YARN-8927. Added support for top level Dockerhub images to trusted registry using library keyword.

Contributed by Zhankun Tang
This commit is contained in:
Eric Yang 2019-02-15 11:18:07 -05:00
parent de934ba2dc
commit 7c1b561e33
2 changed files with 54 additions and 0 deletions

View File

@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct
int found = 0; int found = 0;
int i = 0; int i = 0;
int ret = 0; int ret = 0;
int no_registry_prefix_in_image_name = 0;
char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config); char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ","); char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
char *registry_ptr = NULL; char *registry_ptr = NULL;
@ -120,8 +121,20 @@ int check_trusted_image(const struct configuration *command_config, const struct
ret = INVALID_DOCKER_IMAGE_NAME; ret = INVALID_DOCKER_IMAGE_NAME;
goto free_and_exit; goto free_and_exit;
} }
if (strchr(image_name, '/') == NULL) {
no_registry_prefix_in_image_name = 1;
}
if (privileged_registry != NULL) { if (privileged_registry != NULL) {
for (i = 0; privileged_registry[i] != NULL; i++) { for (i = 0; privileged_registry[i] != NULL; i++) {
// "library" means we trust public top
if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) {
if (no_registry_prefix_in_image_name) {
// if image doesn't exists, docker pull will automatically happen
found = 1;
fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name);
break;
}
}
int len = strlen(privileged_registry[i]); int len = strlen(privileged_registry[i]);
if (privileged_registry[i][len - 1] != '/') { if (privileged_registry[i][len - 1] != '/') {
registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char)); registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));

View File

@ -1921,4 +1921,45 @@ namespace ContainerExecutor {
run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command); run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
free_configuration(&container_executor_cfg); free_configuration(&container_executor_cfg);
} }
TEST_F(TestDockerUtil, test_trusted_top_level_image) {
struct configuration container_cfg, cmd_cfg;
std::string container_executor_contents = "[docker]\n"
" docker.trusted.registries=library\n";
write_file(container_executor_cfg_file, container_executor_contents);
int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
if (ret != 0) {
FAIL();
}
ret = create_ce_file();
if (ret != 0) {
std::cerr << "Could not create ce file, skipping test" << std::endl;
return;
}
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" image=centos",
"centos"));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" image=ubuntu:latest",
"centos"));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n"
" image=library/centos",
"centos"));
std::vector<std::pair<std::string, std::string> >::const_iterator itr;
for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
write_command_file(itr->first);
ret = read_config(docker_command_file.c_str(), &cmd_cfg);
if (ret != 0) {
FAIL();
}
ret = check_trusted_image(&cmd_cfg, &container_cfg);
ASSERT_EQ(0, ret);
}
free_configuration(&container_cfg);
}
} }