + } + public static final Attribute LOCALIZED_RESOURCES = Attribute .attribute(Map.class, "localized_resources"); public static final Attribute CONTAINER_LAUNCH_PREFIX_COMMANDS = diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java index d764e1dd498..2b99cc7254b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java @@ -38,6 +38,7 @@ import org.apache.hadoop.yarn.server.nodemanager.Context; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerKillEvent; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.util.ResourceCalculatorPlugin; @@ -502,7 +503,8 @@ public class ContainersMonitorImpl extends AbstractService implements * @param entry process tree entry to fill in */ private void initializeProcessTrees( - Entry entry) { + Entry entry) + throws ContainerExecutionException { ContainerId containerId = entry.getKey(); ProcessTreeInfo ptInfo = entry.getValue(); String pId = ptInfo.getPID(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java index b15690f808d..7caa0edf4de 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java @@ -77,6 +77,10 @@ public interface ContainerRuntime { /** * Return the host and ip of the container + * + * @param container the {@link Container} + * @throws ContainerExecutionException if an error occurs while getting the ip + * and hostname */ - String[] getIpAndHost(Container container); + String[] getIpAndHost(Container container) throws ContainerExecutionException; } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java new file mode 100644 index 00000000000..7f4bbc4d375 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java @@ -0,0 +1,137 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.yarn.conf.YarnConfiguration; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants; +import org.junit.Before; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.*; + +/** + * Test container runtime delegation. + */ +public class TestDelegatingLinuxContainerRuntime { + + private DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime; + private Configuration conf; + private Map env = new HashMap<>(); + + @Before + public void setUp() throws Exception { + delegatingLinuxContainerRuntime = new DelegatingLinuxContainerRuntime(); + conf = new Configuration(); + env.clear(); + } + + @Test + public void testIsRuntimeAllowedDefault() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES[0]); + System.out.println(conf.get( + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES)); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)); + } + + @Test + public void testIsRuntimeAllowedDocker() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "docker"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)); + } + + @Test + public void testIsRuntimeAllowedJavaSandbox() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "javasandbox"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + } + + @Test + public void testIsRuntimeAllowedMultiple() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "docker,javasandbox"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + } + + @Test + public void testIsRuntimeAllowedAll() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "default,docker,javasandbox"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)); + } + + @Test + public void testJavaSandboxNotAllowedButPermissive() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "default,docker"); + conf.set(YarnConfiguration.YARN_CONTAINER_SANDBOX, "permissive"); + delegatingLinuxContainerRuntime.initialize(conf); + ContainerRuntime runtime = + delegatingLinuxContainerRuntime.pickContainerRuntime(env); + assertTrue(runtime instanceof DefaultLinuxContainerRuntime); + } + + @Test + public void testJavaSandboxNotAllowedButPermissiveDockerRequested() + throws Exception { + env.put(ContainerRuntimeConstants.ENV_CONTAINER_TYPE, "docker"); + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "default,docker"); + conf.set(YarnConfiguration.YARN_CONTAINER_SANDBOX, "permissive"); + delegatingLinuxContainerRuntime.initialize(conf); + ContainerRuntime runtime = + delegatingLinuxContainerRuntime.pickContainerRuntime(env); + assertTrue(runtime instanceof DockerLinuxContainerRuntime); + } +} \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md index 4de0a6ae489..bf94169f619 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md @@ -71,68 +71,83 @@ request. For example: The following properties should be set in yarn-site.xml: ```xml - - yarn.nodemanager.container-executor.class - org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor - - This is the container executor setting that ensures that all applications - are started with the LinuxContainerExecutor. - - + + + yarn.nodemanager.container-executor.class + org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor + + This is the container executor setting that ensures that all applications + are started with the LinuxContainerExecutor. + + - - yarn.nodemanager.linux-container-executor.group - hadoop - - The POSIX group of the NodeManager. It should match the setting in - "container-executor.cfg". This configuration is required for validating - the secure access of the container-executor binary. - - + + yarn.nodemanager.linux-container-executor.group + hadoop + + The POSIX group of the NodeManager. It should match the setting in + "container-executor.cfg". This configuration is required for validating + the secure access of the container-executor binary. + + - - yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users - false - - Whether all applications should be run as the NodeManager process' owner. - When false, applications are launched instead as the application owner. - - + + yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users + false + + Whether all applications should be run as the NodeManager process' owner. + When false, applications are launched instead as the application owner. + + - - yarn.nodemanager.runtime.linux.docker.allowed-container-networks - host,none,bridge - - Optional. A comma-separated set of networks allowed when launching - containers. Valid values are determined by Docker networks available from - `docker network ls` - - + + yarn.nodemanager.runtime.linux.allowed-runtimes + default,docker + + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. The allowed values are default, docker, and + javasandbox. + + - - The network used when launching Docker containers when no - network is specified in the request. This network must be one of the - (configurable) set of allowed container networks. - yarn.nodemanager.runtime.linux.docker.default-container-network - host - + + yarn.nodemanager.runtime.linux.docker.allowed-container-networks + host,none,bridge + + Optional. A comma-separated set of networks allowed when launching + containers. Valid values are determined by Docker networks available from + `docker network ls` + + - - yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed - false - - Optional. Whether applications are allowed to run in privileged containers. - - + + yarn.nodemanager.runtime.linux.docker.default-container-network + host + + The network used when launching Docker containers when no + network is specified in the request. This network must be one of the + (configurable) set of allowed container networks. + + - - yarn.nodemanager.runtime.linux.docker.privileged-containers.acl - - - Optional. A comma-separated list of users who are allowed to request - privileged contains if privileged containers are allowed. - - + + yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed + false + + Optional. Whether applications are allowed to run in privileged + containers. + + + + + yarn.nodemanager.runtime.linux.docker.privileged-containers.acl + + + Optional. A comma-separated list of users who are allowed to request + privileged contains if privileged containers are allowed. + + + ``` In addition, a container-executer.cfg file must exist and contain settings for