Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

YARN-7221. Add security check for privileged docker container. Contributed by Eric Yang

This commit is contained in:
Billie Rinaldi 2018-04-11 08:23:20 -07:00
parent f7d5bace43
commit 933477e9e0
4 changed files with 157 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
View File

@ -767,7 +767,11 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
throw new ContainerExecutionException(message); throw new ContainerExecutionException(message);
} }
} }
dockerRunAsUser = uid + ":" + gid; if (!allowPrivilegedContainerExecution(container)) {
dockerRunAsUser = uid + ":" + gid;
} else {
dockerRunAsUser = ctx.getExecutionAttribute(USER);
}
} }
//List<String> -> stored as List -> fetched/converted to List<String> //List<String> -> stored as List -> fetched/converted to List<String>
@ -879,7 +883,9 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
} }
if(enableUserReMapping) { if(enableUserReMapping) {
runCommand.groupAdd(groups); if (!allowPrivilegedContainerExecution(container)) {
runCommand.groupAdd(groups);
}
} }
// use plugins to update docker run command. // use plugins to update docker run command.

100
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
View File

@ -16,6 +16,9 @@
* limitations under the License. * limitations under the License.
*/ */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include <string.h> #include <string.h>
#include <strings.h> #include <strings.h>
#include <stdlib.h> #include <stdlib.h>
@ -25,6 +28,9 @@
#include "docker-util.h" #include "docker-util.h"
#include "string-utils.h" #include "string-utils.h"
#include "util.h" #include "util.h"
#include <grp.h>
#include <pwd.h>
#include <errno.h>
static int read_and_verify_command_file(const char *command_file, const char *docker_command, static int read_and_verify_command_file(const char *command_file, const char *docker_command,
struct configuration *command_config) { struct configuration *command_config) {
@ -1254,14 +1260,94 @@ static int add_rw_mounts(const struct configuration *command_config, const stru
return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen); return add_mounts(command_config, conf, "rw-mounts", 0, out, outlen);
} }
static int check_privileges(const char *user) {
int ngroups = 0;
gid_t *groups = NULL;
struct passwd *pw;
struct group *gr;
int ret = 0;
int waitid = -1;
int statval = 0;
pw = getpwnam(user);
if (pw == NULL) {
fprintf(ERRORFILE, "User %s does not exist in host OS.\n", user);
exit(INITIALIZE_USER_FAILED);
}
int rc = getgrouplist(user, pw->pw_gid, groups, &ngroups);
if (rc < 0) {
groups = (gid_t *) alloc_and_clear_memory(ngroups, sizeof(gid_t));
if (groups == NULL) {
fprintf(ERRORFILE, "Failed to allocate buffer for group lookup for user %s.\n", user);
exit(OUT_OF_MEMORY);
}
if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
fprintf(ERRORFILE, "Fail to lookup groups for user %s.\n", user);
ret = 2;
}
}
if (ret != 2) {
for (int j = 0; j < ngroups; j++) {
gr = getgrgid(groups[j]);
if (gr != NULL) {
if (strcmp(gr->gr_name, "root")==0 || strcmp(gr->gr_name, "docker")==0) {
ret = 1;
break;
}
}
}
}
if (ret != 1) {
int child_pid = fork();
if (child_pid == 0) {
execl("/bin/sudo", "sudo", "-U", user, "-n", "-l", "docker", NULL);
exit(INITIALIZE_USER_FAILED);
} else {
while ((waitid = waitpid(child_pid, &statval, 0)) != child_pid) {
if (waitid == -1 && errno != EINTR) {
fprintf(ERRORFILE, "waitpid failed: %s\n", strerror(errno));
break;
}
}
if (waitid == child_pid) {
if (WIFEXITED(statval)) {
if (WEXITSTATUS(statval) == 0) {
ret = 1;
}
} else if (WIFSIGNALED(statval)) {
fprintf(ERRORFILE, "sudo terminated by signal %d\n", WTERMSIG(statval));
}
}
}
}
free(groups);
if (ret == 1) {
fprintf(ERRORFILE, "check privileges passed for user: %s\n", user);
} else {
fprintf(ERRORFILE, "check privileges failed for user: %s, error code: %d\n", user, ret);
ret = 0;
}
return ret;
}
static int set_privileged(const struct configuration *command_config, const struct configuration *conf, char *out, static int set_privileged(const struct configuration *command_config, const struct configuration *conf, char *out,
const size_t outlen) { const size_t outlen) {
size_t tmp_buffer_size = 1024; size_t tmp_buffer_size = 1024;
char *user = NULL;
char *tmp_buffer = (char *) alloc_and_clear_memory(tmp_buffer_size, sizeof(char)); char *tmp_buffer = (char *) alloc_and_clear_memory(tmp_buffer_size, sizeof(char));
char *value = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, command_config); char *value = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, command_config);
char *privileged_container_enabled char *privileged_container_enabled
= get_configuration_value("docker.privileged-containers.enabled", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf); = get_configuration_value("docker.privileged-containers.enabled", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf);
int ret = 0; int ret = 0;
int allowed = 0;
user = get_configuration_value("user", DOCKER_COMMAND_FILE_SECTION, command_config);
if (user == NULL) {
return INVALID_DOCKER_USER_NAME;
}
if (value != NULL && strcasecmp(value, "true") == 0 ) { if (value != NULL && strcasecmp(value, "true") == 0 ) {
if (privileged_container_enabled != NULL) { if (privileged_container_enabled != NULL) {
@ -1273,9 +1359,16 @@ static int set_privileged(const struct configuration *command_config, const stru
ret = PRIVILEGED_CONTAINERS_DISABLED; ret = PRIVILEGED_CONTAINERS_DISABLED;
goto free_and_exit; goto free_and_exit;
} }
ret = add_to_buffer(out, outlen, "--privileged "); allowed = check_privileges(user);
if (ret != 0) { if (allowed) {
ret = BUFFER_TOO_SMALL; ret = add_to_buffer(out, outlen, "--privileged ");
if (ret != 0) {
ret = BUFFER_TOO_SMALL;
}
} else {
fprintf(ERRORFILE, "Privileged containers are disabled for user: %s\n", user);
ret = PRIVILEGED_CONTAINERS_DISABLED;
goto free_and_exit;
} }
} else { } else {
fprintf(ERRORFILE, "Privileged containers are disabled\n"); fprintf(ERRORFILE, "Privileged containers are disabled\n");
@ -1293,6 +1386,7 @@ static int set_privileged(const struct configuration *command_config, const stru
free(tmp_buffer); free(tmp_buffer);
free(value); free(value);
free(privileged_container_enabled); free(privileged_container_enabled);
free(user);
if (ret != 0) { if (ret != 0) {
memset(out, 0, outlen); memset(out, 0, outlen);
} }

