YARN-11364. Docker Container to accept docker Image name with sha256 digest (#5092)
Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com> Reviewed-by: slfan1989 <55643692+slfan1989@users.noreply.github.com> Signed-off-by: Chris Nauroth <cnauroth@apache.org>
parent
69225ae5b9
commit
83acb55981
|
@ -208,6 +208,8 @@ public class DockerLinuxContainerRuntime extends OCIContainerRuntime {
|
||||||
private static final Pattern dockerImagePattern =
|
private static final Pattern dockerImagePattern =
|
||||||
Pattern.compile(DOCKER_IMAGE_PATTERN);
|
Pattern.compile(DOCKER_IMAGE_PATTERN);
|
||||||
|
|
||||||
|
private static final Pattern DOCKER_DIGEST_PATTERN = Pattern.compile("^sha256:[a-z0-9]{12,64}$");
|
||||||
|
|
||||||
private static final String DEFAULT_PROCFS = "/proc";
|
private static final String DEFAULT_PROCFS = "/proc";
|
||||||
|
|
||||||
@InterfaceAudience.Private
|
@InterfaceAudience.Private
|
||||||
|
@ -1201,9 +1203,17 @@ public class DockerLinuxContainerRuntime extends OCIContainerRuntime {
|
||||||
throw new ContainerExecutionException(
|
throw new ContainerExecutionException(
|
||||||
ENV_DOCKER_CONTAINER_IMAGE + " not set!");
|
ENV_DOCKER_CONTAINER_IMAGE + " not set!");
|
||||||
}
|
}
|
||||||
if (!dockerImagePattern.matcher(imageName).matches()) {
|
// check if digest is part of imageName, extract and validate it.
|
||||||
throw new ContainerExecutionException("Image name '" + imageName
|
String digest = null;
|
||||||
+ "' doesn't match docker image name pattern");
|
if (imageName.contains("@sha256")) {
|
||||||
|
String[] digestParts = imageName.split("@");
|
||||||
|
digest = digestParts[1];
|
||||||
|
imageName = digestParts[0];
|
||||||
|
}
|
||||||
|
if (!dockerImagePattern.matcher(imageName).matches() || (digest != null
|
||||||
|
&& !DOCKER_DIGEST_PATTERN.matcher(digest).matches())) {
|
||||||
|
throw new ContainerExecutionException(
|
||||||
|
"Image name '" + imageName + "' doesn't match docker image name pattern");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
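Review bot: Only `digestParts[1]` is validated after `imageName.split("@")` in the validateImageName hunk, so a value with a second `@` passes while everything after it goes unchecked, and a trailing `@` is dropped by `split` altogether. Because the parameter is only reassigned locally, the caller presumably still holds the full original string, so the unvalidated tail would travel with the image name into the docker command. Split with `imageName.split("@", -1)` and throw unless `digestParts.length == 2`. `DOCKER_DIGEST_PATTERN` is also looser than a sha256 digest, which is exactly 64 lowercase hex characters; `^sha256:[a-f0-9]{64}$` would reject truncated and non-hex values. The method begins outside the hunk.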
|
@ -2033,19 +2033,27 @@ public class TestDockerContainerRuntime {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testDockerImageNamePattern() throws Exception {
|
public void testDockerImageNamePattern() throws Exception {
|
||||||
String[] validNames =
|
String[] validNames = {"ubuntu", "fedora/httpd:version1.0", "fedora/httpd:version1.0.test",
|
||||||
{ "ubuntu", "fedora/httpd:version1.0",
|
"fedora/httpd:version1.0.TEST", "myregistryhost:5000/ubuntu",
|
||||||
"fedora/httpd:version1.0.test",
|
"myregistryhost:5000/fedora/httpd:version1.0",
|
||||||
"fedora/httpd:version1.0.TEST",
|
"myregistryhost:5000/fedora/httpd:version1.0.test",
|
||||||
"myregistryhost:5000/ubuntu",
|
"myregistryhost:5000/fedora/httpd:version1.0.TEST",
|
||||||
"myregistryhost:5000/fedora/httpd:version1.0",
|
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
|
||||||
"myregistryhost:5000/fedora/httpd:version1.0.test",
|
+ "@sha256:f1d4ae3f7261a72e98c6ebefe9985cf10a0ea5bd762585a43e0700ed99863807"};
|
||||||
"myregistryhost:5000/fedora/httpd:version1.0.TEST"};
|
|
||||||
|
|
||||||
String[] invalidNames = { "Ubuntu", "ubuntu || fedora", "ubuntu#",
|
String[] invalidNames = {"Ubuntu", "ubuntu || fedora", "ubuntu#", "myregistryhost:50AB0/ubuntu",
|
||||||
"myregistryhost:50AB0/ubuntu", "myregistry#host:50AB0/ubuntu",
|
"myregistry#host:50AB0/ubuntu", ":8080/ubuntu",
|
||||||
":8080/ubuntu"
|
|
||||||
};
|
// Invalid: contains "@sha256" but doesn't really contain a digest.
|
||||||
|
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example@sha256",
|
||||||
|
|
||||||
|
// Invalid: digest is too short.
|
||||||
|
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
|
||||||
|
+ "@sha256:f1d4",
|
||||||
|
|
||||||
|
// Invalid: digest is too long
|
||||||
|
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
|
||||||
|
+ "@sha256:f1d4ae3f7261a72e98c6ebefe9985cf10a0ea5bd762585a43e0700ed99863807f"};
|
||||||
|
|
||||||
for (String name : validNames) {
|
for (String name : validNames) {
|
||||||
DockerLinuxContainerRuntime.validateImageName(name);
|
DockerLinuxContainerRuntime.validateImageName(name);
|
||||||
|
|
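Review bot: The `invalidNames` cases in testDockerImageNamePattern cover a missing, a too-short and a too-long digest, but none has more than one `@` or non-hex characters in the digest. The 12-character lower bound of the digest pattern is not exercised either. Adding an entry such as `"ubuntu@sha256:<64 hex chars>@extra"` (constructed example) to `invalidNames` would pin how the validator treats anything after the digest. The test method continues past the end of the hunk.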