YARN-9561. Add C changes for the new RuncContainerRuntime. Contributed by Eric Badger

This commit is contained in:
Eric Badger 2019-12-09 01:11:43 +00:00
parent ab2cc5ac92
commit 8dffd8dc89
27 changed files with 8483 additions and 141 deletions

View File

@ -256,3 +256,26 @@ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/st
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jt/jquery.jstree.js hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jt/jquery.jstree.js
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL
=======
For hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON.[ch]:
Copyright (c) 2009-2017 Dave Gamble and cJSON contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

View File

@ -16,12 +16,15 @@
cmake_minimum_required(VERSION 3.1 FATAL_ERROR) cmake_minimum_required(VERSION 3.1 FATAL_ERROR)
list(APPEND CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common) set(HADOOP_COMMON_PATH ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common)
list(APPEND CMAKE_MODULE_PATH ${HADOOP_COMMON_PATH})
include(HadoopCommon) include(HadoopCommon)
# Set gtest path # Set gtest path
set(GTEST_SRC_DIR ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common/src/main/native/gtest) set(GTEST_SRC_DIR ${CMAKE_SOURCE_DIR}/../../../../../hadoop-common-project/hadoop-common/src/main/native/gtest)
set(HADOOP_COMMON_SEC_PATH ${HADOOP_COMMON_PATH}/src/main/native/src/org/apache/hadoop/security)
# determine if container-executor.conf.dir is an absolute # determine if container-executor.conf.dir is an absolute
# path in case the OS we're compiling on doesn't have # path in case the OS we're compiling on doesn't have
# a hook in get_executable. We'll use this define # a hook in get_executable. We'll use this define
@ -115,6 +118,7 @@ include_directories(
main/native/container-executor main/native/container-executor
main/native/container-executor/impl main/native/container-executor/impl
main/native/oom-listener/impl main/native/oom-listener/impl
${HADOOP_COMMON_SEC_PATH}
) )
# add gtest as system library to suppress gcc warnings # add gtest as system library to suppress gcc warnings
include_directories(SYSTEM ${GTEST_SRC_DIR}/include) include_directories(SYSTEM ${GTEST_SRC_DIR}/include)
@ -129,6 +133,7 @@ add_library(container
main/native/container-executor/impl/configuration.c main/native/container-executor/impl/configuration.c
main/native/container-executor/impl/container-executor.c main/native/container-executor/impl/container-executor.c
main/native/container-executor/impl/get_executable.c main/native/container-executor/impl/get_executable.c
main/native/container-executor/impl/utils/file-utils.c
main/native/container-executor/impl/utils/string-utils.c main/native/container-executor/impl/utils/string-utils.c
main/native/container-executor/impl/utils/path-utils.c main/native/container-executor/impl/utils/path-utils.c
main/native/container-executor/impl/modules/cgroups/cgroups-operations.c main/native/container-executor/impl/modules/cgroups/cgroups-operations.c
@ -138,6 +143,14 @@ add_library(container
main/native/container-executor/impl/modules/devices/devices-module.c main/native/container-executor/impl/modules/devices/devices-module.c
main/native/container-executor/impl/utils/docker-util.c main/native/container-executor/impl/utils/docker-util.c
main/native/container-executor/impl/utils/mount-utils.c main/native/container-executor/impl/utils/mount-utils.c
main/native/container-executor/impl/utils/cJSON/cJSON.c
main/native/container-executor/impl/runc/runc.c
main/native/container-executor/impl/runc/runc_base_ctx.c
main/native/container-executor/impl/runc/runc_launch_cmd.c
main/native/container-executor/impl/runc/runc_reap.c
main/native/container-executor/impl/runc/runc_write_config.c
${HADOOP_COMMON_SEC_PATH}/hadoop_user_info.c
${HADOOP_COMMON_SEC_PATH}/hadoop_group_info.c
) )
add_executable(container-executor add_executable(container-executor
@ -146,6 +159,7 @@ add_executable(container-executor
target_link_libraries(container-executor target_link_libraries(container-executor
container container
crypto
) )
output_directory(container-executor target/usr/local/bin) output_directory(container-executor target/usr/local/bin)
@ -155,7 +169,9 @@ add_executable(test-container-executor
main/native/container-executor/test/test-container-executor.c main/native/container-executor/test/test-container-executor.c
) )
target_link_libraries(test-container-executor target_link_libraries(test-container-executor
container ${EXTRA_LIBS} container
${EXTRA_LIBS}
crypto
) )
output_directory(test-container-executor target/usr/local/bin) output_directory(test-container-executor target/usr/local/bin)
@ -173,8 +189,15 @@ add_executable(cetest
main/native/container-executor/test/modules/fpga/test-fpga-module.cc main/native/container-executor/test/modules/fpga/test-fpga-module.cc
main/native/container-executor/test/modules/devices/test-devices-module.cc main/native/container-executor/test/modules/devices/test-devices-module.cc
main/native/container-executor/test/test_util.cc main/native/container-executor/test/test_util.cc
main/native/container-executor/test/utils/test_docker_util.cc) main/native/container-executor/test/utils/test_docker_util.cc
target_link_libraries(cetest gtest container) main/native/container-executor/test/utils/test_runc_util.cc
)
target_link_libraries(cetest
gtest
container
crypto
)
output_directory(cetest test) output_directory(cetest test)
# CGroup OOM listener # CGroup OOM listener

View File

@ -21,6 +21,7 @@
#include "utils/docker-util.h" #include "utils/docker-util.h"
#include "utils/path-utils.h" #include "utils/path-utils.h"
#include "utils/string-utils.h" #include "utils/string-utils.h"
#include "runc/runc.h"
#include "util.h" #include "util.h"
#include "config.h" #include "config.h"
@ -78,6 +79,7 @@ static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
static const int DEFAULT_TC_SUPPORT_ENABLED = 0; static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0; static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
static const int DEFAULT_YARN_SYSFS_SUPPORT_ENABLED = 0; static const int DEFAULT_YARN_SYSFS_SUPPORT_ENABLED = 0;
static const int DEFAULT_RUNC_SUPPORT_ENABLED = 0;
static const char* PROC_PATH = "/proc"; static const char* PROC_PATH = "/proc";
@ -191,7 +193,7 @@ int check_executor_permissions(char *executable_file) {
/** /**
* Change the effective user id to limit damage. * Change the effective user id to limit damage.
*/ */
static int change_effective_user(uid_t user, gid_t group) { int change_effective_user(uid_t user, gid_t group) {
if (geteuid() == user) { if (geteuid() == user) {
return 0; return 0;
} }
@ -211,6 +213,10 @@ static int change_effective_user(uid_t user, gid_t group) {
return 0; return 0;
} }
int change_effective_user_to_nm() {
return change_effective_user(nm_uid, nm_gid);
}
#ifdef __linux #ifdef __linux
/** /**
* Write the pid of the current process to the cgroup file. * Write the pid of the current process to the cgroup file.
@ -408,7 +414,7 @@ static int wait_and_get_exit_code(pid_t pid) {
* the exit code file. * the exit code file.
* Returns the exit code of the container process. * Returns the exit code of the container process.
*/ */
static int wait_and_write_exit_code(pid_t pid, const char* exit_code_file) { int wait_and_write_exit_code(pid_t pid, const char* exit_code_file) {
int exit_code = -1; int exit_code = -1;
exit_code = wait_and_get_exit_code(pid); exit_code = wait_and_get_exit_code(pid);
@ -510,6 +516,12 @@ int is_yarn_sysfs_support_enabled() {
DEFAULT_YARN_SYSFS_SUPPORT_ENABLED, &executor_cfg); DEFAULT_YARN_SYSFS_SUPPORT_ENABLED, &executor_cfg);
} }
int is_runc_support_enabled() {
return is_feature_enabled(RUNC_SUPPORT_ENABLED_KEY,
DEFAULT_RUNC_SUPPORT_ENABLED, &executor_cfg)
|| runc_module_enabled(&CFG);
}
/** /**
* Utility function to concatenate argB to argA using the concat_pattern. * Utility function to concatenate argB to argA using the concat_pattern.
*/ */
@ -642,6 +654,20 @@ char *get_tmp_directory(const char *work_dir) {
return concatenate("%s/%s", "tmp dir", 2, work_dir, TMP_DIR); return concatenate("%s/%s", "tmp dir", 2, work_dir, TMP_DIR);
} }
/**
* Get the private /tmp directory under the working directory
*/
char *get_privatetmp_directory(const char *work_dir) {
return concatenate("%s/%s", "private /tmp dir", 2, work_dir, ROOT_TMP_DIR);
}
/**
* Get the private /tmp directory under the working directory
*/
char *get_private_var_tmp_directory(const char *work_dir) {
return concatenate("%s/%s", "private /var/tmp dir", 2, work_dir, ROOT_VAR_TMP_DIR);
}
/** /**
* Ensure that the given path and all of the parent directories are created * Ensure that the given path and all of the parent directories are created
* with the desired permissions. * with the desired permissions.
@ -810,17 +836,51 @@ static int create_container_directories(const char* user, const char *app_id,
return result; return result;
} }
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
// also make the tmp directory // also make the tmp directory
char *tmp_dir = get_tmp_directory(work_dir); char *tmp_dir = get_tmp_directory(work_dir);
char *private_tmp_dir = get_privatetmp_directory(work_dir);
char *private_var_tmp_dir = get_private_var_tmp_directory(work_dir);
if (tmp_dir == NULL) { if (tmp_dir == NULL || private_tmp_dir == NULL || private_var_tmp_dir == NULL) {
return OUT_OF_MEMORY; return OUT_OF_MEMORY;
} }
if (mkdirs(tmp_dir, perms) == 0) {
result = 0; if (mkdirs(tmp_dir, perms) != 0) {
fprintf(ERRORFILE, "Could not create tmp_dir: %s\n", tmp_dir);
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
goto cleanup;
} }
if (mkdirs(private_tmp_dir, perms) != 0) {
fprintf(ERRORFILE, "Could not create private_tmp_dir: %s\n", private_tmp_dir);
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
goto cleanup;
}
// clear group sticky bit on private_tmp_dir
if (chmod(private_tmp_dir, perms) != 0) {
fprintf(ERRORFILE, "Could not chmod private_tmp_dir: %s\n", private_tmp_dir);
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
goto cleanup;
}
if (mkdirs(private_var_tmp_dir, perms) != 0) {
fprintf(ERRORFILE, "Could not create private_var_tmp_dir: %s\n", private_var_tmp_dir);
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
goto cleanup;
}
// clear group sticky bit on private_tmp_dir
if (chmod(private_var_tmp_dir, perms) != 0) {
fprintf(ERRORFILE, "Could not chmod private_var_tmp_dir: %s\n", private_var_tmp_dir);
result = COULD_NOT_CREATE_TMP_DIRECTORIES;
goto cleanup;
}
cleanup:
free(tmp_dir); free(tmp_dir);
free(private_tmp_dir);
free(private_var_tmp_dir);
return result; return result;
} }
@ -1051,6 +1111,36 @@ static int open_file_as_nm(const char* filename) {
return result; return result;
} }
/**
* Check the pidfile as the node manager. File should not exist.
* Returns 0 on file doesn't exist and -1 on file does exist.
*/
int check_pidfile_as_nm(const char* pidfile) {
int result = 0;
uid_t user = geteuid();
gid_t group = getegid();
if (change_effective_user(nm_uid, nm_gid) != 0) {
return -1;
}
struct stat statbuf;
if (stat(pidfile, &statbuf) == 0) {
fprintf(ERRORFILE, "pid file already exists: %s\n", pidfile);
result = -1;
}
if (errno != ENOENT) {
fprintf(ERRORFILE, "Error accessing %s : %s\n", pidfile,
strerror(errno));
result = -1;
}
if (change_effective_user(user, group)) {
result = -1;
}
return result;
}
/** /**
* Copy a file from a fd to a given filename. * Copy a file from a fd to a given filename.
* The new file must not exist and it is created with permissions perm. * The new file must not exist and it is created with permissions perm.
@ -1863,6 +1953,61 @@ int create_yarn_sysfs(const char* user, const char *app_id,
return result; return result;
} }
int setup_container_paths(const char* user, const char* app_id,
const char *container_id, const char *work_dir, const char *script_name,
const char *cred_file, int https, const char *keystore_file, const char *truststore_file,
char* const* local_dirs, char* const* log_dirs) {
char *script_file_dest = NULL;
char *cred_file_dest = NULL;
char *keystore_file_dest = NULL;
char *truststore_file_dest = NULL;
int container_file_source = -1;
int cred_file_source = -1;
int keystore_file_source = -1;
int truststore_file_source = -1;
int result = initialize_user(user, local_dirs);
if (result != 0) {
return result;
}
int rc = create_script_paths(
work_dir, script_name, cred_file, https, keystore_file, truststore_file, &script_file_dest, &cred_file_dest,
&keystore_file_dest, &truststore_file_dest, &container_file_source, &cred_file_source, &keystore_file_source, &truststore_file_source);
if (rc != 0) {
fputs("Could not create script path\n", ERRORFILE);
goto cleanup;
}
rc = create_log_dirs(app_id, log_dirs);
if (rc != 0) {
fputs("Could not create log files and directories\n", ERRORFILE);
goto cleanup;
}
rc = create_local_dirs(user, app_id, container_id,
work_dir, script_name, cred_file, https, keystore_file, truststore_file, local_dirs, log_dirs,
1, script_file_dest, cred_file_dest, keystore_file_dest, truststore_file_dest,
container_file_source, cred_file_source, keystore_file_source, truststore_file_source);
if (rc != 0) {
fputs("Could not create local files and directories\n", ERRORFILE);
goto cleanup;
}
rc = create_yarn_sysfs(user, app_id, container_id, work_dir, local_dirs);
if (rc != 0) {
fputs("Could not create user yarn sysfs directory\n", ERRORFILE);
goto cleanup;
}
cleanup:
free(script_file_dest);
free(cred_file_dest);
return rc;
}
int launch_docker_container_as_user(const char * user, const char *app_id, int launch_docker_container_as_user(const char * user, const char *app_id,
const char *container_id, const char *work_dir, const char *container_id, const char *work_dir,
const char *script_name, const char *cred_file, const char *script_name, const char *cred_file,

View File

@ -52,7 +52,9 @@ enum operations {
REMOVE_DOCKER_CONTAINER = 13, REMOVE_DOCKER_CONTAINER = 13,
INSPECT_DOCKER_CONTAINER = 14, INSPECT_DOCKER_CONTAINER = 14,
RUN_AS_USER_SYNC_YARN_SYSFS = 15, RUN_AS_USER_SYNC_YARN_SYSFS = 15,
EXEC_CONTAINER = 16 EXEC_CONTAINER = 16,
RUN_RUNC_CONTAINER = 17,
REAP_RUNC_LAYER_MOUNTS = 18
}; };
#define NM_GROUP_KEY "yarn.nodemanager.linux-container-executor.group" #define NM_GROUP_KEY "yarn.nodemanager.linux-container-executor.group"
@ -72,10 +74,14 @@ enum operations {
#define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled" #define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
#define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled" #define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
#define YARN_SYSFS_SUPPORT_ENABLED_KEY "feature.yarn.sysfs.enabled" #define YARN_SYSFS_SUPPORT_ENABLED_KEY "feature.yarn.sysfs.enabled"
#define RUNC_SUPPORT_ENABLED_KEY "feature.runc.enabled"
#define TMP_DIR "tmp" #define TMP_DIR "tmp"
#define ROOT_TMP_DIR "private_slash_tmp"
#define ROOT_VAR_TMP_DIR "private_var_slash_tmp"
#define COMMAND_FILE_SECTION "command-execution" #define COMMAND_FILE_SECTION "command-execution"
extern struct passwd *user_detail; extern struct passwd *user_detail;
extern struct section executor_cfg;
//function used to load the configurations present in the secure config //function used to load the configurations present in the secure config
void read_executor_config(const char* file_name); void read_executor_config(const char* file_name);
@ -175,6 +181,9 @@ int delete_as_user(const char *user,
// assumed to be an absolute path. // assumed to be an absolute path.
int list_as_user(const char *target_dir); int list_as_user(const char *target_dir);
// Check the pidfile as the node manager. File should not exist.
int check_pidfile_as_nm(const char* filename);
// set the uid and gid of the node manager. This is used when doing some // set the uid and gid of the node manager. This is used when doing some
// priviledged operations for setting the effective uid and gid. // priviledged operations for setting the effective uid and gid.
void set_nm_uid(uid_t user, gid_t group); void set_nm_uid(uid_t user, gid_t group);
@ -244,6 +253,10 @@ int create_directory_for_user(const char* path);
int change_user(uid_t user, gid_t group); int change_user(uid_t user, gid_t group);
int change_effective_user(uid_t user, gid_t group);
int change_effective_user_to_nm();
int mount_cgroup(const char *pair, const char *hierarchy); int mount_cgroup(const char *pair, const char *hierarchy);
int check_dir(const char* npath, mode_t st_mode, mode_t desired, int check_dir(const char* npath, mode_t st_mode, mode_t desired,
@ -255,6 +268,14 @@ int create_validate_dir(const char* npath, mode_t perm, const char* path,
/** Check if a feature is enabled in the specified configuration. */ /** Check if a feature is enabled in the specified configuration. */
int is_feature_enabled(const char* feature_key, int default_value, int is_feature_enabled(const char* feature_key, int default_value,
struct section *cfg); struct section *cfg);
char* get_exit_code_file(const char* pid_file);
int wait_and_write_exit_code(pid_t pid, const char* exit_code_file);
int setup_container_paths(const char* user, const char* app_id,
const char *container_id, const char* work_dir, const char* script_path,
const char *cred_path, int https, const char *keystore_file, const char *truststore_file,
char * const* local_dirs, char* const* log_dirs);
/** Check if tc (traffic control) support is enabled in configuration. */ /** Check if tc (traffic control) support is enabled in configuration. */
int is_tc_support_enabled(); int is_tc_support_enabled();
@ -341,3 +362,9 @@ int remove_docker_container(char **argv, int argc);
* Check if terminal feature is enabled * Check if terminal feature is enabled
*/ */
int is_terminal_support_enabled(); int is_terminal_support_enabled();
/**
* Check if runC feature is enabled
*/
int is_runc_support_enabled();