97
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
View File

@ -646,10 +646,10 @@ namespace ContainerExecutor {
FAIL(); FAIL();
} }
ret = set_privileged(&cmd_cfg, &container_cfg, buff, buff_len); ret = set_privileged(&cmd_cfg, &container_cfg, buff, buff_len);
ASSERT_EQ(0, ret); ASSERT_EQ(6, ret);
ASSERT_STREQ(itr->second.c_str(), buff); ASSERT_EQ(0, strlen(buff));
} }
write_command_file("[docker-command-execution]\n docker-command=run\n privileged=true\n image=nothadoop/image"); write_command_file("[docker-command-execution]\n docker-command=run\n user=nobody\n privileged=true\n image=nothadoop/image");
ret = read_config(docker_command_file.c_str(), &cmd_cfg); ret = read_config(docker_command_file.c_str(), &cmd_cfg);
if (ret != 0) { if (ret != 0) {
FAIL(); FAIL();
@ -669,9 +669,7 @@ namespace ContainerExecutor {
} }
file_cmd_vec.clear(); file_cmd_vec.clear();
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n privileged=false", "")); "[docker-command-execution]\n docker-command=run\n user=root\n privileged=false", ""));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run", ""));
for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) { for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
memset(buff, 0, buff_len); memset(buff, 0, buff_len);
write_command_file(itr->first); write_command_file(itr->first);
@ -683,7 +681,7 @@ namespace ContainerExecutor {
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
ASSERT_STREQ(itr->second.c_str(), buff); ASSERT_STREQ(itr->second.c_str(), buff);
} }
write_command_file("[docker-command-execution]\n docker-command=run\n privileged=true"); write_command_file("[docker-command-execution]\n docker-command=run\n user=root\n privileged=true");
ret = read_config(docker_command_file.c_str(), &cmd_cfg); ret = read_config(docker_command_file.c_str(), &cmd_cfg);
if (ret != 0) { if (ret != 0) {
FAIL(); FAIL();
@ -1114,64 +1112,64 @@ namespace ContainerExecutor {
std::vector<std::pair<std::string, std::string> > file_cmd_vec; std::vector<std::pair<std::string, std::string> > file_cmd_vec;
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test", "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' ")); "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'hadoop/docker-image' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test", "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'nothadoop/docker-image' ")); "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'nothadoop/docker-image' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n" "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' ")); "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'hadoop/docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
// Test non-privileged conatiner with launch command // Test non-privileged conatiner with launch command
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n" " network=bridge\n devices=/dev/test:/dev/test\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
" --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' " " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' "
"'test_script.sh' 'arg1' 'arg2' ")); "'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n" " network=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
// Test non-privileged container and drop all privileges // Test non-privileged container and drop all privileges
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
"--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'" "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'"
" 'test_script.sh' 'arg1' 'arg2' ")); " 'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n net=bridge\n" " network=bridge\n net=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge'"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
// Test privileged container // Test privileged container
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1181,10 +1179,9 @@ namespace ContainerExecutor {
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' " "--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' "
"'bash' 'test_script.sh' 'arg1' 'arg2' ")); "'bash' 'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=root\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
@ -1196,28 +1193,28 @@ namespace ContainerExecutor {
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=nobody\n hostname=host-id\n"
" network=bridge\n net=bridge\n" " network=bridge\n net=bridge\n"
" detach=true\n rm=true\n group-add=1000,1001\n" " detach=true\n rm=true\n group-add=1000,1001\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' --cap-drop='ALL' " "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge' --cap-drop='ALL' "
"--hostname='host-id' --group-add '1000' --group-add '1001' " "--hostname='host-id' --group-add '1000' --group-add '1001' "
"'docker-image' ")); "'docker-image' "));
std::vector<std::pair<std::string, int> > bad_file_cmd_vec; std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n docker-command=run\n image=hadoop/docker-image\n user=test", "[docker-command-execution]\n docker-command=run\n image=hadoop/docker-image\n user=nobody",
static_cast<int>(INVALID_DOCKER_CONTAINER_NAME))); static_cast<int>(INVALID_DOCKER_CONTAINER_NAME)));
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n user=test\n", "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n user=nobody\n",
static_cast<int>(INVALID_DOCKER_IMAGE_NAME))); static_cast<int>(INVALID_DOCKER_IMAGE_NAME)));
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n", "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n",
static_cast<int>(INVALID_DOCKER_USER_NAME))); static_cast<int>(INVALID_DOCKER_USER_NAME)));
