YARN-8927. Added support for top level Dockerhub images to trusted registry using library keyword.
Contributed by Zhankun Tang
parent
de934ba2dc
commit
7c1b561e33
|
@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct
|
|||
int found = 0;
|
||||
int i = 0;
|
||||
int ret = 0;
|
||||
int no_registry_prefix_in_image_name = 0;
|
||||
char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
|
||||
char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
|
||||
char *registry_ptr = NULL;
|
||||
|
@ -120,8 +121,20 @@ int check_trusted_image(const struct configuration *command_config, const struct
|
|||
ret = INVALID_DOCKER_IMAGE_NAME;
|
||||
goto free_and_exit;
|
||||
}
|
||||
if (strchr(image_name, '/') == NULL) {
|
||||
no_registry_prefix_in_image_name = 1;
|
||||
}
|
||||
if (privileged_registry != NULL) {
|
||||
for (i = 0; privileged_registry[i] != NULL; i++) {
|
||||
// "library" means we trust public top
|
||||
if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) {
|
||||
if (no_registry_prefix_in_image_name) {
|
||||
// if image doesn't exists, docker pull will automatically happen
|
||||
found = 1;
|
||||
fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name);
|
||||
break;
|
||||
}
|
||||
}
|
||||
int len = strlen(privileged_registry[i]);
|
||||
if (privileged_registry[i][len - 1] != '/') {
|
||||
registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));
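Review bot: The added check `strncmp(privileged_registry[i], "library", strlen("library")) == 0` is a prefix match, so any `docker.trusted.registries` entry that merely begins with `library` (constructed example: `library-mirror.example`) would also mark every image name without a `/` as trusted. An exact comparison keeps the keyword from widening trust by accident: `if (strcmp(privileged_registry[i], "library") == 0) {`. The comment above the check is cut off mid-sentence; something like `// "library" means top-level Docker Hub images (names with no '/') are trusted` would state the rule. The body of check_trusted_image starts and ends outside these hunks, so how `found` is consumed, and whether an empty registry entry can reach `privileged_registry[i][len - 1]`, cannot be confirmed from here.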
|
||||
|
|
|
@ -1921,4 +1921,45 @@ namespace ContainerExecutor {
|
|||
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
|
||||
free_configuration(&container_executor_cfg);
|
||||
}
|
||||
|
||||
TEST_F(TestDockerUtil, test_trusted_top_level_image) {
|
||||
struct configuration container_cfg, cmd_cfg;
|
||||
std::string container_executor_contents = "[docker]\n"
|
||||
" docker.trusted.registries=library\n";
|
||||
write_file(container_executor_cfg_file, container_executor_contents);
|
||||
int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
|
||||
if (ret != 0) {
|
||||
FAIL();
|
||||
}
|
||||
ret = create_ce_file();
|
||||
if (ret != 0) {
|
||||
std::cerr << "Could not create ce file, skipping test" << std::endl;
|
||||
return;
|
||||
}
|
||||
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" image=centos",
|
||||
"centos"));
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" image=ubuntu:latest",
|
||||
"centos"));
|
||||
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
||||
"[docker-command-execution]\n"
|
||||
" image=library/centos",
|
||||
"centos"));
|
||||
std::vector<std::pair<std::string, std::string> >::const_iterator itr;
|
||||
|
||||
for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
|
||||
write_command_file(itr->first);
|
||||
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
|
||||
if (ret != 0) {
|
||||
FAIL();
|
||||
}
|
||||
ret = check_trusted_image(&cmd_cfg, &container_cfg);
|
||||
ASSERT_EQ(0, ret);
|
||||
}
|
||||
free_configuration(&container_cfg);
|
||||
}
|
||||
}
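Review bot: test_trusted_top_level_image only asserts acceptance (`ASSERT_EQ(0, ret)` for `centos`, `ubuntu:latest` and `library/centos`), so it would still pass if the `library` keyword ended up trusting every image; a negative case is missing. A second loop over image names with a non-library prefix (constructed example: `image=someuser/centos`) asserting `ASSERT_NE(0, ret);` would pin the boundary of the new trust rule. Separately, `cmd_cfg` is re-read on every iteration and never released; `free_configuration(&cmd_cfg);` after the assertion would match how `container_cfg` is freed at the end of the test. The second element of each pair (`"centos"`) is never read by the loop.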
|
||||
|
|