View File

@ -26,6 +26,8 @@
#include "modules/cgroups/cgroups-operations.h" #include "modules/cgroups/cgroups-operations.h"
#include "modules/devices/devices-module.h" #include "modules/devices/devices-module.h"
#include "utils/string-utils.h" #include "utils/string-utils.h"
#include "runc/runc.h"
#include "runc/runc_reap.h"
#include <errno.h> #include <errno.h>
#include <grp.h> #include <grp.h>
@ -35,45 +37,33 @@
#include <signal.h> #include <signal.h>
static void display_usage(FILE *stream) { static void display_usage(FILE *stream) {
const char* disabled = "[DISABLED]";
const char* enabled = " ";
fputs("Usage: container-executor --checksetup\n"
" container-executor --mount-cgroups <hierarchy> "
"<controller=path>...\n", stream);
const char* de = is_tc_support_enabled() ? enabled : disabled;
fprintf(stream, fprintf(stream,
"Usage: container-executor --checksetup\n" "%s container-executor --tc-modify-state <command-file>\n"
" container-executor --mount-cgroups <hierarchy> " "%s container-executor --tc-read-state <command-file>\n"
"<controller=path>\n" ); "%s container-executor --tc-read-stats <command-file>\n",
de, de, de);
if(is_tc_support_enabled()) { de = is_terminal_support_enabled() ? enabled : disabled;
fprintf(stream, fprintf(stream, "%s container-executor --exec-container <command-file>\n", de);
" container-executor --tc-modify-state <command-file>\n"
" container-executor --tc-read-state <command-file>\n"
" container-executor --tc-read-stats <command-file>\n" );
} else {
fprintf(stream,
"[DISABLED] container-executor --tc-modify-state <command-file>\n"
"[DISABLED] container-executor --tc-read-state <command-file>\n"
"[DISABLED] container-executor --tc-read-stats <command-file>\n");
}
if(is_docker_support_enabled()) { de = is_docker_support_enabled() ? enabled : disabled;
fprintf(stream, fprintf(stream, "%s container-executor --run-docker <command-file>\n", de);
" container-executor --run-docker <command-file>\n" fprintf(stream, "%s container-executor --remove-docker-container [hierarchy] <container_id>\n", de);
" container-executor --remove-docker-container [hierarchy] " fprintf(stream, "%s container-executor --inspect-docker-container <container_id>\n", de);
"<container_id>\n"
" container-executor --inspect-docker-container <container_id>\n");
} else {
fprintf(stream,
"[DISABLED] container-executor --run-docker <command-file>\n"
"[DISABLED] container-executor --remove-docker-container [hierarchy] "
"<container_id>\n"
"[DISABLED] container-executor --inspect-docker-container "
"<format> ... <container_id>\n");
}
if (is_terminal_support_enabled()) { de = is_runc_support_enabled() ? enabled : disabled;
fprintf(stream, fprintf(stream,
" container-executor --exec-container <command-file>\n"); "%s container-executor --run-runc-container <command-file>\n", de);
} else { fprintf(stream,
fprintf(stream, "%s container-executor --reap-runc-layer-mounts <retain-count>\n", de);
"[DISABLED] container-executor --exec-container <command-file>\n");
}
fprintf(stream, fprintf(stream,
" container-executor <user> <yarn-user> <command> <command-args>\n" " container-executor <user> <yarn-user> <command> <command-args>\n"
@ -85,27 +75,21 @@ static void display_usage(FILE *stream) {
INITIALIZE_CONTAINER, LAUNCH_CONTAINER); INITIALIZE_CONTAINER, LAUNCH_CONTAINER);
if(is_tc_support_enabled()) { if(is_tc_support_enabled()) {
fprintf(stream, "optional-tc-command-file\n"); fputs("optional-tc-command-file\n", stream);
} else { } else {
fprintf(stream, "\n"); fputs("\n", stream);
} }
if(is_docker_support_enabled()) { de = is_docker_support_enabled() ? enabled : disabled;
fprintf(stream, fprintf(stream,
" launch docker container: %2d appid containerid workdir " "%11s launch docker container: %2d appid containerid workdir "
"container-script tokens pidfile nm-local-dirs nm-log-dirs " "container-script tokens pidfile nm-local-dirs nm-log-dirs "
"docker-command-file resources ", LAUNCH_DOCKER_CONTAINER); "docker-command-file resources ", de, LAUNCH_DOCKER_CONTAINER);
} else {
fprintf(stream,
"[DISABLED] launch docker container: %2d appid containerid workdir "
"container-script tokens pidfile nm-local-dirs nm-log-dirs "
"docker-command-file resources ", LAUNCH_DOCKER_CONTAINER);
}
if(is_tc_support_enabled()) { if(is_tc_support_enabled()) {
fprintf(stream, "optional-tc-command-file\n"); fputs("optional-tc-command-file\n", stream);
} else { } else {
fprintf(stream, "\n"); fputs("\n", stream);
} }
fprintf(stream, fprintf(stream,
@ -244,7 +228,7 @@ static void display_feature_disabled_message(const char* name) {
fprintf(ERRORFILE, "Feature disabled: %s\n", name); fprintf(ERRORFILE, "Feature disabled: %s\n", name);
} }
/* Use to store parsed input parmeters for various operations */ /* Use to store parsed input parameters for various operations */
static struct { static struct {
char *cgroups_hierarchy; char *cgroups_hierarchy;
char *traffic_control_command_file; char *traffic_control_command_file;
@ -267,6 +251,7 @@ static struct {
const char *target_dir; const char *target_dir;
int container_pid; int container_pid;
int signal; int signal;
int runc_layer_count;
const char *command_file; const char *command_file;
} cmd_input; } cmd_input;
@ -435,6 +420,44 @@ static int validate_arguments(int argc, char **argv , int *operation) {
} }
} }
if (strcmp("--run-runc-container", argv[1]) == 0) {
if (is_runc_support_enabled()) {
if (argc != 3) {
display_usage(stdout);
return INVALID_ARGUMENT_NUMBER;
}
optind++;
cmd_input.command_file = argv[optind++];
*operation = RUN_RUNC_CONTAINER;
return 0;
} else {
display_feature_disabled_message("runc");
return FEATURE_DISABLED;
}
}
if (strcmp("--reap-runc-layer-mounts", argv[1]) == 0) {
if (is_runc_support_enabled()) {
if (argc != 3) {
display_usage(stdout);
return INVALID_ARGUMENT_NUMBER;
}
optind++;
const char* valstr = argv[optind++];
if (sscanf(valstr, "%d", &cmd_input.runc_layer_count) != 1
|| cmd_input.runc_layer_count < 0) {
fprintf(ERRORFILE, "Bad runc layer count: %s\n", valstr);
return INVALID_COMMAND_PROVIDED;
}
*operation = REAP_RUNC_LAYER_MOUNTS;
return 0;
} else {
display_feature_disabled_message("runc");
return FEATURE_DISABLED;
}
}
/* Now we have to validate 'run as user' operations that don't use /* Now we have to validate 'run as user' operations that don't use
a 'long option' - we should fix this at some point. The validation/argument a 'long option' - we should fix this at some point. The validation/argument
parsing here is extensive enough that it done in a separate function */ parsing here is extensive enough that it done in a separate function */
@ -786,6 +809,16 @@ int main(int argc, char **argv) {
exit_code = FEATURE_DISABLED; exit_code = FEATURE_DISABLED;
} }
break; break;
case RUN_RUNC_CONTAINER:
exit_code = run_runc_container(cmd_input.command_file);
break;
case REAP_RUNC_LAYER_MOUNTS:
exit_code = reap_runc_layer_mounts(cmd_input.runc_layer_count);
break;
default:
fprintf(ERRORFILE, "Unexpected operation code: %d\n", operation);
exit_code = INVALID_COMMAND_PROVIDED;
break;
} }
if (exit_code) { if (exit_code) {

View File

@ -0,0 +1,910 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <linux/loop.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include "../modules/common/module-configs.h"
// TODO: Figure out how to address new openssl dependency for container-executor
#include <openssl/evp.h>
// workaround for building on RHEL6 but running on RHEL7
#ifndef LOOP_CTL_GET_FREE
#define LOOP_CTL_GET_FREE 0x4C82
#endif
#include "utils/string-utils.h"
#include "util.h"
#include "configuration.h"
#include "container-executor.h"
#include "runc.h"
#include "runc_base_ctx.h"
#include "runc_config.h"
#include "runc_launch_cmd.h"
#include "runc_reap.h"
#include "runc_write_config.h"
#define NUM_ROOTFS_UNMOUNT_ATTEMPTS 40
#define MAX_ROOTFS_UNMOUNT_BACKOFF_MSEC 1000
// NOTE: Update init_runc_overlay_desc and destroy_runc_overlay_desc
// when this is changed.
typedef struct runc_overlay_desc_struct {
char* top_path; // top-level directory
char* mount_path; // overlay mount point under top_path
char* upper_path; // root path of upper layer under top_path
char* work_path; // overlay work path under top_path
} runc_overlay_desc;
// NOTE: Update init_runc_mount_context and destroy_runc_mount_context
// when this is changed.
typedef struct runc_mount_context_struct {
char* src_path; // path to raw layer data
char* layer_path; // path under layer database for this layer
char* mount_path; // mount point of filesystem under layer_path
int fd; // opened file descriptor or -1
} runc_mount_ctx;
// NOTE: Update init_runc_launch_cmd_ctx and destroy_runc_launch_cmd_ctx
// when this is changed.
typedef struct runc_launch_cmd_context_struct {
runc_base_ctx base_ctx; // run root and layer lock
runc_overlay_desc upper; // writable upper layer descriptor
runc_mount_ctx* layers; // layer mount info
unsigned int num_layers; // number of layer mount contexts
} runc_launch_cmd_ctx;
int runc_module_enabled(const struct configuration *conf) {
struct section *section = get_configuration_section(CONTAINER_EXECUTOR_CFG_RUNC_SECTION, conf);
if (section != NULL) {
return module_enabled(section, CONTAINER_EXECUTOR_CFG_RUNC_SECTION);
}
return 0;
}
static void init_runc_overlay_desc(runc_overlay_desc* desc) {
memset(desc, 0, sizeof(*desc));
}
static void destroy_runc_overlay_desc(runc_overlay_desc* desc) {
if (desc != NULL) {
free(desc->top_path);
free(desc->mount_path);
free(desc->upper_path);
free(desc->work_path);
}
}
static void init_runc_mount_ctx(runc_mount_ctx* ctx) {
memset(ctx, 0, sizeof(*ctx));
ctx->fd = -1;
}
static void destroy_runc_mount_ctx(runc_mount_ctx* ctx) {
if (ctx != NULL) {
free(ctx->src_path);
free(ctx->layer_path);
free(ctx->mount_path);
if (ctx->fd != -1) {
close(ctx->fd);
}
}
}
static void init_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
memset(ctx, 0, sizeof(*ctx));
init_runc_base_ctx(&ctx->base_ctx);
init_runc_overlay_desc(&ctx->upper);
}
static void destroy_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
if (ctx != NULL) {
if (ctx->layers != NULL) {
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
destroy_runc_mount_ctx(&ctx->layers[i]);
}
free(ctx->layers);
}
destroy_runc_overlay_desc(&ctx->upper);
destroy_runc_base_ctx(&ctx->base_ctx);
}
}
static runc_launch_cmd_ctx* alloc_runc_launch_cmd_ctx() {
runc_launch_cmd_ctx* ctx = malloc(sizeof(*ctx));
if (ctx != NULL) {
init_runc_launch_cmd_ctx(ctx);
}
return ctx;
}
static void free_runc_launch_cmd_ctx(runc_launch_cmd_ctx* ctx) {
if (ctx != NULL) {
destroy_runc_launch_cmd_ctx(ctx);
free(ctx);
}
}
static runc_launch_cmd_ctx* setup_runc_launch_cmd_ctx() {
runc_launch_cmd_ctx* ctx = alloc_runc_launch_cmd_ctx();
if (ctx == NULL) {
fputs("Cannot allocate memory\n", ERRORFILE);
return NULL;
}
if (!open_runc_base_ctx(&ctx->base_ctx)) {
free_runc_launch_cmd_ctx(ctx);
return NULL;
}
return ctx;
}
/**
* Compute a digest of a layer based on the layer's pathname.
* Returns the malloc'd digest hexstring or NULL if there was an error.
*/
static char* compute_layer_hash(const char* path) {
char* digest = NULL;
EVP_MD_CTX* mdctx = EVP_MD_CTX_create();
if (mdctx == NULL) {
fputs("Unable to create EVP MD context\n", ERRORFILE);
goto cleanup;
}
if (!EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) {
fputs("Unable to initialize SHA256 digester\n", ERRORFILE);
goto cleanup;
}
if (!EVP_DigestUpdate(mdctx, path, strlen(path))) {
fputs("Unable to compute layer path digest\n", ERRORFILE);
goto cleanup;
}
unsigned char raw_digest[EVP_MAX_MD_SIZE];
unsigned int raw_digest_len = 0;
if (!EVP_DigestFinal_ex(mdctx, raw_digest, &raw_digest_len)) {
fputs("Unable to compute layer path digest\n", ERRORFILE);
goto cleanup;
}
digest = to_hexstring(raw_digest, raw_digest_len);
cleanup:
if (mdctx != NULL) {
EVP_MD_CTX_destroy(mdctx);
}
return digest;
}
/**
* Open the specified path which is expected to be a mount point.
*
* Returns an valid file descriptor when the path exists and is a mount point
* or -1 if the path does not exist or is not a mount point.
*
* NOTE: The corresponding read lock must be acquired.
*/
static int open_mountpoint(const char* path) {
int fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd == -1) {
if (errno != ENOENT) {
fprintf(ERRORFILE, "Error accessing mount point at %s : %s\n", path,
strerror(errno));
}
return fd;
}
struct stat mstat, pstat;
if (fstat(fd, &mstat) == -1) {
fprintf(ERRORFILE, "Error accessing mount point at %s : %s\n", path,
strerror(errno));
goto close_fail;
}
if (!S_ISDIR(mstat.st_mode)) {
fprintf(ERRORFILE, "Mount point %s is not a directory\n", path);
goto close_fail;
}
if (fstatat(fd, "..", &pstat, 0) == -1) {
fprintf(ERRORFILE, "Error accessing mount point parent of %s : %s\n", path,
strerror(errno));
goto close_fail;
}
// If the parent directory's device matches the child directory's device
// then we didn't cross a device boundary in the filesystem and therefore
// this is likely not a mount point.
// TODO: This assumption works for loopback mounts but would not work for
// bind mounts or some other situations. Worst case would need to
// walk the mount table and otherwise replicate the mountpoint(1) cmd.
if (mstat.st_dev == pstat.st_dev) {
goto close_fail;
}
return fd;
close_fail:
close(fd);
return -1;
}
static bool init_overlay_descriptor(runc_overlay_desc* desc,
const char* run_root, const char* container_id) {
if (asprintf(&desc->top_path, "%s/%s", run_root, container_id) == -1) {
return false;
}
if (asprintf(&desc->mount_path, "%s/rootfs", desc->top_path) == -1) {
return false;
}
if (asprintf(&desc->upper_path, "%s/upper", desc->top_path) == -1) {
return false;
}
if (asprintf(&desc->work_path, "%s/work", desc->top_path) == -1) {
return false;
}
return true;
}
static bool init_layer_mount_ctx(runc_mount_ctx* ctx, const rlc_layer_spec* spec,
const char* run_root) {
char* hash = compute_layer_hash(spec->path);
if (hash == NULL) {
return false;
}
ctx->layer_path = get_runc_layer_path(run_root, hash);
free(hash);
if (ctx->layer_path == NULL) {
return false;
}
ctx->mount_path = get_runc_layer_mount_path(ctx->layer_path);
if (ctx->mount_path == NULL) {
return false;
}
ctx->fd = open(spec->path, O_RDONLY | O_CLOEXEC);
if (ctx->fd == -1) {
fprintf(ERRORFILE, "Error opening layer image at %s : %s\n", spec->path,
strerror(errno));
return false;
}
ctx->src_path = strdup(spec->path);
return ctx->src_path != NULL;
}
/**
* Initialize the layers mount contexts and open each layer image as the user
* to validate the user should be allowed to access the image composed of
* these layers.
*/
static bool init_layer_mount_ctxs(runc_launch_cmd_ctx* ctx,
const rlc_layer_spec* layer_specs, unsigned int num_layers) {
ctx->layers = malloc(num_layers * sizeof(*ctx->layers));
if (ctx->layers == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
return false;
}
for (unsigned int i = 0; i < num_layers; ++i) {
init_runc_mount_ctx(&ctx->layers[i]);
}
ctx->num_layers = num_layers;
for (unsigned int i = 0; i < num_layers; ++i) {
if (!init_layer_mount_ctx(&ctx->layers[i], &layer_specs[i],
ctx->base_ctx.run_root)) {
return false;
}
}
return true;
}
/**
* Allocate a loop device and assruncate it with a file descriptor.
* Returns the file descriptor of the opened loop device or -1 on error.
*/
static int allocate_and_open_loop_device(char** loopdev_name_out, int src_fd) {
*loopdev_name_out = NULL;
int loopctl = open("/dev/loop-control", O_RDWR);
if (loopctl == -1) {
fprintf(ERRORFILE, "Error opening /dev/loop-control : %s\n",
strerror(errno));
return -1;
}
char* loopdev_name = NULL;
int loop_fd = -1;
while (true) {
int loop_num = ioctl(loopctl, LOOP_CTL_GET_FREE);
if (loop_num < 0) {
fprintf(ERRORFILE, "Error allocating a new loop device: %s\n",
strerror(errno));
goto fail;
}
if (asprintf(&loopdev_name, "/dev/loop%d", loop_num) == -1) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto fail;
}
loop_fd = open(loopdev_name, O_RDWR | O_CLOEXEC);
if (loop_fd == -1) {
fprintf(ERRORFILE, "Unable to open loop device at %s : %s\n",
loopdev_name, strerror(errno));
goto fail;
}
if (ioctl(loop_fd, LOOP_SET_FD, src_fd) != -1) {
break;
}
// EBUSY indicates another process stole this loop device
if (errno != EBUSY) {
fprintf(ERRORFILE, "Error setting loop source file: %s\n",
strerror(errno));
goto fail;
}
close(loop_fd);
loop_fd = -1;
free(loopdev_name);
loopdev_name = NULL;
}
struct loop_info64 loop_info;
memset(&loop_info, 0, sizeof(loop_info));
loop_info.lo_flags = LO_FLAGS_READ_ONLY | LO_FLAGS_AUTOCLEAR;
if (ioctl(loop_fd, LOOP_SET_STATUS64, &loop_info) == -1) {
fprintf(ERRORFILE, "Error setting loop flags: %s\n", strerror(errno));
goto fail;
}
close(loopctl);
*loopdev_name_out = loopdev_name;
return loop_fd;
fail:
if (loop_fd != -1) {
close(loop_fd);
}
close(loopctl);
free(loopdev_name);
return -1;
}
/**
* Mount a filesystem with the specified arguments, see the mount(2) manpage.
* If the mount fails an error message is printed to ERRORFILE.
* Returns true for success or false on failure.
*/
static bool do_mount(const char* src, const char* target,
const char* fs_type, unsigned long mount_flags, const char* mount_options) {
if (mount(src, target, fs_type, mount_flags, mount_options) == -1) {
const char* nullstr = "NULL";
src = (src != NULL) ? src : nullstr;
fs_type = (fs_type != NULL) ? fs_type : nullstr;
mount_options = (mount_options != NULL) ? mount_options : nullstr;
fprintf(ERRORFILE, "Error mounting %s at %s type %s with options %s : %s\n",
src, target, fs_type, mount_options, strerror(errno));
return false;
}
return true;
}
/**
* Mount a filesystem and return a file descriptor opened to the mount point.
* The mount point directory will be created if necessary.
* Returns a file descriptor to the mount point or -1 if there was an error.
*/
static int mount_and_open(const char* src, const char* target,
const char* fs_type, unsigned long mount_flags, const char* mount_options) {
if (mkdir(target, S_IRWXU) == -1 && errno != EEXIST) {
fprintf(ERRORFILE, "Error creating mountpoint directory at %s : %s\n",
target, strerror(errno));
return -1;
}
if (!do_mount(src, target, fs_type, mount_flags, mount_options)) {
return -1;
}
return open_mountpoint(target);
}
static int mount_layer_and_open(const runc_mount_ctx* layer) {
if (mkdir(layer->layer_path, S_IRWXU) == -1) {
if (errno != EEXIST) {
fprintf(ERRORFILE, "Error creating layer directory at %s : %s\n",
layer->layer_path, strerror(errno));
return -1;
}
}
char *loopdev_name = NULL;
int loopfd = allocate_and_open_loop_device(&loopdev_name, layer->fd);
if (loopfd == -1) {
return -1;
}
int mount_fd = mount_and_open(loopdev_name, layer->mount_path, "squashfs",
MS_RDONLY, NULL);
// If the mount worked then the mount holds the loop device open. If the mount
// failed then the loop device is no longer needed, so close it either way.
close(loopfd);
free(loopdev_name);
return mount_fd;
}
static bool do_mount_layers_with_lock(runc_launch_cmd_ctx* ctx) {
bool have_write_lock = false;
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
int layer_mount_fd = open_mountpoint(ctx->layers[i].mount_path);
if (layer_mount_fd != -1) {
// Touch layer directory to show this existing layer was recently used.
if (utimes(ctx->layers[i].layer_path, NULL) == -1) {
// Error is not critical to container launch so just print a warning.
fprintf(ERRORFILE, "Error updating timestamps of %s : %s\n",
ctx->layers[i].layer_path, strerror(errno));
}
} else {
if (!have_write_lock) {
if (!acquire_runc_layers_write_lock(&ctx->base_ctx)) {
return false;
}
have_write_lock = true;
// Try to open the mount point again in case another process created it
// while we were waiting for the write lock.
layer_mount_fd = open_mountpoint(ctx->layers[i].mount_path);
}
if (layer_mount_fd == -1) {
layer_mount_fd = mount_layer_and_open(&ctx->layers[i]);
if (layer_mount_fd == -1) {
fprintf(ERRORFILE, "Unable to mount layer data from %s\n",
ctx->layers[i].src_path);
return false;
}
}
}
// Now that the layer is mounted we can start tracking the open mount point
// for the layer rather than the descriptor to the layer image.
// The mount point references the underlying image, so we no longer need
// a direct reference to the layer image.
close(ctx->layers[i].fd);
ctx->layers[i].fd = layer_mount_fd;
}
return true;
}
static bool mount_layers(runc_launch_cmd_ctx* ctx) {
if (!acquire_runc_layers_read_lock(&ctx->base_ctx)) {
return false;
}
bool result = do_mount_layers_with_lock(ctx);
if (!release_runc_layers_lock(&ctx->base_ctx)) {
return false;
}
return result;
}
static char* build_overlay_options(runc_mount_ctx* layers,
unsigned int num_layers, const runc_overlay_desc* upper) {
char* result = NULL;
const int sb_incr = 16*1024;
strbuf sb;
if (!strbuf_init(&sb, sb_incr)) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto cleanup;
}
if (!strbuf_append_fmt(&sb, sb_incr, "upperdir=%s,workdir=%s,lowerdir=",
upper->upper_path, upper->work_path)) {
goto cleanup;
}
// Overlay expects the base layer to be the last layer listed, but the
// OCI image manifest specifies the base layer first.
bool need_separator = false;
for (int i = num_layers - 1; i >= 0; --i) {
char* fmt = need_separator ? ":%s" : "%s";
if (!strbuf_append_fmt(&sb, sb_incr, fmt, layers[i].mount_path)) {
goto cleanup;
}
need_separator = true;
}
result = strbuf_detach_buffer(&sb);
cleanup:
strbuf_destroy(&sb);
return result;
}
static bool create_overlay_dirs(runc_overlay_desc* od) {
if (mkdir(od->top_path, S_IRWXU) != 0) {
fprintf(ERRORFILE, "Error creating %s : %s\n", od->top_path,
strerror(errno));
return false;
}
if (mkdir(od->mount_path, S_IRWXU) != 0) {
fprintf(ERRORFILE, "Error creating %s : %s\n", od->mount_path,
strerror(errno));
return false;
}
mode_t upper_mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH;
if (mkdir(od->upper_path, upper_mode) != 0) {
fprintf(ERRORFILE, "Error creating %s : %s\n", od->upper_path,
strerror(errno));
return false;
}
if (mkdir(od->work_path, S_IRWXU) != 0) {
fprintf(ERRORFILE, "Error creating %s : %s\n", od->work_path,
strerror(errno));
return false;
}
return true;
}
static bool mount_container_rootfs(runc_launch_cmd_ctx* ctx) {
if (!create_overlay_dirs(&ctx->upper)) {
return false;
}
if (!mount_layers(ctx)) {
return false;
}
char* overlay_opts = build_overlay_options(ctx->layers, ctx->num_layers,
&ctx->upper);
if (overlay_opts == NULL) {
return false;
}
bool mount_ok = do_mount("overlay", ctx->upper.mount_path, "overlay", 0,
overlay_opts);
free(overlay_opts);
if (!mount_ok) {
return false;
}
// It would be tempting to close the layer file descriptors here since the
// overlay should also be holding references to all the layers. However
// overlay somehow does NOT hold a hard reference to underlying filesystems,
// so the layer file descriptors need to be kept open in order to prevent
// other containers from unmounting shared layers when they cleanup.
return true;
}
static bool unmount_and_remove(const char* path) {
if (umount(path) == -1 && errno != EINVAL && errno != ENOENT) {
if (errno == EBUSY) {
// Layer is in use by another container.
return false;
}
fprintf(ERRORFILE, "Error unmounting %s : %s\n", path, strerror(errno));
return false;
}
if (rmdir(path) == -1 && errno != ENOENT) {
fprintf(ERRORFILE, "Error removing mount directory %s : %s\n", path,
strerror(errno));
return false;
}
return true;
}
static bool unmount_and_remove_with_retry(const char* path, int max_attempts,
long max_backoff_msec) {
long backoff_msec = 1;
for (int i = 0; i < max_attempts - 1; ++i) {
if (unmount_and_remove(path)) {
return true;
}
struct timespec ts;
memset(&ts, 0, sizeof(ts));
ts.tv_sec = backoff_msec / 1000;
ts.tv_nsec = (backoff_msec % 1000) * 1000 * 1000;
nanosleep(&ts, NULL);
backoff_msec *= 2;
if (backoff_msec > max_backoff_msec) {
backoff_msec = max_backoff_msec;
}
}
return unmount_and_remove(path);
}
static bool rmdir_recursive_fd(int fd) {
int dirfd = dup(fd);
if (dirfd == -1) {
fputs("Unable to duplicate file descriptor\n", ERRORFILE);
return false;
}
DIR* dir = fdopendir(dirfd);
if (dir == NULL) {
fprintf(ERRORFILE, "Error deleting directory: %s\n", strerror(errno));
return false;
}
bool result = false;
struct dirent* de;
while ((de = readdir(dir)) != NULL) {
if (strcmp(".", de->d_name) == 0 || strcmp("..", de->d_name) == 0) {
continue;
}
struct stat statbuf;
if (fstatat(dirfd, de->d_name, &statbuf, AT_SYMLINK_NOFOLLOW) == -1) {
if (errno == ENOENT) {
continue;
}
fprintf(ERRORFILE, "Error accessing %s : %s\n", de->d_name,
strerror(errno));
goto cleanup;
}
int rmflags = 0;
if (S_ISDIR(statbuf.st_mode)) {
rmflags = AT_REMOVEDIR;
int de_fd = openat(dirfd, de->d_name, O_RDONLY | O_NOFOLLOW);
if (de_fd == -1) {
if (errno == ENOENT) {
continue;
}
fprintf(ERRORFILE, "Error opening %s for delete: %s\n", de->d_name,
strerror(errno));
goto cleanup;
}
bool ok = rmdir_recursive_fd(de_fd);
close(de_fd);
if (!ok) {
goto cleanup;
}
}
if (unlinkat(dirfd, de->d_name, rmflags) == -1 && errno != ENOENT) {
fprintf(ERRORFILE, "Error removing %s : %s\n", de->d_name,
strerror(errno));
goto cleanup;
}
}
result = true;
cleanup:
closedir(dir);
return result;
}
static bool rmdir_recursive(const char* path) {
int fd = open(path, O_RDONLY | O_NOFOLLOW);
if (fd == -1) {
if (errno == ENOENT) {
return true;
}
fprintf(ERRORFILE, "Error opening %s for delete: %s\n", path,
strerror(errno));
return false;
}
bool result = rmdir_recursive_fd(fd);
close(fd);
if (rmdir(path) == -1) {
fprintf(ERRORFILE, "Error deleting %s : %s\n", path, strerror(errno));
result = false;
}
return result;
}
static void close_layer_fds(runc_launch_cmd_ctx* ctx) {
for (unsigned int i = 0; i < ctx->num_layers; ++i) {
if (ctx->layers[i].fd != -1) {
close(ctx->layers[i].fd);
ctx->layers[i].fd = -1;
}
}
}
/**
* Unmounts the container rootfs directory and MAY unmount layers on the host
* based on the specified number of total layer mounts on the host specified.
*/
static void cleanup_container_mounts(runc_launch_cmd_ctx* ctx,
int num_reap_layers_keep) {
unmount_and_remove_with_retry(ctx->upper.mount_path,
NUM_ROOTFS_UNMOUNT_ATTEMPTS, MAX_ROOTFS_UNMOUNT_BACKOFF_MSEC);
rmdir_recursive(ctx->upper.top_path);
reap_runc_layer_mounts_with_ctx(&ctx->base_ctx, num_reap_layers_keep);
}
/**
* Unmounts the container rootfs directory and MAY unmount layers on the host
* based on the specified number of total layer mounts on the host specified.
*
* IMPORTANT NOTE: This method may perform the unmount in a background process
* and can return before that has completed!
*/
static void background_cleanup_container_mounts(runc_launch_cmd_ctx* ctx,
int num_reap_layers_keep) {
pid_t child_pid = fork();
if (child_pid == -1) {
fprintf(ERRORFILE, "Error forking child process: %s\n", strerror(errno));
// try to clean it up in the foreground process
child_pid = 0;
}
if (child_pid == 0) {
cleanup_container_mounts(ctx, num_reap_layers_keep);
}
}
static void exec_runc(const char* container_id, const char* runc_config_path,
const char* pid_file_path) {
char* runc_path = get_configuration_value(RUNC_BINARY_KEY, CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg());
if (runc_path == NULL) {
runc_path = strdup(DEFAULT_RUNC_BINARY);
if (runc_path == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
exit(1);
}
}
char* dir_end = strrchr(runc_config_path, '/');
if (dir_end == NULL) {
fprintf(ERRORFILE, "Error getting bundle path from config path %s\n",
runc_config_path);
exit(1);
}
char* bundle_path = strndup(runc_config_path, dir_end - runc_config_path);
const char* const runc_args[] = {
runc_path, "run",
"--pid-file", pid_file_path,
"-b", bundle_path,
container_id,
NULL
};
const char* const runc_env[] = { NULL };
if (execve(runc_path, (char* const*)runc_args, (char* const*)runc_env) == -1) {
char* errstr = strerror(errno);
fputs("Failed to exec:", ERRORFILE);
for (const char* const* argp = runc_args; *argp != NULL; ++argp) {
fprintf(ERRORFILE, " %s", *argp);
}
fprintf(ERRORFILE, " : %s\n", errstr);
}
exit(1);
}
int run_runc_container(const char* command_file) {
int rc = 0;
char* exit_code_file = NULL;
char* runc_config_path = NULL;
runc_launch_cmd* rlc = NULL;
runc_launch_cmd_ctx* ctx = setup_runc_launch_cmd_ctx();
if (ctx == NULL) {
rc = ERROR_RUNC_SETUP_FAILED;
goto cleanup;
}
rlc = parse_runc_launch_cmd(command_file);
if (rlc == NULL) {
rc = ERROR_RUNC_SETUP_FAILED;
goto cleanup;
}
rc = set_user(rlc->run_as_user);
if (rc != 0) {
goto cleanup;
}
exit_code_file = get_exit_code_file(rlc->pid_file);
if (exit_code_file == NULL) {
rc = OUT_OF_MEMORY;
goto cleanup;
}
const char* work_dir = rlc->config.process.cwd->valuestring;
rc = setup_container_paths(rlc->username, rlc->app_id, rlc->container_id,
work_dir, rlc->script_path, rlc->cred_path, rlc->https, rlc->keystore_path,
rlc->truststore_path, rlc->local_dirs, rlc->log_dirs);
if (rc != 0) {
goto cleanup;
}
rc = ERROR_RUNC_RUN_FAILED;
if (!is_valid_runc_launch_cmd(rlc)) {
goto cleanup;
}
if (!init_layer_mount_ctxs(ctx, rlc->layers, rlc->num_layers)) {
goto cleanup;
}
if (!init_overlay_descriptor(&ctx->upper, ctx->base_ctx.run_root,
rlc->container_id)) {
goto cleanup;
}
runc_config_path = write_runc_runc_config(rlc, ctx->upper.mount_path);
if (runc_config_path == NULL) {
goto cleanup;
}
if (seteuid(0) != 0) {
fputs("Unable to become root\n", ERRORFILE);
goto cleanup;
}
if (!mount_container_rootfs(ctx)) {
goto umount_and_cleanup;
}
pid_t child_pid = fork();
if (child_pid == 0) {
exec_runc(rlc->container_id, runc_config_path, rlc->pid_file);
exit(1); // just in case exec_runc returns somehow
} else if (child_pid == -1) {
fprintf(ERRORFILE, "Error cannot fork: %s\n", strerror(errno));
rc = OUT_OF_MEMORY;
goto umount_and_cleanup;
}
rc = wait_and_write_exit_code(child_pid, exit_code_file);
umount_and_cleanup:
// Container is no longer running, so layer references are no longer desired.
close_layer_fds(ctx);
// Cleanup mounts in a background process to keep it off the critical path.
background_cleanup_container_mounts(ctx, rlc->num_reap_layers_keep);
cleanup:
free(exit_code_file);
free(runc_config_path);
free_runc_launch_cmd(rlc);
free_runc_launch_cmd_ctx(ctx);
return rc;
}