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n net=bridge\n privileged=true\n" " network=bridge\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
@ -1227,7 +1224,7 @@ namespace ContainerExecutor {
// invalid rw mount // invalid rw mount
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/var/log:/var/log\n" " ro-mounts=/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/var/log:/var/log\n"
" network=bridge\n devices=/dev/test:/dev/test\n" " network=bridge\n devices=/dev/test:/dev/test\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1237,7 +1234,7 @@ namespace ContainerExecutor {
// invalid ro mount // invalid ro mount
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/bin:/bin,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/bin:/bin,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n" " network=bridge\n devices=/dev/test:/dev/test\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1247,7 +1244,7 @@ namespace ContainerExecutor {
// invalid capability // invalid capability
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n" " network=bridge\n devices=/dev/test:/dev/test\n"
" cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1257,17 +1254,17 @@ namespace ContainerExecutor {
// invalid device // invalid device
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n" " network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
static_cast<int>(INVALID_DOCKER_DEVICE))); static_cast<int>(PRIVILEGED_CONTAINERS_DISABLED)));
// invalid network // invalid network
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n" " network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1304,59 +1301,59 @@ namespace ContainerExecutor {
std::vector<std::pair<std::string, std::string> > file_cmd_vec; std::vector<std::pair<std::string, std::string> > file_cmd_vec;
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test", "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=nobody",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n" "[docker-command-execution]\n docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n"
" user=test\n launch-command=bash,test_script.sh,arg1,arg2", " user=nobody\n launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); "run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n" " network=bridge\n devices=/dev/test:/dev/test\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'" " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
" --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' " " --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash' "
"'test_script.sh' 'arg1' 'arg2' ")); "'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n" " network=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
" -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' " " -v '/usr/bin/cut:/usr/bin/cut:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
"--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'" "--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'hadoop/docker-image' 'bash'"
" 'test_script.sh' 'arg1' 'arg2' ")); " 'test_script.sh' 'arg1' 'arg2' "));
file_cmd_vec.push_back(std::make_pair<std::string, std::string>( file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=nothadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n net=bridge\n" " network=bridge\n net=bridge\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
" launch-command=bash,test_script.sh,arg1,arg2", " launch-command=bash,test_script.sh,arg1,arg2",
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge'" "run --name='container_e1_12312_11111_02_000001' --user='nobody' -d --rm --net='bridge'"
" --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' ")); " --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --hostname='host-id' 'nothadoop/docker-image' "));
std::vector<std::pair<std::string, int> > bad_file_cmd_vec; std::vector<std::pair<std::string, int> > bad_file_cmd_vec;
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>( bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
"[docker-command-execution]\n" "[docker-command-execution]\n"
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=test\n hostname=host-id\n" " docker-command=run\n name=container_e1_12312_11111_02_000001\n image=hadoop/docker-image\n user=nobody\n hostname=host-id\n"
" ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n" " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/cut:/usr/bin/cut\n rw-mounts=/tmp:/tmp\n"
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n" " network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n" " cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
@ -1387,8 +1384,8 @@ namespace ContainerExecutor {
"--config='/my-config' stop container_e1_12312_11111_02_000001")); "--config='/my-config' stop container_e1_12312_11111_02_000001"));
input_output_map.push_back(std::make_pair<std::string, std::string>( input_output_map.push_back(std::make_pair<std::string, std::string>(
"[docker-command-execution]\n docker-command=run\n docker-config=/my-config\n name=container_e1_12312_11111_02_000001\n" "[docker-command-execution]\n docker-command=run\n docker-config=/my-config\n name=container_e1_12312_11111_02_000001\n"
" image=docker-image\n user=test", " image=docker-image\n user=nobody",
"--config='/my-config' run --name='container_e1_12312_11111_02_000001' --user='test' --cap-drop='ALL' 'docker-image' ")); "--config='/my-config' run --name='container_e1_12312_11111_02_000001' --user='nobody' --cap-drop='ALL' 'docker-image' "));
std::vector<std::pair<std::string, std::string> >::const_iterator itr; std::vector<std::pair<std::string, std::string> >::const_iterator itr;
char buffer[4096]; char buffer[4096];

11
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java
View File

@ -214,7 +214,7 @@ public class TestDockerContainerRuntime {
// Prevent gid threshold failures for these tests // Prevent gid threshold failures for these tests
conf.setInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_GID_THRESHOLD, 0); conf.setInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_GID_THRESHOLD, 0);
user = "user"; user = submittingUser;
appId = "app_id"; appId = "app_id";
containerIdStr = containerId; containerIdStr = containerId;
containerWorkDir = new Path("/test_container_work_dir"); containerWorkDir = new Path("/test_container_work_dir");
@ -957,7 +957,7 @@ public class TestDockerContainerRuntime {
List<String> dockerCommands = Files.readAllLines(Paths.get List<String> dockerCommands = Files.readAllLines(Paths.get
(dockerCommandFile), Charset.forName("UTF-8")); (dockerCommandFile), Charset.forName("UTF-8"));
int expected = 15; int expected = 14;
int counter = 0; int counter = 0;
Assert.assertEquals(expected, dockerCommands.size()); Assert.assertEquals(expected, dockerCommands.size());
Assert.assertEquals("[docker-command-execution]", Assert.assertEquals("[docker-command-execution]",
@ -967,8 +967,6 @@ public class TestDockerContainerRuntime {
Assert.assertEquals(" cap-drop=ALL", dockerCommands.get(counter++)); Assert.assertEquals(" cap-drop=ALL", dockerCommands.get(counter++));
Assert.assertEquals(" detach=true", dockerCommands.get(counter++)); Assert.assertEquals(" detach=true", dockerCommands.get(counter++));
Assert.assertEquals(" docker-command=run", dockerCommands.get(counter++)); Assert.assertEquals(" docker-command=run", dockerCommands.get(counter++));
Assert.assertEquals(" group-add=" + String.join(",", groups),
dockerCommands.get(counter++));
Assert Assert
.assertEquals(" image=busybox:latest", dockerCommands.get(counter++)); .assertEquals(" image=busybox:latest", dockerCommands.get(counter++));
Assert.assertEquals( Assert.assertEquals(
@ -984,7 +982,8 @@ public class TestDockerContainerRuntime {
" rw-mounts=/test_container_log_dir:/test_container_log_dir," " rw-mounts=/test_container_log_dir:/test_container_log_dir,"
+ "/test_application_local_dir:/test_application_local_dir", + "/test_application_local_dir:/test_application_local_dir",
dockerCommands.get(counter++)); dockerCommands.get(counter++));
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++)); Assert.assertEquals(" user=" + submittingUser,
dockerCommands.get(counter++));
Assert.assertEquals(" workdir=/test_container_work_dir", Assert.assertEquals(" workdir=/test_container_work_dir",
dockerCommands.get(counter)); dockerCommands.get(counter));
} }
@ -1303,7 +1302,7 @@ public class TestDockerContainerRuntime {
Assert.assertEquals(op.getOperationType(), Assert.assertEquals(op.getOperationType(),
PrivilegedOperation.OperationType.SIGNAL_CONTAINER); PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
Assert.assertEquals(runAsUser, op.getArguments().get(0)); Assert.assertEquals(runAsUser, op.getArguments().get(0));
Assert.assertEquals("user", op.getArguments().get(1)); Assert.assertEquals(submittingUser, op.getArguments().get(1));
Assert.assertEquals("2", op.getArguments().get(2)); Assert.assertEquals("2", op.getArguments().get(2));
Assert.assertEquals("1234", op.getArguments().get(3)); Assert.assertEquals("1234", op.getArguments().get(3));
Assert.assertEquals("0", op.getArguments().get(4)); Assert.assertEquals("0", op.getArguments().get(4));