View File

@ -0,0 +1,33 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_H
#define RUNC_RUNC_H
#include <stdbool.h>
/**
* Check to see if runC is enabled.
*/
int runc_module_enabled(const struct configuration *conf);
/**
* Run a container via runC.
*/
int run_runc_container(const char* command_file);
#endif /* RUNC_RUNC_H */

View File

@ -0,0 +1,307 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "configuration.h"
#include "container-executor.h"
#include "util.h"
#include "runc_base_ctx.h"
#include "runc_config.h"
#define LAYER_MOUNT_SUFFIX "/mnt"
#define LAYER_MOUNT_SUFFIX_LEN (sizeof(LAYER_MOUNT_SUFFIX) -1)
/**
* Get the path to the runtime layers directory.
*
* Returns the heap-allocated path to the layers directory or NULL on error.
*/
char* get_runc_layers_path(const char* run_root) {
char* layers_path = NULL;
if (asprintf(&layers_path, "%s/layers", run_root) == -1) {
layers_path = NULL;
}
return layers_path;
}
/**
* Get the path to a layer directory.
*
* Returns the heap-allocated path to the layer directory or NULL on error.
*/
char* get_runc_layer_path(const char* run_root, const char* layer_name) {
char* layer_path = NULL;
if (asprintf(&layer_path, "%s/layers/%s", run_root, layer_name) == -1) {
layer_path = NULL;
}
return layer_path;
}
/**
* Get the path to a layer's mountpoint.
*
* Returns the heap-allocated path to the layer's mountpoint or NULL on error.
*/
char* get_runc_layer_mount_path(const char* layer_path) {
char* mount_path = NULL;
if (asprintf(&mount_path, "%s" LAYER_MOUNT_SUFFIX, layer_path) == -1) {
mount_path = NULL;
}
return mount_path;
}
/**
* Get the layer path from a layer's mountpoint.
*
* Returns the heap-allocated path to the layer directory or NULL on error.
*/
char* get_runc_layer_path_from_mount_path(const char* mount_path) {
size_t mount_path_len = strlen(mount_path);
if (mount_path_len <= LAYER_MOUNT_SUFFIX_LEN) {
return NULL;
}
size_t layer_path_len = mount_path_len - LAYER_MOUNT_SUFFIX_LEN;
const char* suffix = mount_path + layer_path_len;
if (strcmp(suffix, LAYER_MOUNT_SUFFIX)) {
return NULL;
}
return strndup(mount_path, layer_path_len);
}
/**
* Creates the run root directory and layers directory structure
* underneath if necessary.
* Returns the malloc'd run root path or NULL if there was an error.
*/
static char* setup_runc_run_root_directories() {
char* layers_path = NULL;
char* run_root = get_configuration_value(RUNC_RUN_ROOT_KEY,
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg());
if (run_root == NULL) {
run_root = strdup(DEFAULT_RUNC_ROOT);
if (run_root == NULL) {
goto mem_fail;
}
}
if (mkdir(run_root, S_IRWXU) != 0 && errno != EEXIST) {
fprintf(ERRORFILE, "Error creating runC run root at %s : %s\n", run_root,
strerror(errno));
goto fail;
}
layers_path = get_runc_layers_path(run_root);
if (layers_path == NULL) {
goto mem_fail;
}
if (mkdir(layers_path, S_IRWXU) != 0 && errno != EEXIST) {
fprintf(ERRORFILE, "Error creating layers directory at %s : %s\n",
layers_path, strerror(errno));
goto fail;
}
free(layers_path);
return run_root;
fail:
free(layers_path);
free(run_root);
return NULL;
mem_fail:
fputs("Cannot allocate memory\n", ERRORFILE);
goto fail;
}
/**
* Initialize an uninitialized runC base context.
*/
void init_runc_base_ctx(runc_base_ctx* ctx) {
memset(ctx, 0, sizeof(*ctx));
ctx->layers_lock_fd = -1;
ctx->layers_lock_state = F_UNLCK;
}
/**
* Releases the resources underneath a runC base context but does NOT free the
* structure itself. This is particularly useful for stack-allocated contexts
* or structures that embed the context.
* free_runc_base_ctx should be used for heap-allocated contexts.
*/
void destroy_runc_base_ctx(runc_base_ctx* ctx) {
if (ctx != NULL) {
free(ctx->run_root);
if (ctx->layers_lock_fd != -1) {
close(ctx->layers_lock_fd);
}
}
}
/**
* Allocates and initializes a runC base context.
*
* Returns a pointer to the allocated and initialized context or NULL on error.
*/
runc_base_ctx* alloc_runc_base_ctx() {
runc_base_ctx* ctx = malloc(sizeof(*ctx));
if (ctx != NULL) {
init_runc_base_ctx(ctx);
}
return ctx;
}
/**
* Free a runC base context and all memory assruncated with it.
*/
void free_runc_base_ctx(runc_base_ctx* ctx) {
destroy_runc_base_ctx(ctx);
free(ctx);
}
/**
* Opens the base context for use. This will create the container runtime
* root directory and layer lock files, if necessary.
*
* Returns true on success or false if there was an error.
*/
bool open_runc_base_ctx(runc_base_ctx* ctx) {
ctx->run_root = setup_runc_run_root_directories();
if (ctx->run_root == NULL) {
return false;
}
char* lock_path = get_runc_layer_path(ctx->run_root, "lock");
if (lock_path == NULL) {
fputs("Cannot allocate memory\n", ERRORFILE);
return false;
}
bool result = true;
ctx->layers_lock_fd = open(lock_path, O_RDWR | O_CREAT | O_CLOEXEC, S_IRWXU);
if (ctx->layers_lock_fd == -1) {
fprintf(ERRORFILE, "Cannot open lock file %s : %s\n", lock_path,
strerror(errno));
result = false;
}
free(lock_path);
return result;
}
/**
* Allocates and opens a base context.
*
* Returns a pointer to the context or NULL on error.
*/
runc_base_ctx* setup_runc_base_ctx() {
runc_base_ctx* ctx = alloc_runc_base_ctx();
if (ctx != NULL) {
if (!open_runc_base_ctx(ctx)) {
free_runc_base_ctx(ctx);
ctx = NULL;
}
}
return ctx;
}
static bool do_lock_cmd(int fd, int lock_cmd) {
struct flock fl;
memset(&fl, 0, sizeof(fl));
fl.l_type = lock_cmd;
fl.l_whence = SEEK_SET;
fl.l_start = 0;
fl.l_len = 0;
while (true) {
int rc = fcntl(fd, F_SETLKW, &fl);
if (rc == 0) {
return true;
}
if (errno != EINTR) {
fprintf(ERRORFILE, "Error updating lock: %s\n", strerror(errno));
return false;
}
}
}
/**
* Acquire the layer read lock.
*
* Returns true on success or false on error.
*/
bool acquire_runc_layers_read_lock(runc_base_ctx* ctx) {
if (ctx->layers_lock_state == F_RDLCK) {
return true;
}
if (do_lock_cmd(ctx->layers_lock_fd, F_RDLCK)) {
ctx->layers_lock_state = F_RDLCK;
return true;
}
return false;
}
/**
* Acquire the layer write lock.
*
* Returns true on success or false on error.
*/
bool acquire_runc_layers_write_lock(runc_base_ctx* ctx) {
if (ctx->layers_lock_state == F_WRLCK) {
return true;
}
if (ctx->layers_lock_state == F_RDLCK) {
// Release before trying to acquire write lock, otherwise two processes
// attempting to upgrade from read lock to a write lock can deadlock.
if (!release_runc_layers_lock(ctx)) {
return false;
}
}
if (do_lock_cmd(ctx->layers_lock_fd, F_WRLCK)) {
ctx->layers_lock_state = F_WRLCK;
return true;
}
return false;
}
/**
* Release the layer lock.
*
* Returns true on success or false on error.
*/
bool release_runc_layers_lock(runc_base_ctx* ctx) {
if (ctx->layers_lock_state == F_UNLCK) {
return true;
}
if (do_lock_cmd(ctx->layers_lock_fd, F_UNLCK)) {
ctx->layers_lock_state = F_UNLCK;
return true;
}
return false;
}

View File

@ -0,0 +1,123 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_BASE_CTX_H
#define RUNC_RUNC_BASE_CTX_H
#include <stdbool.h>
// Length of layer basename, equal to the hexstring length of SHA256
#define LAYER_NAME_LENGTH 64
// NOTE: Update init_runc_base_ctx and destroy_runc_base_ctx when this is changed.
typedef struct runc_base_ctx_struct {
char* run_root; // root directory of filesystem database
int layers_lock_fd; // file descriptor for layers lock file
int layers_lock_state; // lock state: F_RDLCK, F_WRLCK, or F_UNLCK
} runc_base_ctx;
/**
* Allocates and initializes a runC base context.
*
* Returns a pointer to the allocated and initialized context or NULL on error.
*/
runc_base_ctx* alloc_runc_base_ctx();
/**
* Free a runC base context and all memory assruncated with it.
*/
void free_runc_base_ctx(runc_base_ctx* ctx);
/**
* Initialize an uninitialized runC base context.
*/
void init_runc_base_ctx(runc_base_ctx* ctx);
/**
* Releases the resources underneath a runC base context but does NOT free the
* structure itself. This is particularly useful for stack-allocated contexts
* or structures that embed the context.
* free_runc_base_ctx should be used for heap-allocated contexts.
*/
void destroy_runc_base_ctx(runc_base_ctx* ctx);
/**
* Opens the base context for use. This will create the container runtime
* root directory and layer lock files, if necessary.
*
* Returns true on success or false if there was an error.
*/
bool open_runc_base_ctx(runc_base_ctx* ctx);
/**
* Allocates and opens a base context.
*
* Returns a pointer to the context or NULL on error.
*/
runc_base_ctx* setup_runc_base_ctx();
/**
* Acquire the layers read lock.
*
* Returns true on success or false on error.
*/
bool acquire_runc_layers_read_lock(runc_base_ctx* ctx);
/**
* Acquire the layers write lock.
*
* Returns true on success or false on error.
*/
bool acquire_runc_layers_write_lock(runc_base_ctx* ctx);
/**
* Release the layers lock.
*
* Returns true on success or false on error.
*/
bool release_runc_layers_lock(runc_base_ctx* ctx);
/**
* Get the path to the runtime layers directory.
*
* Returns the heap-allocated path to the layers directory or NULL on error.
*/
char* get_runc_layers_path(const char* run_root);
/**
* Get the path to a layer directory.
*
* Returns the heap-allocated path to the layer directory or NULL on error.
*/
char* get_runc_layer_path(const char* run_root, const char* layer_name);
/**
* Get the path to a layer's mountpoint.
*
* Returns the heap-allocated path to the layer's mountpoint or NULL on error.
*/
char* get_runc_layer_mount_path(const char* layer_path);
/**
* Get the layer path from a layer's mountpoint.
*
* Returns the heap-allocated path to the layer directory or NULL on error.
*/
char* get_runc_layer_path_from_mount_path(const char* mount_path);
#endif /* RUNC_RUNC_BASE_CTX_H */

View File

@ -0,0 +1,33 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_CONFIG_H
#define RUNC_RUNC_CONFIG_H
// Section for all runC config keys
#define CONTAINER_EXECUTOR_CFG_RUNC_SECTION "runc"
// Configuration for top-level directory of runtime database
// Ideally this should be configured to a tmpfs or other RAM-based filesystem.
#define RUNC_RUN_ROOT_KEY "runc.run-root"
#define DEFAULT_RUNC_ROOT "/run/yarn-container-executor"
// Configuration for the path to the runC executable on the host
#define RUNC_BINARY_KEY "runc.binary"
#define DEFAULT_RUNC_BINARY "/usr/bin/runc"
#endif /* RUNC_RUNC_CONFIG_H */

View File

@ -0,0 +1,765 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "util.h"
#include "utils/cJSON/cJSON.h"
#include "utils/file-utils.h"
#include "utils/string-utils.h"
#include "utils/mount-utils.h"
#include "configuration.h"
#include "container-executor.h"
#include "runc_config.h"
#include "runc_launch_cmd.h"
#define SQUASHFS_MEDIA_TYPE "application/vnd.squashfs"
static void free_rlc_layers(rlc_layer_spec* layers, unsigned int num_layers) {
for (unsigned int i = 0; i < num_layers; ++i) {
free(layers[i].media_type);
free(layers[i].path);
}
free(layers);
}
/**
* Free a NULL-terminated array of pointers
*/
static void free_ntarray(char** parray) {
if (parray != NULL) {
for (char** p = parray; *p != NULL; ++p) {
free(*p);
}
free(parray);
}
}
/**
* Free a runC launch command structure and all memory assruncated with it.
*/
void free_runc_launch_cmd(runc_launch_cmd* rlc) {
if (rlc != NULL) {
free(rlc->run_as_user);
free(rlc->username);
free(rlc->app_id);
free(rlc->container_id);
free(rlc->pid_file);
free(rlc->script_path);
free(rlc->cred_path);
free_ntarray(rlc->local_dirs);
free_ntarray(rlc->log_dirs);
free_rlc_layers(rlc->layers, rlc->num_layers);
cJSON_Delete(rlc->config.hostname);
cJSON_Delete(rlc->config.linux_config);
cJSON_Delete(rlc->config.mounts);
cJSON_Delete(rlc->config.process.args);
cJSON_Delete(rlc->config.process.cwd);
cJSON_Delete(rlc->config.process.env);
free(rlc);
}
}
static cJSON* parse_json_file(const char* filename) {
char* data = read_file_to_string_as_nm_user(filename);
if (data == NULL) {
fprintf(ERRORFILE, "Cannot read command file %s\n", filename);
return NULL;
}
const char* parse_error_location = NULL;
cJSON* json = cJSON_ParseWithOpts(data, &parse_error_location, 1);
if (json == NULL) {
fprintf(ERRORFILE, "Error parsing command file %s at byte offset %ld\n",
filename, parse_error_location - data);
}
free(data);
return json;
}
static char** parse_dir_list(const cJSON* dirs_json) {
if (!cJSON_IsArray(dirs_json)) {
return NULL;
}
int num_dirs = cJSON_GetArraySize(dirs_json);
if (num_dirs <= 0) {
return NULL;
}
char** dirs = calloc(num_dirs + 1, sizeof(*dirs)); // +1 for terminating NULL
int i = 0;
const cJSON* e;
cJSON_ArrayForEach(e, dirs_json) {
if (!cJSON_IsString(e)) {
free_ntarray(dirs);
return NULL;
}
dirs[i++] = strdup(e->valuestring);
}
return dirs;
}
static bool parse_runc_launch_cmd_layer(rlc_layer_spec* layer_out,
const cJSON* layer_json) {
if (!cJSON_IsObject(layer_json)) {
fputs("runC launch command layer is not an object\n", ERRORFILE);
return false;
}
const cJSON* media_type_json = cJSON_GetObjectItemCaseSensitive(layer_json,
"mediaType");
if (!cJSON_IsString(media_type_json)) {
fputs("Bad/Missing media type for runC launch command layer\n", ERRORFILE);
return false;
}
const cJSON* path_json = cJSON_GetObjectItemCaseSensitive(layer_json, "path");
if (!cJSON_IsString(path_json)) {
fputs("Bad/Missing path for runC launch command layer\n", ERRORFILE);
return false;
}
layer_out->media_type = strdup(media_type_json->valuestring);
layer_out->path = strdup(path_json->valuestring);
return true;
}
static rlc_layer_spec* parse_runc_launch_cmd_layers(unsigned int* num_layers_out,
const cJSON* layers_json) {
if (!cJSON_IsArray(layers_json)) {
fputs("Bad/Missing runC launch command layers\n", ERRORFILE);
return NULL;
}
unsigned int num_layers = (unsigned int) cJSON_GetArraySize(layers_json);
if (num_layers <= 0) {
return NULL;
}
rlc_layer_spec* layers = calloc(num_layers, sizeof(*layers));
if (layers == NULL) {
fprintf(ERRORFILE, "Cannot allocate memory for %d layers\n",
num_layers + 1);
return NULL;
}
unsigned int layer_index = 0;
const cJSON* e;
cJSON_ArrayForEach(e, layers_json) {
if (layer_index >= num_layers) {
fputs("Iterating past end of layer array\n", ERRORFILE);
free_rlc_layers(layers, layer_index);
return NULL;
}
if (!parse_runc_launch_cmd_layer(&layers[layer_index], e)) {
free_rlc_layers(layers, layer_index);
return NULL;
}
++layer_index;
}
*num_layers_out = layer_index;
return layers;
}
static int parse_json_int(cJSON* json) {
if (!cJSON_IsNumber(json)) {
fputs("Bad/Missing runC int\n", ERRORFILE);
return -1;
}
return json->valueint;
}
static int parse_runc_launch_cmd_runc_config(runc_config* rc, cJSON* rc_json) {
if (!cJSON_IsObject(rc_json)) {
fputs("Bad/Missing runC runtime config in launch command\n", ERRORFILE);
return -1;
}
rc->hostname = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "hostname");
rc->linux_config = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "linux");
rc->mounts = cJSON_DetachItemFromObjectCaseSensitive(rc_json, "mounts");
cJSON* process_json = cJSON_GetObjectItemCaseSensitive(rc_json, "process");
if (!cJSON_IsObject(process_json)) {
fputs("Bad/Missing process section in runC config\n", ERRORFILE);
return -1;
}
rc->process.args = cJSON_DetachItemFromObjectCaseSensitive(
process_json, "args");
rc->process.cwd = cJSON_DetachItemFromObjectCaseSensitive(
process_json, "cwd");
rc->process.env = cJSON_DetachItemFromObjectCaseSensitive(
process_json, "env");
return 0;
}
static bool is_valid_layer_media_type(char* media_type) {
if (media_type == NULL) {
return false;
}
if (strcmp(SQUASHFS_MEDIA_TYPE, media_type)) {
fprintf(ERRORFILE, "Unrecognized layer media type: %s\n", media_type);
return false;
}
return true;
}
static bool is_valid_runc_launch_cmd_layers(rlc_layer_spec* layers,
unsigned int num_layers) {
if (layers == NULL) {
return false;
}
for (unsigned int i = 0; i < num_layers; ++i) {
if (!is_valid_layer_media_type(layers[i].media_type)) {
return false;
}
if (layers[i].path == NULL) {
return false;
}
}
return true;
}
static bool is_valid_runc_config_linux_resources(const cJSON* rclr) {
if (!cJSON_IsObject(rclr)) {
fputs("runC config linux resources missing or not an object\n", ERRORFILE);
return false;
}
bool all_sections_ok = true;
const cJSON* e;
cJSON_ArrayForEach(e, rclr) {
if (strcmp("blockIO", e->string) == 0) {
// block I/O settings allowed
} else if (strcmp("cpu", e->string) == 0) {
// cpu settings allowed
} else {
fprintf(ERRORFILE,
"Unrecognized runC config linux resources element: %s\n", e->string);
all_sections_ok = false;
}
}
return all_sections_ok;
}
static bool is_valid_runc_config_linux_seccomp(const cJSON* rcls) {
if (!cJSON_IsObject(rcls)) {
fputs("runC config linux seccomp missing or not an object\n", ERRORFILE);
return false;
}
bool all_sections_ok = true;
const cJSON* e;
cJSON_ArrayForEach(e, rcls) {
if (strcmp("defaultAction", e->string) == 0) {
// defaultAction allowed
} else if (strcmp("architectures", e->string) == 0) {
// architecture settings allowed
} else if (strcmp("flags", e->string) == 0) {
// flags allowed
} else if (strcmp("syscalls", e->string) == 0) {
// syscalls allowed
} else {
fprintf(ERRORFILE,
"Unrecognized runC config linux seccomp element: %s\n", e->string);
all_sections_ok = false;
}
}
return all_sections_ok;
}
static bool is_valid_runc_config_linux(const cJSON* rcl) {
if (!cJSON_IsObject(rcl)) {
fputs("runC config linux section missing or not an object\n", ERRORFILE);
return false;
}
bool all_sections_ok = true;
const cJSON* e;
cJSON_ArrayForEach(e, rcl) {
if (strcmp("cgroupsPath", e->string) == 0) {
if (!cJSON_IsString(e)) {
all_sections_ok = false;
}
} else if (strcmp("resources", e->string) == 0) {
all_sections_ok &= is_valid_runc_config_linux_resources(e);
} else if (strcmp("seccomp", e->string) == 0) {
all_sections_ok &= is_valid_runc_config_linux_seccomp(e);
} else {
fprintf(ERRORFILE, "Unrecognized runC config linux element: %s\n",
e->string);
all_sections_ok = false;
}
}
return all_sections_ok;
}
static bool is_valid_mount_type(const char *type) {
if (strcmp("bind", type)) {
fprintf(ERRORFILE, "Invalid runC mount type '%s'\n", type);
return false;
}
return true;
}
static mount_options* get_mount_options(const cJSON* mo) {
if (!cJSON_IsArray(mo)) {
fputs("runC config mount options not an array\n", ERRORFILE);
return NULL;
}
unsigned int num_options = cJSON_GetArraySize(mo);
mount_options *options = (mount_options *) calloc(1, sizeof(*options));
char **options_array = (char **) calloc(num_options + 1, sizeof(char*));
options->num_opts = num_options;
options->opts = options_array;
bool has_rbind = false;
bool has_rprivate = false;
int i = 0;
const cJSON* e;
cJSON_ArrayForEach(e, mo) {
if (!cJSON_IsString(e)) {
fputs("runC config mount option is not a string\n", ERRORFILE);
free_mount_options(options);
return NULL;
}
if (strcmp("rbind", e->valuestring) == 0) {
has_rbind = true;
} else if (strcmp("rprivate", e->valuestring) == 0) {
has_rprivate = true;
} else if (strcmp("rw", e->valuestring) == 0) {
options->rw = 1;
} else if (strcmp("ro", e->valuestring) == 0) {
options->rw = 0;
}
options->opts[i] = strdup(e->valuestring);
i++;
}
options->opts[i] = NULL;
if (!has_rbind) {
fputs("runC config mount options missing rbind\n", ERRORFILE);
free_mount_options(options);
return NULL;
}
if (!has_rprivate) {
fputs("runC config mount options missing rprivate\n", ERRORFILE);
free_mount_options(options);
return NULL;
}
return options;
}
static int get_runc_mounts(mount* mounts, const cJSON* rcm) {
if (!cJSON_IsArray(rcm)) {
fputs("runC config mount entry is not an object\n", ERRORFILE);
return INVALID_MOUNT;
}
bool has_type = false;
const cJSON *e;
const cJSON *mount;
int i = 0;
int ret = 0;
cJSON_ArrayForEach(mount, rcm) {
cJSON_ArrayForEach(e, mount) {
if (strcmp("type", e->string) == 0) {
if (!cJSON_IsString(e) || !is_valid_mount_type(e->valuestring)) {
ret = INVALID_MOUNT;
goto free_and_exit;
}
has_type = true;
} else if (strcmp("source", e->string) == 0) {
if (!cJSON_IsString(e)) {
ret = INVALID_MOUNT;
goto free_and_exit;
}
mounts[i].src = strdup(e->valuestring);
} else if (strcmp("destination", e->string) == 0) {
if (!cJSON_IsString(e)) {
ret = INVALID_MOUNT;
goto free_and_exit;
}
mounts[i].dest = strdup(e->valuestring);
} else if (strcmp("options", e->string) == 0) {
if (!cJSON_IsArray(e)) {
ret = INVALID_MOUNT;
goto free_and_exit;
}
mounts[i].options = get_mount_options(e);
} else {
fprintf(ERRORFILE, "Unrecognized runC config mount parameter: %s\n",
e->string);
ret = INVALID_MOUNT;
goto free_and_exit;
}
}
if (!has_type) {
fputs("runC config mount missing mount type\n", ERRORFILE);
ret = INVALID_MOUNT;
goto free_and_exit;
}
if (mounts[i].src == NULL) {
fputs("runC config mount missing source\n", ERRORFILE);
ret = INVALID_MOUNT;
goto free_and_exit;
}
if (mounts[i].dest == NULL) {
fputs("runC config mount missing destination\n", ERRORFILE);
ret = INVALID_MOUNT;
goto free_and_exit;
}
if (mounts[i].options == NULL) {
fputs("runC config mount missing mount options\n", ERRORFILE);
ret = INVALID_MOUNT;
goto free_and_exit;
}
i++;
}
free_and_exit:
return ret;
}
static bool is_valid_runc_config_mounts(const cJSON* rcm) {
mount *mounts = NULL;
unsigned int num_mounts = 0;
int ret = 0;
bool all_mounts_ok = true;
char **permitted_ro_mounts = NULL;
char **permitted_rw_mounts = NULL;
if (rcm == NULL) {
return true; // OK to have no extra mounts
}
if (!cJSON_IsArray(rcm)) {
fputs("runC config mounts is not an array\n", ERRORFILE);
return false;
}
permitted_ro_mounts = get_configuration_values_delimiter("runc.allowed.ro-mounts",
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg(), ",");
permitted_rw_mounts = get_configuration_values_delimiter("runc.allowed.rw-mounts",
CONTAINER_EXECUTOR_CFG_RUNC_SECTION, get_cfg(), ",");
num_mounts = cJSON_GetArraySize(rcm);
mounts = (mount *) calloc(num_mounts, sizeof(*mounts));
if (mounts == NULL) {
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", num_mounts * sizeof(*mounts));
all_mounts_ok = false;
goto free_and_exit;
}
ret = get_runc_mounts(mounts, rcm);
if (ret != 0) {
all_mounts_ok = false;
goto free_and_exit;
}
ret = validate_mounts(permitted_ro_mounts, permitted_rw_mounts, mounts, num_mounts);
if (ret != 0) {
all_mounts_ok = false;
goto free_and_exit;
}
free_and_exit:
free_values(permitted_ro_mounts);
free_values(permitted_rw_mounts);
free_mounts(mounts, num_mounts);
return all_mounts_ok;
}
static bool is_valid_runc_config_process(const runc_config_process* rcp) {
if (rcp == NULL) {
return false;
}
if (!cJSON_IsArray(rcp->args)) {
fputs("runC config process args is missing or not an array\n", ERRORFILE);
return false;
}
const cJSON* e;
cJSON_ArrayForEach(e, rcp->args) {
if (!cJSON_IsString(e)) {
fputs("runC config process args has a non-string in array\n", ERRORFILE);
return false;
}
}
if (!cJSON_IsString(rcp->cwd)) {
fputs("Bad/Missing runC config process cwd\n", ERRORFILE);
return false;
}
if (!cJSON_IsArray(rcp->env)) {
fputs("runC config process env is missing or not an array\n", ERRORFILE);
return false;
}
cJSON_ArrayForEach(e, rcp->env) {
if (!cJSON_IsString(e)) {
fputs("runC config process env has a non-string in array\n", ERRORFILE);
return false;
}
}
return true;
}
static bool is_valid_runc_config(const runc_config* rc) {
bool is_valid = true;
if (rc->hostname != NULL && !cJSON_IsString(rc->hostname)) {
fputs("runC config hostname is not a string\n", ERRORFILE);
is_valid = false;
}
is_valid &= is_valid_runc_config_linux(rc->linux_config);
is_valid &= is_valid_runc_config_mounts(rc->mounts);
is_valid &= is_valid_runc_config_process(&rc->process);
return is_valid;
}
bool is_valid_runc_launch_cmd(const runc_launch_cmd* rlc) {
if (rlc == NULL) {
return false;
}
if (rlc->run_as_user == NULL) {
fputs("runC command has bad/missing runAsUser\n", ERRORFILE);
return false;
}
if (rlc->username == NULL) {
fputs("runC command has bad/missing username\n", ERRORFILE);
return false;
}
if (rlc->app_id == NULL) {
fputs("runC command has bad/missing application ID\n", ERRORFILE);
return false;
}
if (rlc->container_id == NULL) {
fputs("runC command has bad/missing container ID\n", ERRORFILE);
return false;
}
if (!validate_container_id(rlc->container_id)) {
fprintf(ERRORFILE, "Bad container id in runC command: %s\n",
rlc->container_id);
return false;
}
if (rlc->pid_file == NULL) {
fputs("runC command has bad/missing pid file\n", ERRORFILE);
return false;
}
if (check_pidfile_as_nm(rlc->pid_file) != 0) {
fprintf(ERRORFILE, "Bad pidfile %s : %s\n", rlc->pid_file,
strerror(errno));
return false;
}
if (rlc->script_path == NULL) {
fputs("runC command has bad/missing container script path\n", ERRORFILE);
return false;
}
if (rlc->cred_path == NULL) {
fputs("runC command has bad/missing container credentials path\n",
ERRORFILE);
return false;
}
if (rlc->local_dirs == NULL) {
fputs("runC command has bad/missing local directories\n", ERRORFILE);
return false;
}
if (rlc->log_dirs == NULL) {
fputs("runC command has bad/missing log directories\n", ERRORFILE);
return false;
}
if (!is_valid_runc_launch_cmd_layers(rlc->layers, rlc->num_layers)) {
return false;
}
if (rlc->num_reap_layers_keep < 0) {
fprintf(ERRORFILE, "Bad number of layers to preserve: %d\n",
rlc->num_reap_layers_keep);
return false;
}
return is_valid_runc_config(&rlc->config);
}
/**
* Read, parse, and validate a runC container launch command.
*
* Returns a pointer to the launch command or NULL on error.
*/
runc_launch_cmd* parse_runc_launch_cmd(const char* command_filename) {
int ret = 0;
runc_launch_cmd* rlc = NULL;
cJSON* rlc_json = NULL;
rlc_json = parse_json_file(command_filename);
if (rlc_json == NULL) {
goto cleanup;
}
rlc = calloc(1, sizeof(*rlc));
if (rlc == NULL) {
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", sizeof(*rlc));
goto cleanup;
}
char* run_as_user = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "runAsUser"));
if (run_as_user== NULL) {
goto fail_and_exit;
}
rlc->run_as_user= strdup(run_as_user);
char* username = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "username"));
if (username == NULL) {
goto fail_and_exit;
}
rlc->username = strdup(username);
char* app_id = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "applicationId"));
if (app_id == NULL) {
goto fail_and_exit;
}
rlc->app_id = strdup(app_id);
char* container_id = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "containerId"));
if (container_id == NULL) {
goto fail_and_exit;
}
rlc->container_id = strdup(container_id);
char* pid_file = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "pidFile"));
if (pid_file == NULL) {
goto fail_and_exit;
}
rlc->pid_file = strdup(pid_file);
char* script_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "containerScriptPath"));
if (script_path == NULL) {
goto fail_and_exit;
}
rlc->script_path = strdup(script_path);
char* cred_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "containerCredentialsPath"));
if (cred_path == NULL) {
goto fail_and_exit;
}
rlc->cred_path = strdup(cred_path);
rlc->https = parse_json_int(cJSON_GetObjectItemCaseSensitive(rlc_json, "https"));
char* keystore_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "keystorePath"));
if (keystore_path != NULL) {
rlc->keystore_path = strdup(keystore_path);
}
char* truststore_path = cJSON_GetStringValue(cJSON_GetObjectItemCaseSensitive(
rlc_json, "truststorePath"));
if (truststore_path != NULL) {
rlc->truststore_path = strdup(truststore_path);
}
char **local_dirs = parse_dir_list(cJSON_GetObjectItemCaseSensitive(
rlc_json, "localDirs"));
if (local_dirs == NULL) {
goto fail_and_exit;
}
rlc->local_dirs = local_dirs;
char **log_dirs = parse_dir_list(cJSON_GetObjectItemCaseSensitive(
rlc_json, "logDirs"));
if (log_dirs == NULL) {
goto fail_and_exit;
}
rlc->log_dirs = log_dirs;
rlc_layer_spec* layers = parse_runc_launch_cmd_layers(&rlc->num_layers,
cJSON_GetObjectItemCaseSensitive(rlc_json,"layers"));
if (layers == NULL) {
goto fail_and_exit;
}
rlc->layers = layers;
rlc->num_reap_layers_keep = parse_json_int(
cJSON_GetObjectItemCaseSensitive(rlc_json, "reapLayerKeepCount"));
ret = parse_runc_launch_cmd_runc_config(&rlc->config,
cJSON_GetObjectItemCaseSensitive(rlc_json, "ociRuntimeConfig"));
if (ret < 0) {
goto fail_and_exit;
}
cleanup:
cJSON_Delete(rlc_json);
return rlc;
fail_and_exit:
cJSON_Delete(rlc_json);
free_runc_launch_cmd(rlc);
return NULL;
}

View File

@ -0,0 +1,85 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_LAUNCH_CMD_H
#define RUNC_RUNC_LAUNCH_CMD_H
#include "utils/cJSON/cJSON.h"
// NOTE: Update free_runc_launch_cmd when this is changed.
typedef struct runc_launch_cmd_layer_spec {
char* media_type; // MIME type for layer data
char* path; // local filesystem location of layer data
} rlc_layer_spec;
// NOTE: Update free_runc_launch_cmd when this is changed.
typedef struct runc_config_process_struct {
cJSON* args; // execve-style command and arguments
cJSON* cwd; // working dir for container
cJSON* env; // execve-style environment
} runc_config_process;
// NOTE: Update free_runc_launch_cmd when this is changed.
typedef struct runc_config_struct {
cJSON* hostname; // hostname for the container
cJSON* linux_config; // Linux section of the runC config
cJSON* mounts; // bind-mounts for the container
runc_config_process process; // process config for the container
} runc_config;
// NOTE: Update free_runc_launch_cmd when this is changed.
typedef struct runc_launch_cmd_struct {
char* run_as_user; // user name of the runAs user
char* username; // user name of the container user
char* app_id; // YARN application ID
char* container_id; // YARN container ID
char* pid_file; // pid file path to create
char* script_path; // path to container launch script
char* cred_path; // path to container credentials file
int https; // whether or not https is enabled
char* keystore_path; // path to keystore file
char* truststore_path; // path to truststore file
char** local_dirs; // NULL-terminated array of local dirs
char** log_dirs; // NULL-terminated array of log dirs
rlc_layer_spec* layers; // array of layers
unsigned int num_layers; // number of entries in the layers array
int num_reap_layers_keep; // number of total layer mounts to preserve
runc_config config; // runC config for the container
} runc_launch_cmd;
/**
* Free a runC launch command structure and all memory assruncated with it.
*/
void free_runc_launch_cmd(runc_launch_cmd* rlc);
/**
*
* Valildate runC container launch command.
* Returns true on valid and false on invalid.
*/
bool is_valid_runc_launch_cmd(const runc_launch_cmd* rlc);
/**
* Read, parse, and validate a runC container launch command.
*
* Returns a pointer to the launch command or NULL on error.
*/
runc_launch_cmd* parse_runc_launch_cmd(const char* command_filename);
#endif /* RUNC_RUNC_LAUNCH_CMD_H */

View File

@ -0,0 +1,622 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <mntent.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "container-executor.h"
#include "runc_base_ctx.h"
#include "runc_reap.h"
#include "util.h"
#define DEV_LOOP_PREFIX "/dev/loop"
#define DEV_LOOP_PREFIX_LEN (sizeof(DEV_LOOP_PREFIX) - 1)
#define DELETED_SUFFIX " (deleted)\n"
#define DELETED_SUFFIX_LEN (sizeof(DELETED_SUFFIX) - 1)
// The size of the buffer to use when reading the mount table. This should be
// large enough so ideally the mount table is read all at once.
// Otherwise the mount table could change in-between underlying read() calls
// and result in a table with missing or corrupted entries.
#define MOUNT_TABLE_BUFFER_SIZE (1024*1024)
// NOTE: Update destroy_dent_stat when this is updated.
typedef struct dent_stat_struct {
char* basename; // basename of directory entry
struct timespec mtime; // modification time
} dent_stat;
// NOTE: Update init_dent_stats and destroy_dent_stats when this is changed.
typedef struct dent_stats_array_struct {
dent_stat* stats; // array of dent_stat structures
size_t capacity; // capacity of the stats array
size_t length; // number of valid entries in the stats array
} dent_stats_array;
/**
* Releases the resources assruncated with a dent_stat structure but
* does NOT free the structure itself. This is particularly useful for
* stack-allocated structures or other structures that embed this structure.
*/
static void destroy_dent_stat(dent_stat* ds) {
if (ds != NULL) {
free(ds->basename);
ds->basename = NULL;
}
}
/**
* Initialize an uninitialized dent_stats_array with the specified
* number of entries as its initial capacity.
*
* Returns true on success or false on error.
*/
static bool init_dent_stats(dent_stats_array* dsa, size_t initial_size) {
memset(dsa, 0, sizeof(*dsa));
dsa->stats = malloc(sizeof(*dsa->stats) * initial_size);
if (dsa->stats == NULL) {
return false;
}
dsa->capacity = initial_size;
dsa->length = 0;
return true;
}
/**
* Allocates and initializes a dent_stats_array with the specified
* number of entries as its initial capacity.
*
* Returns a pointer to the dent_stats_array or NULL on error.
*/
static dent_stats_array* alloc_dent_stats(size_t initial_size) {
dent_stats_array* dsa = malloc(sizeof(*dsa));
if (dsa != NULL) {
if (!init_dent_stats(dsa, initial_size)) {
free(dsa);
dsa = NULL;
}
}
return dsa;
}
/**
* Grows the capacity of a dent_stats_array to the new specified number of
* elements.
*
* Returns true on success or false on error.
*/
static bool realloc_dent_stats(dent_stats_array* dsa, size_t new_size) {
if (new_size < dsa->length) {
// New capacity would result in a truncation.
return false;
}
dent_stat* new_stats = realloc(dsa->stats, new_size * sizeof(*dsa->stats));
if (new_stats == NULL) {
return false;
}
dsa->stats = new_stats;
dsa->capacity = new_size;
return true;
}
/**
* Append a new dent_stat entry to a dent_stats_array, reallocating the
* array if necessary with the specified increase in capacity.
*
* Returns true on success or false on error.
*/
static bool append_dent_stat(dent_stats_array* dsa, size_t stats_size_incr,
const char* basename, const struct timespec* mtime) {
if (dsa->length == dsa->capacity) {
if (!realloc_dent_stats(dsa, dsa->capacity + stats_size_incr)) {
return false;
}
}
char* ds_name = strdup(basename);
if (ds_name == NULL) {
return false;
}
dent_stat* ds = &dsa->stats[dsa->length++];
ds->basename = ds_name;
ds->mtime = *mtime;
return true;
}
/**
* Releases the resources assruncated with a dent_stats_array structure but
* does NOT free the structure itself. This is particularly useful for
* stack-allocated contexts or other structures that embed this structure.
*/
static void destroy_dent_stats(dent_stats_array* dsa) {
if (dsa != NULL ) {
for (size_t i = 0; i < dsa->length; ++i) {
destroy_dent_stat(&dsa->stats[i]);
}
free(dsa->stats);
dsa->capacity = 0;
dsa->length = 0;
}
}
/**
* Frees a dent_stats_array structure and all memory assruncted with it.
*/
static void free_dent_stats(dent_stats_array* dsa) {
destroy_dent_stats(dsa);
free(dsa);
}
/**
* Get the array of dent_stats for the layers directory.
* Only directory entries that look like layers will be returned.
*
* Returns the array of dent_stats or NULL on error.
*/
static dent_stats_array* get_dent_stats(int layers_fd) {
DIR* layers_dir = NULL;
// number of stat buffers to allocate each time we run out
const size_t stats_size_incr = 8192;
dent_stats_array* dsa = alloc_dent_stats(stats_size_incr);
if (dsa == NULL) {
return NULL;
}
int dir_fd = dup(layers_fd);
if (dir_fd == -1) {
fprintf(ERRORFILE, "Unable to duplicate layer dir fd: %s\n",
strerror(errno));
goto fail;
}
layers_dir = fdopendir(dir_fd);
if (layers_dir == NULL) {
fprintf(ERRORFILE, "Cannot open layers directory: %s\n", strerror(errno));
goto fail;
}
struct dirent* de;
while ((de = readdir(layers_dir)) != NULL) {
// skip entries that don't look like layers
if (strlen(de->d_name) != LAYER_NAME_LENGTH) {
continue;
}
struct stat statbuf;
if (fstatat(layers_fd, de->d_name, &statbuf, AT_SYMLINK_NOFOLLOW) == -1) {
if (errno == ENOENT) {
continue;
}
fprintf(ERRORFILE, "Error getting stats for layer %s : %s\n", de->d_name,
strerror(errno));
goto fail;
}
if (!append_dent_stat(dsa, stats_size_incr, de->d_name,
&statbuf.st_mtim)) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto fail;
}
}
cleanup:
if (layers_dir != NULL) {
closedir(layers_dir);
}
return dsa;
fail:
free_dent_stats(dsa);
dsa = NULL;
goto cleanup;
}
/**
* Umount a layer and remove the directories assruncated with the layer mount.
*
* Returns true on success or false on error.
*/
static bool unmount_layer(const char* layer_dir_path) {
char* mount_path = get_runc_layer_mount_path(layer_dir_path);
if (mount_path == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
return false;
}
bool result = false;
if (umount(mount_path) == -1) {
if (errno == EBUSY) {
// Layer is in use by another container.
goto cleanup;
} else if (errno != ENOENT && errno != EINVAL) {
fprintf(ERRORFILE, "Error unmounting %s : %s\n", mount_path,
strerror(errno));
goto cleanup;
}
} else {
// unmount was successful so report success even if directory removals
// fail after this.
result = true;
}
if (rmdir(mount_path) == -1 && errno != ENOENT) {
fprintf(ERRORFILE, "Error removing %s : %s\n", mount_path,
strerror(errno));
goto cleanup;
}
if (rmdir(layer_dir_path) == -1 && errno != ENOENT) {
fprintf(ERRORFILE, "Error removing %s : %s\n", layer_dir_path,
strerror(errno));
goto cleanup;
}
result = true;
cleanup:
free(mount_path);
return result;
}
/**
* Order directory entries by increasing modification time.
*/
static int compare_dent_stats_mtime(const void* va, const void* vb) {
const dent_stat* a = (const dent_stat*)va;
const dent_stat* b = (const dent_stat*)vb;
if (a->mtime.tv_sec < b->mtime.tv_sec) {
return -1;
} else if (a->mtime.tv_sec > b->mtime.tv_sec) {
return 1;
}
return a->mtime.tv_nsec - b->mtime.tv_nsec;
}
static bool do_reap_layer_mounts_with_lock(runc_base_ctx* ctx,
int layers_fd, int num_preserve) {
dent_stats_array* dsa = get_dent_stats(layers_fd);
if (dsa == NULL) {
return false;
}
qsort(&dsa->stats[0], dsa->length, sizeof(*dsa->stats),
compare_dent_stats_mtime);
bool result = false;
size_t num_remain = dsa->length;
if (num_remain <= num_preserve) {
result = true;
goto cleanup;
}
if (!acquire_runc_layers_write_lock(ctx)) {
fputs("Unable to acquire layer write lock\n", ERRORFILE);
goto cleanup;
}
for (size_t i = 0; i < dsa->length && num_remain > num_preserve; ++i) {
char* layer_dir_path = get_runc_layer_path(ctx->run_root,
dsa->stats[i].basename);
if (layer_dir_path == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto cleanup;
}
if (unmount_layer(layer_dir_path)) {
--num_remain;
printf("Unmounted layer %s\n", dsa->stats[i].basename);
}
free(layer_dir_path);
}
result = true;
cleanup:
free_dent_stats(dsa);
return result;
}
/**
* Determine if the specified loopback device is assruncated with a file that
* has been deleted.
*
* Returns true if the loopback file is deleted or false otherwise or on error.
*/
bool is_loop_file_deleted(const char* loopdev) {
bool result = false;
FILE* f = NULL;
char* path = NULL;
char* linebuf = NULL;
// locate the numeric part of the loop device
const char* loop_num_str = loopdev + DEV_LOOP_PREFIX_LEN;
if (asprintf(&path, "/sys/devices/virtual/block/loop%s/loop/backing_file",
loop_num_str) == -1) {
return false;
}
f = fopen(path, "r");
if (f == NULL) {
goto cleanup;
}
size_t linebuf_len = 0;
ssize_t len = getline(&linebuf, &linebuf_len, f);
if (len <= DELETED_SUFFIX_LEN) {
goto cleanup;
}
result = !strcmp(DELETED_SUFFIX, linebuf + len - DELETED_SUFFIX_LEN);
cleanup:
if (f != NULL) {
fclose(f);
}
free(linebuf);
free(path);
return result;
}
static bool copy_mntent(struct mntent* dest, const struct mntent* src) {
memset(dest, 0, sizeof(*dest));
if (src->mnt_fsname != NULL) {
dest->mnt_fsname = strdup(src->mnt_fsname);
if (dest->mnt_fsname == NULL) {
return false;
}
}
if (src->mnt_dir != NULL) {
dest->mnt_dir = strdup(src->mnt_dir);
if (dest->mnt_dir == NULL) {
return false;
}
}
if (src->mnt_type != NULL) {
dest->mnt_type = strdup(src->mnt_type);
if (dest->mnt_type == NULL) {
return false;
}
}
if (src->mnt_opts != NULL) {
dest->mnt_opts = strdup(src->mnt_opts);
if (dest->mnt_opts == NULL) {
return false;
}
}
dest->mnt_freq = src->mnt_freq;
dest->mnt_passno = src->mnt_passno;
return true;
}
static void free_mntent_array(struct mntent* entries, size_t num_entries) {
if (entries != NULL) {
for (size_t i = 0; i < num_entries; ++i) {
struct mntent* me = entries + i;
free(me->mnt_fsname);
free(me->mnt_dir);
free(me->mnt_type);
free(me->mnt_opts);
}
free(entries);
}
}
/**
* Get the array of mount table entries that are layer mounts.
*
* Returns the heap-allocated array of mount entries or NULL on error.
* The num_entries argument is updated to the number of elements in the array.
*/
static struct mntent* get_layer_mounts(size_t* num_entries_out,
const char* layers_path) {
const size_t layers_path_len = strlen(layers_path);
char* read_buffer = NULL;
FILE* f = NULL;
const size_t num_entries_per_alloc = 8192;
size_t num_entries = 0;
size_t entries_capacity = num_entries_per_alloc;
struct mntent* entries = malloc(sizeof(*entries) * entries_capacity);
if (entries == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto fail;
}
read_buffer = malloc(MOUNT_TABLE_BUFFER_SIZE);
if (read_buffer == NULL) {
fprintf(ERRORFILE, "Unable to allocate read buffer of %d bytes\n",
MOUNT_TABLE_BUFFER_SIZE);
goto fail;
}
f = fopen("/proc/mounts", "r");
if (f == NULL) {
fprintf(ERRORFILE, "Unable to open /proc/mounts : %s\n", strerror(errno));
goto fail;
}
if (setvbuf(f, read_buffer, _IOFBF, MOUNT_TABLE_BUFFER_SIZE) != 0) {
fprintf(ERRORFILE, "Unable to set mount table buffer to %d\n",
MOUNT_TABLE_BUFFER_SIZE);
goto fail;
}
struct mntent* me;
while ((me = getmntent(f)) != NULL) {
// Skip mounts that are not loopback mounts
if (strncmp(me->mnt_fsname, DEV_LOOP_PREFIX, DEV_LOOP_PREFIX_LEN)) {
continue;
}
// skip destinations that are not under the layers mount area
if (strncmp(layers_path, me->mnt_dir, layers_path_len)) {
continue;
}
if (num_entries == entries_capacity) {
entries_capacity += num_entries_per_alloc;
entries = realloc(entries, sizeof(*entries) * entries_capacity);
if (entries == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
goto fail;
}
}
if (!copy_mntent(entries + num_entries, me)) {
goto fail;
}
++num_entries;
}
cleanup:
if (f != NULL) {
fclose(f);
}
free(read_buffer);
*num_entries_out = num_entries;
return entries;
fail:
free_mntent_array(entries, num_entries);
entries = NULL;
num_entries = 0;
goto cleanup;
}
/**
* Search for layer mounts that correspond with deleted files and unmount them.
*/
static bool reap_deleted_mounts_with_lock(runc_base_ctx* ctx) {
const char* layers_path = get_runc_layers_path(ctx->run_root);
if (layers_path == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
return false;
}
bool result = false;
size_t num_mnt_entries = 0;
struct mntent* mnt_entries = get_layer_mounts(&num_mnt_entries, layers_path);
if (mnt_entries == NULL) {
fputs("Error parsing mount table\n", ERRORFILE);
goto cleanup;
}
bool have_write_lock = false;
for (size_t i = 0; i < num_mnt_entries; ++i) {
const struct mntent* me = mnt_entries + i;
if (is_loop_file_deleted(me->mnt_fsname)) {
if (!have_write_lock) {
if (!acquire_runc_layers_write_lock(ctx)) {
goto cleanup;
}
have_write_lock = true;
}
char* layer_dir = get_runc_layer_path_from_mount_path(me->mnt_dir);
if (layer_dir != NULL) {
if (unmount_layer(layer_dir)) {
printf("Unmounted layer %s (deleted)\n", basename(layer_dir));
}
free(layer_dir);
}
}
}
result = true;
cleanup:
free_mntent_array(mnt_entries, num_mnt_entries);
return result;
}
/**
* Equivalent to reap_runc_layer_mounts but avoids the need to re-create the
* runC base context.
*/
int reap_runc_layer_mounts_with_ctx(runc_base_ctx* ctx, int num_preserve) {
int rc = ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED;
int layers_fd = -1;
char* layers_path = get_runc_layers_path(ctx->run_root);
if (layers_path == NULL) {
fputs("Unable to allocate memory\n", ERRORFILE);
rc = OUT_OF_MEMORY;
goto cleanup;
}
layers_fd = open(layers_path, O_RDONLY | O_NOFOLLOW);
if (layers_fd == -1) {
fprintf(ERRORFILE, "Unable to open layers directory at %s : %s\n",
layers_path, strerror(errno));
goto cleanup;
}
if (!acquire_runc_layers_read_lock(ctx)) {
fputs("Unable to obtain layer lock\n", ERRORFILE);
goto cleanup;
}
bool reap_deleted_ok = reap_deleted_mounts_with_lock(ctx);
bool reap_layers_ok = do_reap_layer_mounts_with_lock(ctx, layers_fd,
num_preserve);
if (reap_deleted_ok && reap_layers_ok) {
rc = 0;
}
release_runc_layers_lock(ctx);
cleanup:
if (layers_fd != -1) {
close(layers_fd);
}
free(layers_path);
return rc;
}
/**
* Attempt to trim the number of layer mounts to the specified target number to
* preserve. Layers are unmounted in a least-recently-used fashion. Layers that
* are still in use by containers are preserved, so the number of layers mounts
* after trimming may exceed the target number.
*
* Returns 0 on success or a non-zero error code on failure.
*/
int reap_runc_layer_mounts(int num_preserve) {
int rc = ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED;
runc_base_ctx* ctx = setup_runc_base_ctx();
if (ctx == NULL) {
return rc;
}
rc = reap_runc_layer_mounts_with_ctx(ctx, num_preserve);
free_runc_base_ctx(ctx);
return rc;
}

View File

@ -0,0 +1,39 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_REAP_H
#define RUNC_RUNC_REAP_H
#include "runc_base_ctx.h"
/**
* Attempt to trim the number of layer mounts to the specified target number to
* preserve. Layers are unmounted in a least-recently-used fashion. Layers that
* are still in use by containers are preserved, so the number of layers mounts
* after trimming may exceed the target number.
*
* Returns 0 on success or a non-zero error code on failure.
*/
int reap_runc_layer_mounts(int num_preserve);
/**
* Equivalent to reap_runc_layer_mounts but avoids the need to re-create the
* runC base context.
*/
int reap_runc_layer_mounts_with_ctx(runc_base_ctx* ctx, int num_preserve);
#endif /* RUNC_RUNC_REAP_H */

View File

@ -0,0 +1,497 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <sys/utsname.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "hadoop_user_info.h"
#include "container-executor.h"
#include "utils/cJSON/cJSON.h"
#include "utils/file-utils.h"
#include "util.h"
#include "runc_launch_cmd.h"
#include "runc_write_config.h"
#define RUNC_CONFIG_FILENAME "config.json"
#define STARTING_JSON_BUFFER_SIZE (128*1024)
static cJSON* build_runc_config_root(const char* rootfs_path) {
cJSON* root = cJSON_CreateObject();
if (cJSON_AddStringToObject(root, "path", rootfs_path) == NULL) {
goto fail;
}
if (cJSON_AddTrueToObject(root, "readonly") == NULL) {
goto fail;
}
return root;
fail:
cJSON_Delete(root);
return NULL;
}
static cJSON* build_runc_config_process_user(const char* username) {
cJSON* user_json = cJSON_CreateObject();
struct hadoop_user_info* hui = hadoop_user_info_alloc();
if (hui == NULL) {
return NULL;
}
int rc = hadoop_user_info_fetch(hui, username);
if (rc != 0) {
fprintf(ERRORFILE, "Error looking up user %s : %s\n", username,
strerror(rc));
goto fail;
}
if (cJSON_AddNumberToObject(user_json, "uid", hui->pwd.pw_uid) == NULL) {
goto fail;
}
if (cJSON_AddNumberToObject(user_json, "gid", hui->pwd.pw_gid) == NULL) {
goto fail;
}
rc = hadoop_user_info_getgroups(hui);
if (rc != 0) {
fprintf(ERRORFILE, "Error getting groups for user %s : %s\n", username,
strerror(rc));
goto fail;
}
if (hui->num_gids > 1) {
cJSON* garray = cJSON_AddArrayToObject(user_json, "additionalGids");
if (garray == NULL) {
goto fail;
}
// first gid entry is the primary group which is accounted for above
for (int i = 1; i < hui->num_gids; ++i) {
cJSON* g = cJSON_CreateNumber(hui->gids[i]);
if (g == NULL) {
goto fail;
}
cJSON_AddItemToArray(garray, g);
}
}
return user_json;
fail:
hadoop_user_info_free(hui);
cJSON_Delete(user_json);
return NULL;
}
static cJSON* build_runc_config_process(const runc_launch_cmd* rlc) {
cJSON* process = cJSON_CreateObject();
if (process == NULL) {
return NULL;
}
cJSON_AddItemReferenceToObject(process, "args", rlc->config.process.args);
cJSON_AddItemReferenceToObject(process, "cwd", rlc->config.process.cwd);
cJSON_AddItemReferenceToObject(process, "env", rlc->config.process.env);
if (cJSON_AddTrueToObject(process, "noNewPrivileges") == NULL) {
goto fail;
}
cJSON* user_json = build_runc_config_process_user(rlc->run_as_user);
if (user_json == NULL) {
goto fail;
}
cJSON_AddItemToObjectCS(process, "user", user_json);
return process;
fail:
cJSON_Delete(process);
return NULL;
}
static bool add_mount_opts(cJSON* mount_json, va_list opts) {
const char* opt = va_arg(opts, const char*);
if (opt == NULL) {
return true;
}
cJSON* opts_array = cJSON_AddArrayToObject(mount_json, "options");
if (opts_array == NULL) {
return false;
}
do {
cJSON* opt_json = cJSON_CreateString(opt);
if (opt_json == NULL) {
return false;
}
cJSON_AddItemToArray(opts_array, opt_json);
opt = va_arg(opts, const char*);
} while (opt != NULL);
return true;
}
static bool add_mount_json(cJSON* mounts_array, const char* src,
const char* dest, const char* fstype, ...) {
bool result = false;
cJSON* m = cJSON_CreateObject();
if (cJSON_AddStringToObject(m, "source", src) == NULL) {
goto cleanup;
}
if (cJSON_AddStringToObject(m, "destination", dest) == NULL) {
goto cleanup;
}
if (cJSON_AddStringToObject(m, "type", fstype) == NULL) {
goto cleanup;
}
va_list vargs;
va_start(vargs, fstype);
result = add_mount_opts(m, vargs);
va_end(vargs);
if (result) {
cJSON_AddItemToArray(mounts_array, m);
}
cleanup:
if (!result) {
cJSON_Delete(m);
}
return result;
}
static bool add_std_mounts_json(cJSON* mounts_array) {
bool result = true;
result &= add_mount_json(mounts_array, "proc", "/proc", "proc", NULL);
result &= add_mount_json(mounts_array, "tmpfs", "/dev", "tmpfs",
"nosuid", "strictatime", "mode=755", "size=65536k", NULL);
result &= add_mount_json(mounts_array, "devpts", "/dev/pts", "devpts",
"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5",
NULL);
result &= add_mount_json(mounts_array, "shm", "/dev/shm", "tmpfs",
"nosuid", "noexec", "nodev", "mode=1777", "size=8g", NULL);
result &= add_mount_json(mounts_array, "mqueue", "/dev/mqueue", "mqueue",
"nosuid", "noexec", "nodev", NULL);
result &= add_mount_json(mounts_array, "sysfs", "/sys", "sysfs",
"nosuid", "noexec", "nodev", "ro", NULL);
result &= add_mount_json(mounts_array, "cgroup", "/sys/fs/cgroup", "cgroup",
"nosuid", "noexec", "nodev", "relatime", "ro", NULL);
return result;
}
static cJSON* build_runc_config_mounts(const runc_launch_cmd* rlc) {
cJSON* mjson = cJSON_CreateArray();
if (!add_std_mounts_json(mjson)) {
goto fail;
}
cJSON* e;
cJSON_ArrayForEach(e, rlc->config.mounts) {
cJSON_AddItemReferenceToArray(mjson, e);
}
return mjson;
fail:
cJSON_Delete(mjson);
return NULL;
}
static cJSON* get_default_linux_devices_json() {
cJSON* devs = cJSON_CreateArray();
if (devs == NULL) {
return NULL;
}
cJSON* o = cJSON_CreateObject();
if (o == NULL) {
goto fail;
}
cJSON_AddItemToArray(devs, o);
if (cJSON_AddStringToObject(o, "access", "rwm") == NULL) {
goto fail;
}
if (cJSON_AddFalseToObject(o, "allow") == NULL) {
goto fail;
}
return devs;
fail:
cJSON_Delete(devs);
return NULL;
}
static bool add_linux_cgroups_json(cJSON* ljson, const runc_launch_cmd* rlc) {
cJSON* cj = cJSON_GetObjectItemCaseSensitive(rlc->config.linux_config,
"cgroupsPath");
if (cj != NULL) {
cJSON_AddItemReferenceToObject(ljson, "cgroupsPath", cj);
}
return true;
}
static bool add_linux_resources_json(cJSON* ljson, const runc_launch_cmd* rlc) {
cJSON* robj = cJSON_AddObjectToObject(ljson, "resources");
if (robj == NULL) {
return false;
}
cJSON* devs = get_default_linux_devices_json();
if (devs == NULL) {
return false;
}
cJSON_AddItemToObjectCS(robj, "devices", devs);
const cJSON* rlc_rsrc = cJSON_GetObjectItemCaseSensitive(
rlc->config.linux_config, "resources");
cJSON* e;
cJSON_ArrayForEach(e, rlc_rsrc) {
if (strcmp("devices", e->string) == 0) {
cJSON* dev_e;
cJSON_ArrayForEach(dev_e, e) {
cJSON_AddItemReferenceToArray(devs, dev_e);
}
} else {
cJSON_AddItemReferenceToObject(robj, e->string, e);
}
}
return true;
}
static bool add_linux_namespace_json(cJSON* ljson, const char* ns_type) {
cJSON* ns = cJSON_CreateObject();
if (ns == NULL) {
return false;
}
cJSON_AddItemToArray(ljson, ns);
return (cJSON_AddStringToObject(ns, "type", ns_type) != NULL);
}
static bool add_linux_namespaces_json(cJSON* ljson) {
cJSON* ns_array = cJSON_AddArrayToObject(ljson, "namespaces");
if (ns_array == NULL) {
return false;
}
bool result = add_linux_namespace_json(ns_array, "pid");
result &= add_linux_namespace_json(ns_array, "ipc");
result &= add_linux_namespace_json(ns_array, "uts");
result &= add_linux_namespace_json(ns_array, "mount");
return result;
}
static const char* runc_masked_paths[] = {
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware"
};
static bool add_linux_masked_paths_json(cJSON* ljson) {
size_t num_paths = sizeof(runc_masked_paths) / sizeof(runc_masked_paths[0]);
cJSON* paths = cJSON_CreateStringArray(runc_masked_paths, num_paths);
if (paths == NULL) {
return false;
}
cJSON_AddItemToObject(ljson, "maskedPaths", paths);
return true;
}
static const char* runc_readonly_paths[] = {
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
};
static bool add_linux_readonly_paths_json(cJSON* ljson) {
size_t num_paths = sizeof(runc_readonly_paths) / sizeof(runc_readonly_paths[0]);
cJSON* paths = cJSON_CreateStringArray(runc_readonly_paths, num_paths);
if (paths == NULL) {
return false;
}
cJSON_AddItemToObject(ljson, "readonlyPaths", paths);
return true;
}
static bool add_linux_seccomp_json(cJSON* ljson, const runc_launch_cmd* rlc) {
cJSON* sj = cJSON_GetObjectItemCaseSensitive(rlc->config.linux_config,
"seccomp");
if (sj != NULL) {
cJSON_AddItemReferenceToObject(ljson, "seccomp", sj);
}
return true;
}
static cJSON* build_runc_config_linux(const runc_launch_cmd* rlc) {
cJSON* ljson = cJSON_CreateObject();
if (ljson == NULL) {
return NULL;
}
if (!add_linux_cgroups_json(ljson, rlc)) {
goto fail;
}
if (!add_linux_resources_json(ljson, rlc)) {
goto fail;
}
if (!add_linux_namespaces_json(ljson)) {
goto fail;
}
if (!add_linux_masked_paths_json(ljson)) {
goto fail;
}
if (!add_linux_readonly_paths_json(ljson)) {
goto fail;
}
if (!add_linux_seccomp_json(ljson, rlc)) {
goto fail;
}
return ljson;
fail:
cJSON_Delete(ljson);
return NULL;
}
static char* build_runc_config(const runc_launch_cmd* rlc,
const char* rootfs_path) {
char* json_data = NULL;
cJSON* rcj = build_runc_config_json(rlc, rootfs_path);
json_data = cJSON_PrintBuffered(rcj, STARTING_JSON_BUFFER_SIZE, false);
return json_data;
}
cJSON* build_runc_config_json(const runc_launch_cmd* rlc,
const char* rootfs_path) {
cJSON* rcj = cJSON_CreateObject();
if (rcj == NULL) {
goto fail;
}
if (cJSON_AddStringToObject(rcj, "runcVersion", "1.0.0") == NULL) {
goto fail;
}
struct utsname uts;
uname(&uts);
if (cJSON_AddStringToObject(rcj, "hostname", uts.nodename) == NULL) {
goto fail;
}
cJSON* item = build_runc_config_root(rootfs_path);
if (item == NULL) {
goto fail;
}
cJSON_AddItemToObjectCS(rcj, "root", item);
item = build_runc_config_process(rlc);
if (item == NULL) {
goto fail;
}
cJSON_AddItemToObjectCS(rcj, "process", item);
item = build_runc_config_mounts(rlc);
if (item == NULL) {
goto fail;
}
cJSON_AddItemToObjectCS(rcj, "mounts", item);
item = build_runc_config_linux(rlc);
if (item == NULL) {
goto fail;
}
cJSON_AddItemToObjectCS(rcj, "linux", item);
return rcj;
fail:
cJSON_Delete(rcj);
return NULL;
}
static char* get_runc_config_path(const char* pid_file) {
char* dir_end = strrchr(pid_file, '/');
if (dir_end == NULL) {
fprintf(ERRORFILE, "Error pid file %s has no parent directory\n", pid_file);
return NULL;
}
int dir_len = (dir_end + 1) - pid_file; // include trailing slash
char* config_path = malloc(dir_len + strlen(RUNC_CONFIG_FILENAME) + 1);
if (config_path == NULL) {
return NULL;
}
char* cp = stpncpy(config_path, pid_file, dir_len);
stpcpy(cp, RUNC_CONFIG_FILENAME);
return config_path;
}
/**
* Creates the runC runtime configuration file for a container.
*
* Returns the path to the written configuration file or NULL on error.
*/
char* write_runc_runc_config(const runc_launch_cmd* rlc,
const char* rootfs_path) {
char* config_data = build_runc_config(rlc, rootfs_path);
if (config_data == NULL) {
return NULL;
}
char* runc_config_path = get_runc_config_path(rlc->pid_file);
if (runc_config_path == NULL) {
fputs("Unable to generate runc config path\n", ERRORFILE);
free(config_data);
return NULL;
}
bool write_ok = write_file_as_nm(runc_config_path, config_data,
strlen(config_data));
free(config_data);
if (!write_ok) {
free(runc_config_path);
return NULL;
}
return runc_config_path;
}

View File

@ -0,0 +1,36 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef RUNC_RUNC_WRITE_CONFIG_H
#define RUNC_RUNC_WRITE_CONFIG_H
/**
* * Creates a runC runtime configuration JSON
* *
* * Returns the config JSON or NULL on error
* */
cJSON* build_runc_config_json(const runc_launch_cmd* rlc,
const char* rootfs_path);
/**
* Creates the runC runtime configuration file for a container.
*
* Returns the path to the written configuration file or NULL on error.
*/
char* write_runc_runc_config(const runc_launch_cmd* rlc, const char* rootfs_path);
#endif /* RUNC_RUNC_WRITE_CONFIG_H */

View File

@ -323,6 +323,12 @@ const char *get_error_message(const int error_code) {
return "Invalid docker runtime"; return "Invalid docker runtime";
case DOCKER_SERVICE_MODE_DISABLED: case DOCKER_SERVICE_MODE_DISABLED:
return "Docker service mode disabled"; return "Docker service mode disabled";
case ERROR_RUNC_SETUP_FAILED:
return "runC setup failed";
case ERROR_RUNC_RUN_FAILED:
return "runC run failed";
case ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED:
return "runC reap layer mounts failed";
default: default:
return "Unknown error code"; return "Unknown error code";
} }

View File

@ -100,7 +100,10 @@ enum errorcodes {
INVALID_DOCKER_IMAGE_TRUST = 72, INVALID_DOCKER_IMAGE_TRUST = 72,
INVALID_DOCKER_TMPFS_MOUNT = 73, INVALID_DOCKER_TMPFS_MOUNT = 73,
INVALID_DOCKER_RUNTIME = 74, INVALID_DOCKER_RUNTIME = 74,
DOCKER_SERVICE_MODE_DISABLED = 75 DOCKER_SERVICE_MODE_DISABLED = 75,
ERROR_RUNC_SETUP_FAILED = 76,
ERROR_RUNC_RUN_FAILED = 77,
ERROR_RUNC_REAP_LAYER_MOUNTS_FAILED = 78
}; };
/* Macros for min/max. */ /* Macros for min/max. */

View File

@ -0,0 +1,285 @@
/*
Copyright (c) 2009-2017 Dave Gamble and cJSON contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
#ifndef cJSON__h
#define cJSON__h
#ifdef __cplusplus
extern "C"
{
#endif
#if !defined(__WINDOWS__) && (defined(WIN32) || defined(WIN64) || defined(_MSC_VER) || defined(_WIN32))
#define __WINDOWS__
#endif
#ifdef __WINDOWS__
/* When compiling for windows, we specify a specific calling convention to avoid issues where we are being called from a project with a different default calling convention. For windows you have 3 define options:
CJSON_HIDE_SYMBOLS - Define this in the case where you don't want to ever dllexport symbols
CJSON_EXPORT_SYMBOLS - Define this on library build when you want to dllexport symbols (default)
CJSON_IMPORT_SYMBOLS - Define this if you want to dllimport symbol
For *nix builds that support visibility attribute, you can define similar behavior by
setting default visibility to hidden by adding
-fvisibility=hidden (for gcc)
or
-xldscope=hidden (for sun cc)
to CFLAGS
then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJSON_EXPORT_SYMBOLS does
*/
#define CJSON_CDECL __cdecl
#define CJSON_STDCALL __stdcall
/* export symbols by default, this is necessary for copy pasting the C and header file */
#if !defined(CJSON_HIDE_SYMBOLS) && !defined(CJSON_IMPORT_SYMBOLS) && !defined(CJSON_EXPORT_SYMBOLS)
#define CJSON_EXPORT_SYMBOLS
#endif
#if defined(CJSON_HIDE_SYMBOLS)
#define CJSON_PUBLIC(type) type CJSON_STDCALL
#elif defined(CJSON_EXPORT_SYMBOLS)
#define CJSON_PUBLIC(type) __declspec(dllexport) type CJSON_STDCALL
#elif defined(CJSON_IMPORT_SYMBOLS)
#define CJSON_PUBLIC(type) __declspec(dllimport) type CJSON_STDCALL
#endif
#else /* !__WINDOWS__ */
#define CJSON_CDECL
#define CJSON_STDCALL
#if (defined(__GNUC__) || defined(__SUNPRO_CC) || defined (__SUNPRO_C)) && defined(CJSON_API_VISIBILITY)
#define CJSON_PUBLIC(type) __attribute__((visibility("default"))) type
#else
#define CJSON_PUBLIC(type) type
#endif
#endif
/* project version */
#define CJSON_VERSION_MAJOR 1
#define CJSON_VERSION_MINOR 7
#define CJSON_VERSION_PATCH 8
#include <stddef.h>
/* cJSON Types: */
#define cJSON_Invalid (0)
#define cJSON_False (1 << 0)
#define cJSON_True (1 << 1)
#define cJSON_NULL (1 << 2)
#define cJSON_Number (1 << 3)
#define cJSON_String (1 << 4)
#define cJSON_Array (1 << 5)
#define cJSON_Object (1 << 6)
#define cJSON_Raw (1 << 7) /* raw json */
#define cJSON_IsReference 256
#define cJSON_StringIsConst 512
/* The cJSON structure: */
typedef struct cJSON
{
/* next/prev allow you to walk array/object chains. Alternatively, use GetArraySize/GetArrayItem/GetObjectItem */
struct cJSON *next;
struct cJSON *prev;
/* An array or object item will have a child pointer pointing to a chain of the items in the array/object. */
struct cJSON *child;
/* The type of the item, as above. */
int type;
/* The item's string, if type==cJSON_String and type == cJSON_Raw */
char *valuestring;
/* writing to valueint is DEPRECATED, use cJSON_SetNumberValue instead */
int valueint;
/* The item's number, if type==cJSON_Number */
double valuedouble;
/* The item's name string, if this item is the child of, or is in the list of subitems of an object. */
char *string;
} cJSON;
typedef struct cJSON_Hooks
{
/* malloc/free are CDECL on Windows regardless of the default calling convention of the compiler, so ensure the hooks allow passing those functions directly. */
void *(CJSON_CDECL *malloc_fn)(size_t sz);
void (CJSON_CDECL *free_fn)(void *ptr);
} cJSON_Hooks;
typedef int cJSON_bool;
/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them.
* This is to prevent stack overflows. */
#ifndef CJSON_NESTING_LIMIT
#define CJSON_NESTING_LIMIT 1000
#endif
/* returns the version of cJSON as a string */
CJSON_PUBLIC(const char*) cJSON_Version(void);
/* Supply malloc, realloc and free functions to cJSON */
CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks);
/* Memory Management: the caller is always responsible to free the results from all variants of cJSON_Parse (with cJSON_Delete) and cJSON_Print (with stdlib free, cJSON_Hooks.free_fn, or cJSON_free as appropriate). The exception is cJSON_PrintPreallocated, where the caller has full responsibility of the buffer. */
/* Supply a block of JSON, and this returns a cJSON object you can interrogate. */
CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value);
/* ParseWithOpts allows you to require (and check) that the JSON is null terminated, and to retrieve the pointer to the final byte parsed. */
/* If you supply a ptr in return_parse_end and parsing fails, then return_parse_end will contain a pointer to the error so will match cJSON_GetErrorPtr(). */
CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated);
/* Render a cJSON entity to text for transfer/storage. */
CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item);
/* Render a cJSON entity to text for transfer/storage without any formatting. */
CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item);
/* Render a cJSON entity to text using a buffered strategy. prebuffer is a guess at the final size. guessing well reduces reallocation. fmt=0 gives unformatted, =1 gives formatted */
CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt);
/* Render a cJSON entity to text using a buffer already allocated in memory with given length. Returns 1 on success and 0 on failure. */
/* NOTE: cJSON is not always 100% accurate in estimating how much memory it will use, so to be safe allocate 5 bytes more than you actually need */
CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format);
/* Delete a cJSON entity and all subentities. */
CJSON_PUBLIC(void) cJSON_Delete(cJSON *c);
/* Returns the number of items in an array (or object). */
CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array);
/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. */
CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index);
/* Get item "string" from object. Case insensitive. */
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string);
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string);
CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string);
/* For analysing failed parses. This returns a pointer to the parse error. You'll probably need to look a few chars back to make sense of it. Defined when cJSON_Parse() returns 0. 0 when cJSON_Parse() succeeds. */
CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void);
/* Check if the item is a string and return its valuestring */
CJSON_PUBLIC(char *) cJSON_GetStringValue(cJSON *item);
/* These functions check the type of an item */
CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item);
CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item);
/* These calls create a cJSON item of the appropriate type. */
CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void);
CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void);
CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void);
CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean);
CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num);
CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string);
/* raw json */
CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw);
CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void);
CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void);
/* Create a string where valuestring references a string so
* it will not be freed by cJSON_Delete */
CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string);
/* Create an object/arrray that only references it's elements so
* they will not be freed by cJSON_Delete */
CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child);
CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child);
/* These utilities create an Array of count items. */
CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count);
CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count);
CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count);
CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char **strings, int count);
/* Append item to the specified array/object. */
CJSON_PUBLIC(void) cJSON_AddItemToArray(cJSON *array, cJSON *item);
CJSON_PUBLIC(void) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item);
/* Use this when string is definitely const (i.e. a literal, or as good as), and will definitely survive the cJSON object.
* WARNING: When this function was used, make sure to always check that (item->type & cJSON_StringIsConst) is zero before
* writing to `item->string` */
CJSON_PUBLIC(void) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item);
/* Append reference to item to the specified array/object. Use this when you want to add an existing cJSON to a new cJSON, but don't want to corrupt your existing cJSON. */
CJSON_PUBLIC(void) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item);
CJSON_PUBLIC(void) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item);
/* Remove/Detatch items from Arrays/Objects. */
CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item);
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which);
CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which);
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string);
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string);
CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string);
CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string);
/* Update array items. */
CJSON_PUBLIC(void) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem); /* Shifts pre-existing items to the right. */
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement);
CJSON_PUBLIC(void) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem);
CJSON_PUBLIC(void) cJSON_ReplaceItemInObject(cJSON *object,const char *string,cJSON *newitem);
CJSON_PUBLIC(void) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object,const char *string,cJSON *newitem);
/* Duplicate a cJSON item */
CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse);
/* Duplicate will create a new, identical cJSON item to the one you pass, in new memory that will
need to be released. With recurse!=0, it will duplicate any children connected to the item.
The item->next and ->prev pointers are always zero on return from Duplicate. */
/* Recursively compare two cJSON items for equality. If either a or b is NULL or invalid, they will be considered unequal.
* case_sensitive determines if object keys are treated case sensitive (1) or case insensitive (0) */
CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive);
CJSON_PUBLIC(void) cJSON_Minify(char *json);
/* Helper functions for creating and adding items to an object at the same time.
* They return the added item or NULL on failure. */
CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name);
CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name);
CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name);
CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean);
CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number);
CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string);
CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw);
CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name);
CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name);
/* When assigning an integer value, it needs to be propagated to valuedouble too. */
#define cJSON_SetIntValue(object, number) ((object) ? (object)->valueint = (object)->valuedouble = (number) : (number))
/* helper for the cJSON_SetNumberValue macro */
CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number);
#define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number))
/* Macro for iterating over an array or object */
#define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next)
/* malloc/free objects using the malloc/free functions that have been set with cJSON_InitHooks */
CJSON_PUBLIC(void *) cJSON_malloc(size_t size);
CJSON_PUBLIC(void) cJSON_free(void *object);
#ifdef __cplusplus
}
#endif
#endif

View File

@ -0,0 +1,173 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define FILE_BUFFER_INCREMENT (128*1024)
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "container-executor.h"
#include "file-utils.h"
#include "util.h"
/**
* Read the contents of the specified file into an allocated buffer and return
* the contents as a NUL-terminated string. NOTE: The file contents must not
* contain a NUL character or the result will appear to be truncated.
*
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
*/
char* read_file_to_string(const char* filename) {
char* buff = NULL;
int rc = -1;
int fd = open(filename, O_RDONLY);
if (fd < 0) {
fprintf(ERRORFILE, "Error opening %s : %s\n", filename, strerror(errno));
goto cleanup;
}
struct stat filestat;
if (fstat(fd, &filestat) != 0) {
fprintf(ERRORFILE, "Error examining %s : %s\n", filename, strerror(errno));
goto cleanup;
}
size_t buff_size = FILE_BUFFER_INCREMENT;
if (S_ISREG(filestat.st_mode)) {
buff_size = filestat.st_size + 1; // +1 for terminating NUL
}
buff = malloc(buff_size);
if (buff == NULL) {
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", buff_size);
goto cleanup;
}
int bytes_left = buff_size;
char* cp = buff;
int bytes_read;
while ((bytes_read = read(fd, cp, bytes_left)) > 0) {
cp += bytes_read;
bytes_left -= bytes_read;
if (bytes_left == 0) {
buff_size += FILE_BUFFER_INCREMENT;
bytes_left += FILE_BUFFER_INCREMENT;
buff = realloc(buff, buff_size);
if (buff == NULL) {
fprintf(ERRORFILE, "Unable to allocate %ld bytes\n", buff_size);
goto cleanup;
}
}
}
if (bytes_left < 0) {
fprintf(ERRORFILE, "Error reading %s : %s\n", filename, strerror(errno));
goto cleanup;
}
*cp = '\0';
rc = 0;
cleanup:
if (fd != -1) {
close(fd);
}
if (rc != 0) {
free(buff);
buff = NULL;
}
return buff;
}
/**
* Read a file to a string as the YARN nodemanager user and returns the
* result as a string. See read_file_to_string for more details.
*
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
*/
char* read_file_to_string_as_nm_user(const char* filename) {
uid_t user = geteuid();
gid_t group = getegid();
if (change_effective_user_to_nm() != 0) {
fputs("Cannot change to nm user\n", ERRORFILE);
return NULL;
}
char* buff = read_file_to_string(filename);
if (change_effective_user(user, group) != 0) {
fputs("Cannot revert to previous user\n", ERRORFILE);
free(buff);
return NULL;
}
return buff;
}
/**
* Write a sequence of bytes to a new file as the YARN nodemanager user.
*
* Returns true on success or false on error.
*/
bool write_file_as_nm(const char* path, const void* data, size_t count) {
bool result = false;
int fd = -1;
uid_t orig_user = geteuid();
gid_t orig_group = getegid();
if (change_effective_user_to_nm() != 0) {
fputs("Error changing to NM user and group\n", ERRORFILE);
return false;
}
fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
if (fd == -1) {
fprintf(ERRORFILE, "Error creating %s : %s\n", path, strerror(errno));
goto cleanup;
}
const uint8_t* bp = (const uint8_t*)data;
while (count > 0) {
ssize_t bytes_written = write(fd, bp, count);
if (bytes_written == -1) {
fprintf(ERRORFILE, "Error writing to %s : %s\n", path, strerror(errno));
goto cleanup;
}
bp += bytes_written;
count -= bytes_written;
}
result = true;
cleanup:
if (fd != -1) {
if (close(fd) == -1) {
fprintf(ERRORFILE, "Error writing to %s : %s\n", path, strerror(errno));
result = false;
}
}
if (change_effective_user(orig_user, orig_group) != 0) {
fputs("Cannot restore original user/group\n", ERRORFILE);
result = false;
}
return result;
}

View File

@ -0,0 +1,47 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef UTILS_FILE_UTILS_H
#define UTILS_FILE_UTILS_H
#include <stdbool.h>
/**
* Read the contents of the specified file into an allocated buffer and return
* the contents as a NUL-terminated string. NOTE: The file contents must not
* contain a NUL character or the result will appear to be truncated.
*
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
*/
char* read_file_to_string(const char* filename);
/**
* Read a file to a string as the YARN nodemanager user and returns the
* result as a string. See read_file_to_string for more details.
*
* Returns a pointer to the allocated, NUL-terminated string or NULL on error.
*/
char* read_file_to_string_as_nm_user(const char* filename);
/**
* Write a sequence of bytes to a new file as the YARN nodemanager user.
*
* Returns true on success or false on error.
*/
bool write_file_as_nm(const char* path, const void* data, size_t count);
#endif /* UTILS_FILE_UTILS_H */

View File

@ -22,11 +22,14 @@
#include <dirent.h> #include <dirent.h>
#include <limits.h> #include <limits.h>
#include <errno.h> #include <errno.h>
#include <stdarg.h>
#include <strings.h> #include <strings.h>
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdarg.h> #include <stdarg.h>
#include "string-utils.h"
/* /*
* if all chars in the input str are numbers * if all chars in the input str are numbers
* return true/false * return true/false
@ -189,3 +192,172 @@ int str_ends_with(const char *s, const char *suffix) {
size_t suffix_len = strlen(suffix); size_t suffix_len = strlen(suffix);
return suffix_len <= slen && !strcmp(s + slen - suffix_len, suffix); return suffix_len <= slen && !strcmp(s + slen - suffix_len, suffix);
} }
/* Returns the corresponding hexadecimal character for a nibble. */
static char nibble_to_hex(unsigned char nib) {
return nib < 10 ? '0' + nib : 'a' + nib - 10;
}
/**
* Converts a sequence of bytes into a hexadecimal string.
*
* Returns a pointer to the allocated string on success or NULL on error.
*/
char* to_hexstring(unsigned char* bytes, unsigned int len) {
char* hexstr = malloc(len * 2 + 1);
if (hexstr == NULL) {
return NULL;
}
unsigned char* src = bytes;
char* dest = hexstr;
for (unsigned int i = 0; i < len; ++i) {
unsigned char val = *src++;
*dest++ = nibble_to_hex((val >> 4) & 0xF);
*dest++ = nibble_to_hex(val & 0xF);
}
*dest = '\0';
return hexstr;
}
/**
* Initialize an uninitialized strbuf with the specified initial capacity.
*
* Returns true on success or false if memory could not be allocated.
*/
bool strbuf_init(strbuf* sb, size_t initial_capacity) {
memset(sb, 0, sizeof(*sb));
char* new_buffer = malloc(initial_capacity);
if (new_buffer == NULL) {
return false;
}
sb->buffer = new_buffer;
sb->capacity = initial_capacity;
sb->length = 0;
return true;
}
/**
* Allocate and initialize a strbuf with the specified initial capacity.
*
* Returns a pointer to the allocated and initialized strbuf or NULL on error.
*/
strbuf* strbuf_alloc(size_t initial_capacity) {
strbuf* sb = malloc(sizeof(*sb));
if (sb != NULL) {
if (!strbuf_init(sb, initial_capacity)) {
free(sb);
sb = NULL;
}
}
return sb;
}
/**
* Detach the underlying character buffer from a string buffer.
*
* Returns the heap-allocated, NULL-terminated character buffer.
* NOTE: The caller is responsible for freeing the result.
*/
char* strbuf_detach_buffer(strbuf* sb) {
char* result = NULL;
if (sb != NULL) {
result = sb->buffer;
sb->buffer = NULL;
sb->length = 0;
sb->capacity = 0;
}
return result;
}
/**
* Release memory associated with a strbuf but not the strbuf structure itself.
* Useful for stack-allocated strbuf objects or structures that embed a strbuf.
* Use strbuf_free for heap-allocated string buffers.
*/
void strbuf_destroy(strbuf* sb) {
if (sb != NULL) {
free(sb->buffer);
sb->buffer = NULL;
sb->capacity = 0;
sb->length = 0;
}
}
/**
* Free a strbuf and all memory associated with it.
*/
void strbuf_free(strbuf* sb) {
if (sb != NULL) {
strbuf_destroy(sb);
free(sb);
}
}
/**
* Resize a strbuf to the specified new capacity.
*
* Returns true on success or false if there was an error.
*/
bool strbuf_realloc(strbuf* sb, size_t new_capacity) {
if (new_capacity < sb->length + 1) {
// New capacity would result in a truncation of the existing string.
return false;
}
char* new_buffer = realloc(sb->buffer, new_capacity);
if (!new_buffer) {
return false;
}
sb->buffer = new_buffer;
sb->capacity = new_capacity;
return true;
}
/**
* Append a formatted string to the current contents of a strbuf.
*
* Returns true on success or false if there was an error.
*/
bool strbuf_append_fmt(strbuf* sb, size_t realloc_extra,
const char* fmt, ...) {
if (sb->length > sb->capacity) {
return false;
}
if (sb->length == sb->capacity) {
size_t incr = (realloc_extra == 0) ? 1024 : realloc_extra;
if (!strbuf_realloc(sb, sb->capacity + incr)) {
return false;
}
}
size_t remain = sb->capacity - sb->length;
va_list vargs;
va_start(vargs, fmt);
int needed = vsnprintf(sb->buffer + sb->length, remain, fmt, vargs);
va_end(vargs);
if (needed == -1) {
return false;
}
needed += 1; // vsnprintf result does NOT include terminating NUL
if (needed > remain) {
// result was truncated so need to realloc and reprint
size_t new_size = sb->length + needed + realloc_extra;
if (!strbuf_realloc(sb, new_size)) {
return false;
}
remain = sb->capacity - sb->length;
va_start(vargs, fmt);
needed = vsnprintf(sb->buffer + sb->length, remain, fmt, vargs);
va_end(vargs);
if (needed == -1) {
return false;
}
needed += 1; // vsnprintf result does NOT include terminating NUL
}
sb->length += needed - 1; // length does not include terminating NUL
return true;
}

View File

@ -23,6 +23,16 @@
#ifndef _UTILS_STRING_UTILS_H_ #ifndef _UTILS_STRING_UTILS_H_
#define _UTILS_STRING_UTILS_H_ #define _UTILS_STRING_UTILS_H_
#include <stdbool.h>
#include <stddef.h>
typedef struct strbuf_struct {
char* buffer; // points to beginning of the string
size_t length; // strlen of buffer (sans trailing NUL)
size_t capacity; // capacity of the buffer
} strbuf;
/* /*
* Get numbers split by comma from a input string * Get numbers split by comma from a input string
* return false/true * return false/true
@ -44,4 +54,61 @@ char *make_string(const char *fmt, ...);
* return 1 if succeeded * return 1 if succeeded
*/ */
int str_ends_with(const char *s, const char *suffix); int str_ends_with(const char *s, const char *suffix);
/**
* Converts a sequence of bytes into a hexadecimal string.
*
* Returns a pointer to the allocated string on success or NULL on error.
*/
char* to_hexstring(unsigned char* bytes, unsigned int len);
/**
* Allocate and initialize a strbuf with the specified initial capacity.
*
* Returns a pointer to the allocated and initialized strbuf or NULL on error.
*/
strbuf* strbuf_alloc(size_t initial_capacity);
/**
* Initialize an uninitialized strbuf with the specified initial capacity.
*
* Returns true on success or false if memory could not be allocated.
*/
bool strbuf_init(strbuf* sb, size_t initial_capacity);
/**
* Resize a strbuf to the specified new capacity.
*
* Returns true on success or false if there was an error.
*/
bool strbuf_realloc(strbuf* sb, size_t new_capacity);
/**
* Detach the underlying character buffer from a string buffer.
*
* Returns the heap-allocated, NULL-terminated character buffer.
* NOTE: The caller is responsible for freeing the result.
*/
char* strbuf_detach_buffer(strbuf* sb);
/**
* Releases the memory underneath a string buffer but does NOT free the
* strbuf structure itself. This is particularly useful for stack-allocated
* strbuf objects or structures that embed a strbuf structure.
* strbuf_free should be used for heap-allocated string buffers.
*/
void strbuf_destroy(strbuf* sb);
/**
* Free a strbuf and all memory associated with it.
*/
void strbuf_free(strbuf* sb);
/**
* Append a formatted string to the current contents of a strbuf.
*
* Returns true on success or false if there was an error.
*/
bool strbuf_append_fmt(strbuf* sb, size_t realloc_extra, const char* fmt, ...);
#endif #endif

View File

@ -17,16 +17,86 @@
*/ */
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <main/native/container-executor/impl/util.h>
#include <cstdio> #include <cstdio>
#include <pwd.h>
extern "C" { extern "C" {
#include "util.h" #include "util.h"
#include "container-executor.h"
}
#define TMPDIR "/tmp"
#define TEST_ROOT TMPDIR "/test-container-executor"
int write_config_file(const char *file_name, int banned) {
FILE *file;
file = fopen(file_name, "w");
if (file == NULL) {
printf("Failed to open %s.\n", file_name);
return EXIT_FAILURE;
}
if (banned != 0) {
fprintf(file, "banned.users=bannedUser\n");
fprintf(file, "min.user.id=500\n");
} else {
fprintf(file, "min.user.id=0\n");
}
fprintf(file, "allowed.system.users=allowedUser,daemon\n");
fprintf(file, "feature.yarn.sysfs.enabled=1\n");
fclose(file);
return 0;
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
ERRORFILE = stderr; ERRORFILE = stderr;
LOGFILE = stdout; LOGFILE = stdout;
printf("\nMaking test dir\n");
if (mkdirs(TEST_ROOT, 0755) != 0) {
exit(1);
}
if (chmod(TEST_ROOT, 0755) != 0) { // in case of umask
exit(1);
}
// We need a valid config before the test really starts for the check_user
// and set_user calls
printf("\nCreating test.cfg\n");
if (write_config_file(TEST_ROOT "/test.cfg", 1) != 0) {
exit(1);
}
printf("\nLoading test.cfg\n");
read_executor_config(TEST_ROOT "/test.cfg");
printf("\nDetermining user details\n");
char* username = strdup(getpwuid(getuid())->pw_name);
struct passwd *username_info = check_user(username);
printf("\nSetting NM UID\n");
set_nm_uid(username_info->pw_uid, username_info->pw_gid);
// Make sure that username owns all the files now
printf("\nEnsuring ownership of test dir\n");
if (chown(TEST_ROOT, username_info->pw_uid, username_info->pw_gid) != 0) {
exit(1);
}
if (chown(TEST_ROOT "/test.cfg",
username_info->pw_uid, username_info->pw_gid) != 0) {
exit(1);
}
printf("\nSetting effective user\n");
if (set_user(username)) {
exit(1);
}
testing::InitGoogleTest(&argc, argv); testing::InitGoogleTest(&argc, argv);
return RUN_ALL_TESTS(); int rc = RUN_ALL_TESTS();
printf("Attempting to clean up from any previous runs\n");
// clean up any junk from previous run
if (system("chmod -R u=rwx " TEST_ROOT "; rm -fr " TEST_ROOT)) {
exit(1);
return rc;
}
} }

View File

@ -29,6 +29,7 @@
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <sstream> #include <sstream>
#include <openssl/evp.h>
extern "C" { extern "C" {
#include "utils/string-utils.h" #include "utils/string-utils.h"
@ -36,97 +37,230 @@
namespace ContainerExecutor { namespace ContainerExecutor {
class TestStringUtils : public ::testing::Test { class TestStringUtils : public ::testing::Test {
protected: protected:
virtual void SetUp() { virtual void SetUp() {
} }
virtual void TearDown() { virtual void TearDown() {
} }
}; };
TEST_F(TestStringUtils, test_get_numbers_split_by_comma) { TEST_F(TestStringUtils, test_get_numbers_split_by_comma) {
const char* input = ",1,2,3,-1,,1,,0,"; const char* input = ",1,2,3,-1,,1,,0,";
int* numbers; int* numbers;
size_t n_numbers; size_t n_numbers;
int rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); int rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_EQ(0, rc) << "Should succeeded\n"; ASSERT_EQ(0, rc) << "Should succeeded\n";
ASSERT_EQ(6, n_numbers); ASSERT_EQ(6, n_numbers);
ASSERT_EQ(1, numbers[0]); ASSERT_EQ(1, numbers[0]);
ASSERT_EQ(-1, numbers[3]); ASSERT_EQ(-1, numbers[3]);
ASSERT_EQ(0, numbers[5]); ASSERT_EQ(0, numbers[5]);
free(numbers); free(numbers);
input = "3"; input = "3";
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_EQ(0, rc) << "Should succeeded\n"; ASSERT_EQ(0, rc) << "Should succeeded\n";
ASSERT_EQ(1, n_numbers); ASSERT_EQ(1, n_numbers);
ASSERT_EQ(3, numbers[0]); ASSERT_EQ(3, numbers[0]);
free(numbers); free(numbers);
input = ""; input = "";
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_EQ(0, rc) << "Should succeeded\n"; ASSERT_EQ(0, rc) << "Should succeeded\n";
ASSERT_EQ(0, n_numbers); ASSERT_EQ(0, n_numbers);
free(numbers); free(numbers);
input = ",,"; input = ",,";
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_EQ(0, rc) << "Should succeeded\n"; ASSERT_EQ(0, rc) << "Should succeeded\n";
ASSERT_EQ(0, n_numbers); ASSERT_EQ(0, n_numbers);
free(numbers); free(numbers);
input = "1,2,aa,bb"; input = "1,2,aa,bb";
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_TRUE(0 != rc) << "Should failed\n"; ASSERT_TRUE(0 != rc) << "Should failed\n";
free(numbers); free(numbers);
input = "1,2,3,-12312312312312312312321311231231231"; input = "1,2,3,-12312312312312312312321311231231231";
rc = get_numbers_split_by_comma(input, &numbers, &n_numbers); rc = get_numbers_split_by_comma(input, &numbers, &n_numbers);
std::cout << "Testing input=" << input << "\n"; std::cout << "Testing input=" << input << "\n";
ASSERT_TRUE(0 != rc) << "Should failed\n"; ASSERT_TRUE(0 != rc) << "Should failed\n";
free(numbers); free(numbers);
} }
TEST_F(TestStringUtils, test_validate_container_id) { TEST_F(TestStringUtils, test_validate_container_id) {
const char *good_input[] = { const char *good_input[] = {
"container_e134_1499953498516_50875_01_000007", "container_e134_1499953498516_50875_01_000007",
"container_1499953498516_50875_01_000007", "container_1499953498516_50875_01_000007",
"container_e1_12312_11111_02_000001" "container_e1_12312_11111_02_000001"
}; };
const char *bad_input[] = { const char *bad_input[] = {
"CONTAINER", "CONTAINER",
"container_e1_12312_11111_02_000001 | /tmp/file" "container_e1_12312_11111_02_000001 | /tmp/file"
"container_e1_12312_11111_02_000001 || # /tmp/file", "container_e1_12312_11111_02_000001 || # /tmp/file",
"container_e1_12312_11111_02_000001 # /tmp/file", "container_e1_12312_11111_02_000001 # /tmp/file",
"container_e1_12312_11111_02_000001' || touch /tmp/file #", "container_e1_12312_11111_02_000001' || touch /tmp/file #",
"ubuntu || touch /tmp/file #", "ubuntu || touch /tmp/file #",
"''''''''" "''''''''"
}; };
int good_input_size = sizeof(good_input) / sizeof(char *); int good_input_size = sizeof(good_input) / sizeof(char *);
int i = 0; int i = 0;
for (i = 0; i < good_input_size; i++) { for (i = 0; i < good_input_size; i++) {
int op = validate_container_id(good_input[i]); int op = validate_container_id(good_input[i]);
ASSERT_EQ(1, op); ASSERT_EQ(1, op);
} }
int bad_input_size = sizeof(bad_input) / sizeof(char *); int bad_input_size = sizeof(bad_input) / sizeof(char *);
int j = 0; int j = 0;
for (j = 0; j < bad_input_size; j++) { for (j = 0; j < bad_input_size; j++) {
int op = validate_container_id(bad_input[j]); int op = validate_container_id(bad_input[j]);
ASSERT_EQ(0, op); ASSERT_EQ(0, op);
} }
} }
TEST_F(TestStringUtils, test_to_hexstring) {
const char* input = "hello";
char* digest = NULL;
unsigned char raw_digest[EVP_MAX_MD_SIZE];
unsigned int raw_digest_len = 0;
int rc = 0;
EVP_MD_CTX* mdctx = EVP_MD_CTX_create();
ASSERT_NE(nullptr, mdctx) << "Unable to create EVP MD context\n";
rc = EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL);
ASSERT_EQ(1, rc) << "Unable to initialize SHA256 digester\n";
rc = EVP_DigestFinal_ex(mdctx, raw_digest, &raw_digest_len);
ASSERT_EQ(1, rc) << "Unable to compute digest\n";
rc = EVP_DigestUpdate(mdctx, input, strlen(input));
ASSERT_EQ(1, rc) << "Unable to compute digest\n";
digest = to_hexstring(raw_digest, raw_digest_len);
ASSERT_STREQ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
digest) << "Digest is not equal to expected hash\n";
EVP_MD_CTX_destroy(mdctx);
free(digest);
}
TEST_F(TestStringUtils, test_strbuf_on_stack) {
const int sb_incr = 16;
strbuf sb;
bool rc;
rc = strbuf_init(&sb, sb_incr);
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("hellofoobar", sb.buffer);
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "some longer strings",
" that will cause the strbuf", " to have to realloc");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb.buffer);
strbuf_destroy(&sb);
}
TEST_F(TestStringUtils, test_strbuf_in_heap) {
const int sb_incr = 16;
strbuf *sb = NULL;
bool rc;
sb = strbuf_alloc(sb_incr);
ASSERT_NE(nullptr, sb) << "Unable to init strbuf\n";
rc = strbuf_append_fmt(sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf";
ASSERT_STREQ("hellofoobar", sb->buffer);
rc = strbuf_append_fmt(sb, sb_incr, "%s%s%s", "some longer strings",
" that will cause the strbuf", " to have to realloc");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb->buffer);
strbuf_free(sb);
}
TEST_F(TestStringUtils, test_strbuf_detach) {
const int sb_incr = 16;
strbuf sb;
char *buf;
bool rc;
rc = strbuf_init(&sb, sb_incr);
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "hello", "foo", "bar");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("hellofoobar", sb.buffer);
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "some longer strings",
" that will cause the strbuf", " to have to realloc");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", sb.buffer);
buf = strbuf_detach_buffer(&sb);
ASSERT_NE(nullptr, buf) << "Unable to detach char buf from strbuf\n";
rc = strbuf_append_fmt(&sb, sb_incr, "%s%s%s", "Buffer detached",
" so this should allocate", " a new buffer in strbuf");
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_STREQ("Buffer detached so this should allocate a new buffer in strbuf", sb.buffer);
ASSERT_STREQ("hellofoobarsome longer strings that will cause the strbuf to have to realloc", buf);
free(buf);
strbuf_destroy(&sb);
}
TEST_F(TestStringUtils, test_strbuf_realloc) {
const int sb_incr = 5;
strbuf sb;
char buf[] = "1234567890";
bool rc;
int len = strlen(buf);
rc = strbuf_init(&sb, sb_incr);
ASSERT_EQ(true, rc) << "Unable to init strbuf\n";
ASSERT_NE(nullptr, sb.buffer) << "Unable to init strbuf buffer\n";
ASSERT_EQ(5, sb.capacity) << "Unable to init strbuf capacity\n";
ASSERT_EQ(0, sb.length) << "Unable to init strbuf length\n";
rc = strbuf_append_fmt(&sb, sb_incr, "%s", buf);
ASSERT_EQ(true, rc) << "Unable to append format to strbuf\n";
ASSERT_NE(nullptr, sb.buffer) << "Unable to append strbuf buffer\n";
ASSERT_EQ(len + sb_incr + 1, sb.capacity) << "Unable to update strbuf capacity\n";
ASSERT_EQ(len, sb.length) << "Unable to update strbuf length\n";
rc = strbuf_realloc(&sb, 10);
ASSERT_EQ(false, rc) << "realloc to smaller capacity succeeded and has truncated existing string\n";
strbuf_destroy(&sb);
}
} // namespace ContainerExecutor } // namespace ContainerExecutor

View File

@ -0,0 +1,752 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <algorithm>
#include <gtest/gtest.h>
#include <fstream>
#include "errno.h"
#include "configuration.h"
#include <pwd.h>
#include <stdbool.h>
extern "C" {
#include "container-executor.h"
#include "runc/runc_launch_cmd.h"
#include "runc/runc_write_config.h"
#include "utils/mount-utils.h"
}
#define STARTING_JSON_BUFFER_SIZE (128*1024)
namespace ContainerExecutor {
class TestRunc : public ::testing::Test {
protected:
virtual void SetUp() {
container_executor_cfg_file = "container-executor.cfg";
std::string container_executor_cfg_contents = "[runc]\n "
"runc.allowed.rw-mounts=/opt,/var,/usr/bin/cut,/usr/bin/awk\n "
"runc.allowed.ro-mounts=/etc/passwd";
int ret = setup_container_executor_cfg(container_executor_cfg_contents);
ASSERT_EQ(ret, 0) << "Container executor cfg setup failed\n";
}
virtual void TearDown() {
remove(runc_config_file);
remove(container_executor_cfg_file.c_str());
delete_ce_file();
free_executor_configurations();
}
const char *runc_config_file = "runc-config.json";
std::string container_executor_cfg_file;
void write_file(const std::string fname, const std::string contents) {
std::ofstream config_file;
config_file.open(fname.c_str());
config_file << contents;
config_file.close();
}
int create_ce_file() {
int ret = 0;
const char *fname = HADOOP_CONF_DIR "/" CONF_FILENAME;
struct stat buffer;
if (stat(fname, &buffer) == 0) {
return ret;
}
if (strcmp("../etc/hadoop/container-executor.cfg", fname) == 0) {
ret = mkdir("../etc", 0755);
if (ret == 0 || errno == EEXIST) {
ret = mkdir("../etc/hadoop", 0755);
if (ret == 0 || errno == EEXIST) {
write_file("../etc/hadoop/container-executor.cfg", "");
} else {
std::cerr << "Could not create ../etc/hadoop, " << strerror(errno) << std::endl;
}
} else {
std::cerr << "Could not create ../etc, " << strerror(errno) << std::endl;
}
} else {
// Don't want to create directories all over. Make a simple attempt to
// write the file.
write_file(fname, "");
}
if (stat(fname, &buffer) != 0) {
std::cerr << "Could not create " << fname << strerror(errno) << std::endl;
ret = 1;
}
return ret;
}
void delete_ce_file() {
const char *fname = HADOOP_CONF_DIR "/" CONF_FILENAME;
if (strcmp("../etc/hadoop/container-executor.cfg", fname) == 0) {
struct stat buffer;
if (stat(fname, &buffer) == 0) {
remove("../etc/hadoop/container-executor.cfg");
rmdir("../etc/hadoop");
rmdir("../etc");
}
}
}
void write_container_executor_cfg(const std::string contents) {
write_file(container_executor_cfg_file, contents);
}
void write_config_file(const std::string contents) {
write_file(runc_config_file, contents);
}
int setup_container_executor_cfg(const std::string container_executor_cfg_contents) {
write_container_executor_cfg(container_executor_cfg_contents);
read_executor_config(container_executor_cfg_file.c_str());
return create_ce_file();
}
static cJSON* build_layer_array(const rlc_layer_spec *layers_array, int num_layers) {
cJSON* layer_json_array = cJSON_CreateArray();
if (layer_json_array == NULL) { return NULL; }
int i;
for (i = 0; i < num_layers; i++) {
const rlc_layer_spec *layer = &layers_array[i];
cJSON* layer_json = cJSON_CreateObject();
if (layer_json == NULL) { goto fail; }
cJSON_AddStringToObject(layer_json, "mediaType", layer->media_type);
cJSON_AddStringToObject(layer_json, "path", layer->path);
cJSON_AddItemToArray(layer_json_array, layer_json);
}
return layer_json_array;
fail:
cJSON_Delete(layer_json_array);
return NULL;
}
static cJSON* build_string_array(char const* const* dirs_array) {
int i;
cJSON* dirs_json_array = cJSON_CreateArray();
if (dirs_json_array == NULL) { return NULL; }
for (i = 0; dirs_array[i] != NULL; i++) {
const char *dir = dirs_array[i];
cJSON* layer_json = cJSON_CreateString(dir);
if (layer_json == NULL) { goto fail; }
cJSON_AddItemToArray(dirs_json_array, layer_json);
}
return dirs_json_array;
fail:
cJSON_Delete(dirs_json_array);
return NULL;
}
static bool build_process_struct(runc_config_process *const process, char const* const* args, char const* const cwd,
char const* const* env) {
cJSON *args_array = build_string_array(args);
if (args_array == NULL) { return false; }
cJSON *cwd_string = cJSON_CreateString(cwd);
if (cwd_string == NULL) { return false; }
cJSON *env_array = build_string_array(env);
if (env_array == NULL) { return false; }
process->args = args_array;
process->cwd = cwd_string;
process->env = env_array;
return true;
}
static cJSON* build_process_json(runc_config_process const* const process) {
cJSON* process_json = cJSON_CreateObject();
if (process_json == NULL) { return NULL; }
cJSON_AddItemReferenceToObject(process_json, "args", process->args);
cJSON_AddItemReferenceToObject(process_json, "cwd", process->cwd);
cJSON_AddItemReferenceToObject(process_json, "env", process->env);
return process_json;
}
static cJSON* build_config_json(runc_config const* const config) {
cJSON *config_json = cJSON_CreateObject();
if (config_json == NULL) { return NULL; }
runc_config_process const *const process = &config->process;
cJSON *process_json = build_process_json(process);
if (process_json == NULL) { goto fail; }
cJSON_AddItemToObject(config_json, "process", process_json);
cJSON_AddItemReferenceToObject(config_json, "linux", config->linux_config);
cJSON_AddItemReferenceToObject(config_json, "mounts", config->mounts);
return config_json;
fail:
cJSON_Delete(config_json);
return NULL;
}
static cJSON* build_runc_config_json(runc_launch_cmd const* const rlc) {
cJSON *local_dir_json;
cJSON *log_dir_json;
cJSON *layer_dir_json;
cJSON *runc_config_json = cJSON_CreateObject();
if (runc_config_json == NULL) { return NULL; }
runc_config const* const config = &rlc->config;
cJSON* config_json = build_config_json(config);
if (config_json == NULL) { goto fail; }
cJSON_AddItemToObject(runc_config_json, "ociRuntimeConfig", config_json);
cJSON_AddStringToObject(runc_config_json, "runAsUser", rlc->run_as_user);
cJSON_AddStringToObject(runc_config_json, "username", rlc->username);
cJSON_AddStringToObject(runc_config_json, "applicationId", rlc->app_id);
cJSON_AddStringToObject(runc_config_json, "containerId", rlc->container_id);
cJSON_AddStringToObject(runc_config_json, "pidFile", rlc->pid_file);
cJSON_AddStringToObject(runc_config_json, "containerScriptPath", rlc->script_path);
cJSON_AddStringToObject(runc_config_json, "containerCredentialsPath", rlc->cred_path);
cJSON_AddNumberToObject(runc_config_json, "https", rlc->https);
local_dir_json = build_string_array(rlc->local_dirs);
log_dir_json = build_string_array(rlc->log_dirs);
layer_dir_json = build_layer_array(rlc->layers, rlc->num_layers);
cJSON_AddItemToObject(runc_config_json, "layers", layer_dir_json);
cJSON_AddItemToObject(runc_config_json, "localDirs", local_dir_json);
cJSON_AddItemToObject(runc_config_json, "logDirs", log_dir_json);
cJSON_AddNumberToObject(runc_config_json, "reapLayerKeepCount", rlc->num_reap_layers_keep);
return runc_config_json;
fail:
cJSON_Delete(runc_config_json);
return NULL;
}
static cJSON* build_mount_json(const char *src, const char *dest, const char *input_options[]) {
cJSON* mount_json = cJSON_CreateObject();
if (mount_json == NULL) { return NULL; }
cJSON_AddStringToObject(mount_json, "source", src);
cJSON_AddStringToObject(mount_json, "destination", dest);
cJSON_AddStringToObject(mount_json, "type", "bind");
cJSON* options_array = build_string_array(input_options);
cJSON_AddItemToObject(mount_json, "options", options_array);
return mount_json;
}
static cJSON* build_mounts_json() {
cJSON* mount_json = NULL;
cJSON* mounts_json_array = cJSON_CreateArray();
if (mounts_json_array == NULL) {
return NULL;
}
const char *options_rw[10] = {"rw", "rprivate", "rbind"};
const char *options_ro[10] = {"ro", "rprivate", "rbind"};
mount_json = build_mount_json("/opt", "/opt", options_rw);
if (mount_json == NULL) { goto fail; }
cJSON_AddItemToArray(mounts_json_array, mount_json);
mount_json = build_mount_json("/var/", "/var/", options_rw);
if (mount_json == NULL) { goto fail; }
cJSON_AddItemToArray(mounts_json_array, mount_json);
mount_json = build_mount_json("/etc/passwd", "/etc/passwd", options_ro);
if (mount_json == NULL) { goto fail; }
cJSON_AddItemToArray(mounts_json_array, mount_json);
return mounts_json_array;
fail:
cJSON_Delete(mounts_json_array);
return NULL;
}
static runc_launch_cmd* build_default_runc_launch_cmd() {
char* run_as_user = strdup(getpwuid(getuid())->pw_name);
char* username = strdup(getpwuid(getuid())->pw_name);
char const* const application_id = "application_1571614753172_3182915";
char const* const container_id = "container_e14_1571614753172_3182915_01_000001";
char const* const pid_file = "/tmp/container_e14_1571614753172_3182915_01_000001.pid";
char const* const container_script_path = "/tmp/launch_container.sh";
char const* const container_credentials_path = "/tmp/container_e14_1571614753172_3182915_01_000001.tokens";
char const* const log_dirs[] = {"/log1", "/log2", NULL};
char const* const local_dirs[] = {"/local1", "/local2", NULL};
char const* const layer_media_type = "application/vnd.squashfs";
char const* const args[] = {"bash", "/tmp/launch_container.sh", NULL};
char const* const cwd = "/tmp";
char const* const env[] = {"HADOOP_PREFIX=/tmp", "PATH=/tmp", NULL};
char const* const hostname = "hostname";
int num_reap_layers_keep = 10;
unsigned int num_layers = 2;
int https = 1;
int i;
runc_launch_cmd *rlc_input = NULL;
rlc_layer_spec *layers_input = NULL;
cJSON *hostname_json = NULL;
cJSON *linux_config_json = NULL;
cJSON *mounts_json = NULL;
rlc_input = (runc_launch_cmd*) calloc(1, sizeof(*rlc_input));
if (rlc_input == NULL) { return NULL; }
runc_config *config = &rlc_input->config;
rlc_input->run_as_user = run_as_user;
rlc_input->username = username;
rlc_input->app_id = strdup(application_id);
rlc_input->container_id = strdup(container_id);
rlc_input->pid_file = strdup(pid_file);
rlc_input->script_path = strdup(container_script_path);
rlc_input->cred_path = strdup(container_credentials_path);
rlc_input->https = https;
rlc_input->local_dirs = (char **) calloc(sizeof(local_dirs)/sizeof(local_dirs[0]) + 1, sizeof(*local_dirs));
for (i = 0; local_dirs[i] != NULL; i++) {
rlc_input->local_dirs[i] = strdup(local_dirs[i]);
}
rlc_input->local_dirs[i] = NULL;
rlc_input->log_dirs = (char **) calloc(sizeof(log_dirs)/sizeof(log_dirs[0]) + 1, sizeof(*log_dirs));
for (i = 0; log_dirs[i] != NULL; i++) {
rlc_input->log_dirs[i] = strdup(log_dirs[i]);
}
rlc_input->log_dirs[i] = NULL;
rlc_input->num_reap_layers_keep = num_reap_layers_keep;
rlc_input->num_layers = num_layers;
layers_input = (rlc_layer_spec*) calloc(num_layers, sizeof(*layers_input));
(&layers_input[0])->media_type = strdup(layer_media_type);
(&layers_input[0])->path = strdup("/foo");
(&layers_input[1])->media_type = strdup(layer_media_type);
(&layers_input[1])->path = strdup("/bar");
rlc_input->layers = layers_input;
build_process_struct(&config->process, args, cwd, env);
hostname_json = cJSON_CreateString(hostname);
if (hostname_json == NULL) { goto fail; }
config->hostname = hostname_json;
linux_config_json = cJSON_CreateObject();
if (linux_config_json == NULL) { goto fail; }
config->linux_config = linux_config_json;
mounts_json = build_mounts_json();
if (mounts_json == NULL) { goto fail; }
config->mounts = mounts_json;
return rlc_input;
fail:
free_runc_launch_cmd(rlc_input);
return NULL;
}
static void test_runc_launch_cmd(runc_launch_cmd const* const rlc_input, runc_launch_cmd const* const rlc_parsed) {
unsigned int i;
ASSERT_STREQ(rlc_parsed->run_as_user, rlc_input->run_as_user);
ASSERT_STREQ(rlc_parsed->username, rlc_input->username);
ASSERT_STREQ(rlc_parsed->app_id, rlc_input->app_id);
ASSERT_STREQ(rlc_parsed->container_id, rlc_input->container_id);
ASSERT_STREQ(rlc_parsed->pid_file, rlc_input->pid_file);
ASSERT_STREQ(rlc_parsed->script_path, rlc_input->script_path);
ASSERT_STREQ(rlc_parsed->cred_path, rlc_input->cred_path);
ASSERT_EQ(rlc_parsed->https, rlc_input->https);
for (i = 0; rlc_input->local_dirs[i] != NULL; i++) {
ASSERT_NE(rlc_input->local_dirs[i], nullptr);
ASSERT_NE(rlc_parsed->local_dirs[i], nullptr);
ASSERT_STREQ(rlc_parsed->local_dirs[i], rlc_input->local_dirs[i]);
}
for (i = 0; rlc_input->log_dirs[i] != NULL; i++) {
ASSERT_NE(rlc_input->log_dirs[i], nullptr);
ASSERT_NE(rlc_parsed->log_dirs[i], nullptr);
ASSERT_STREQ(rlc_parsed->log_dirs[i], rlc_input->log_dirs[i]);
}
for (i = 0; i < rlc_input->num_layers; i++) {
rlc_layer_spec *layer_input = &rlc_input->layers[i];
rlc_layer_spec *layer_parsed = &rlc_parsed->layers[i];
ASSERT_NE(layer_input, nullptr);
ASSERT_NE(layer_parsed, nullptr);
ASSERT_STREQ(layer_parsed->media_type, layer_input->media_type);
ASSERT_STREQ(layer_parsed->path, layer_input->path);
}
ASSERT_EQ(rlc_parsed->num_layers, rlc_input->num_layers);
ASSERT_EQ(rlc_parsed->num_reap_layers_keep, rlc_input->num_reap_layers_keep);
}
};
static mount* build_mounts(std::string mounts_string,
unsigned int num_mounts) {
mount* mounts = (mount*) calloc(num_mounts, sizeof(*mounts));
std::istringstream comma_iss(mounts_string);
std::string comma_token;
int i = 0;
while (std::getline(comma_iss, comma_token, ','))
{
mount_options *options = (mount_options*) calloc(1, sizeof(*options));
mounts[i].options = options;
std::istringstream colon_iss(comma_token);
std::string colon_token;
std::getline(colon_iss, colon_token, ':');
mounts[i].src = strdup(colon_token.c_str());
std::getline(colon_iss, colon_token, ':');
mounts[i].dest = strdup(colon_token.c_str());
std::getline(colon_iss, colon_token, ':');
std::istringstream plus_iss(colon_token);
std::string plus_token;
unsigned int num_opts = std::count(colon_token.begin(), colon_token.end(), '+') + 1;
int j = 0;
char **opts = (char**) calloc(num_opts + 1, sizeof(*opts));
mounts[i].options->opts = opts;
while(std::getline(plus_iss, plus_token, '+')) {
char *mount_option = strdup(plus_token.c_str());
if (strcmp("rw", mount_option) == 0) {
options->rw = 1;
} else if (strcmp("ro", mount_option) == 0) {
options->rw = 0;
}
options->opts[j] = mount_option;
j++;
}
options->opts[j] = NULL;
options->num_opts = num_opts;
i++;
}
return mounts;
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_valid) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
ASSERT_NE(ret, false);
test_runc_launch_cmd(rlc_input, rlc_parsed);
cJSON_Delete(runc_config_json);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_bad_container_id) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
free(rlc_input->container_id);
rlc_input->container_id = strdup("foobar");
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
// An invalid container_id should cause an error and the parse function should return null
ASSERT_EQ(ret, false);
cJSON_Delete(runc_config_json);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_existing_pidfile) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
free(rlc_input->pid_file);
const char* pid_file = "/tmp/foo";
rlc_input->pid_file = strdup(pid_file);
write_file(pid_file, "");
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
// A pid file that already exists should cause an error and the parse function should return null
ASSERT_EQ(ret, false);
remove(pid_file);
cJSON_Delete(runc_config_json);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_media_type) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
free(rlc_input->layers[0].media_type);
rlc_input->layers[0].media_type = strdup("bad media type");
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
// A bad layer media type should cause an error and the parse function should return null
ASSERT_EQ(ret, false);
cJSON_Delete(runc_config_json);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_num_reap_layers_keep) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
rlc_input->num_reap_layers_keep = -1;
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
// A negative num_reap_layers_keep value should cause an error and the parse function should return null
ASSERT_EQ(ret, false);
cJSON_Delete(runc_config_json);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_valid_mounts) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
std::vector<std::string> mounts_string_vec;
mounts_string_vec.push_back(std::string("/var:/var:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/var:/var:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/var/:/var/:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/usr/bin/cut:/usr/bin/cut:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string(
"/usr/bin/awk:/awk:rw+shared+rbind+rprivate,/etc/passwd:/etc/passwd:ro+rbind+rprivate"));
mounts_string_vec.push_back(std::string(
"/var:/var:ro+rprivate+rbind,/etc/passwd:/etc/passwd:ro+rshared+rbind+rprivate"));
mount *mounts = NULL;
std::vector<std::string>::const_iterator itr;
for (itr = mounts_string_vec.begin(); itr != mounts_string_vec.end(); ++itr) {
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
cJSON* mounts_json_array = cJSON_CreateArray();
ASSERT_NE(mounts_json_array, nullptr);
unsigned int num_mounts = std::count(itr->begin(), itr->end(), ',') + 1;
mounts = build_mounts(*itr, num_mounts);
for (unsigned int i = 0; i < num_mounts; i++) {
cJSON *mount_json = build_mount_json(mounts[i].src,
mounts[i].dest,
(const char**) mounts[i].options->opts);
ASSERT_NE(mount_json, nullptr);
cJSON_AddItemToArray(mounts_json_array, mount_json);
}
cJSON_Delete(rlc_input->config.mounts);
rlc_input->config.mounts = mounts_json_array;
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
ASSERT_NE(ret, false);
test_runc_launch_cmd(rlc_input, rlc_parsed );
cJSON_Delete(runc_config_json);
free_mounts(mounts, num_mounts);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
}
TEST_F(TestRunc, test_parse_runc_launch_cmd_invalid_mounts) {
runc_launch_cmd *rlc_input = NULL;
runc_launch_cmd *rlc_parsed = NULL;
cJSON *runc_config_json = NULL;
char* json_data = NULL;
int ret = 0;
std::vector<std::string> mounts_string_vec;
mounts_string_vec.push_back(std::string("/lib:/lib:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/lib:/lib:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/usr/bin/:/usr/bin:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/blah:/blah:rw+rbind+rprivate"));
mounts_string_vec.push_back(std::string("/tmp:/tmp:shared"));
mounts_string_vec.push_back(std::string("/lib:/lib"));
mounts_string_vec.push_back(std::string("/lib:/lib:other"));
mount *mounts = NULL;
std::vector<std::string>::const_iterator itr;
for (itr = mounts_string_vec.begin(); itr != mounts_string_vec.end(); ++itr) {
rlc_input = build_default_runc_launch_cmd();
ASSERT_NE(rlc_input, nullptr);
cJSON* mounts_json_array = cJSON_CreateArray();
ASSERT_NE(mounts_json_array, nullptr);
unsigned int num_mounts = std::count(itr->begin(), itr->end(), ',') + 1;
mounts = build_mounts(*itr, num_mounts);
for (unsigned int i = 0; i < num_mounts; i++) {
cJSON *mount_json = build_mount_json(mounts[i].src,
mounts[i].dest,
(const char**) mounts[i].options->opts);
ASSERT_NE(mount_json, nullptr);
cJSON_AddItemToArray(mounts_json_array, mount_json);
}
cJSON_Delete(rlc_input->config.mounts);
rlc_input->config.mounts = mounts_json_array;
runc_config_json = build_runc_config_json(rlc_input);
ASSERT_NE(runc_config_json, nullptr);
json_data = cJSON_PrintBuffered(runc_config_json, STARTING_JSON_BUFFER_SIZE, false);
write_config_file(json_data);
rlc_parsed = parse_runc_launch_cmd(runc_config_file);
ASSERT_NE(rlc_parsed, nullptr);
ret = is_valid_runc_launch_cmd(rlc_parsed);
// A invalid mount should cause an error and the parse function should return null
ASSERT_EQ(ret, false);
cJSON_Delete(runc_config_json);
free_mounts(mounts, num_mounts);
free_runc_launch_cmd(rlc_input);
free(json_data);
free_runc_launch_cmd(rlc_parsed);
}
}
}