From 952c309dd993fbb69820891c839961d6b5c7372f Mon Sep 17 00:00:00 2001
From: Varun Vasudev
Date: Thu, 25 Aug 2016 12:56:11 +0530
Subject: [PATCH] YARN-5042. Mount /sys/fs/cgroup into Docker containers as read only mount. Contributed by luhuichun.
(cherry picked from commit 42d9876471ff0bf0ea240cd48fe483cda8aa1ec7)
---
 .../linux/runtime/DockerLinuxContainerRuntime.java | 7 ++++---
 .../linux/runtime/docker/DockerRunCommand.java | 7 ++++++-
 .../linux/runtime/TestDockerContainerRuntime.java | 4 ++++
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
index be17af9f2cb..2cce1f8ce4a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
@@ -447,7 +447,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
 .detachOnRun()
 .setContainerWorkDir(containerWorkDir.toString())
 .setNetworkType(network)
- .setCapabilities(capabilities);
+ .setCapabilities(capabilities)
+ .addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false);
 List allDirs = new ArrayList<>(containerLocalDirs);
 allDirs.addAll(filecacheDirs);
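Review bot: The added `.addMountLocation("/sys/fs/cgroup", "/sys/fs/cgroup:ro", false)` exposes the host's cgroup tree to every container this runtime launches, with no configuration switch and no comment explaining why it is needed. A container that can read that tree can see the cgroup names of the other workloads on the node, so the call deserves at least a comment such as `// read-only view of host cgroups, needed by <reason>; see YARN-5042`, and preferably a NodeManager setting to disable it. It is also worth confirming on the supported Docker and kernel versions that `:ro` covers the per-controller mounts below /sys/fs/cgroup and not only the top-level bind, since on some combinations the read-only flag is not applied recursively to submounts. The builder chain this line extends starts above the hunk.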
@@ -455,7 +456,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
 allDirs.addAll(containerLogDirs);
 allDirs.addAll(userLocalDirs);
 for (String dir: allDirs) {
- runCommand.addMountLocation(dir, dir);
+ runCommand.addMountLocation(dir, dir, true);
 }
 if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
@@ -470,7 +471,7 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
 }
 String src = validateMount(dir[0], localizedResources);
 String dst = dir[1];
- runCommand.addMountLocation(src, dst + ":ro");
+ runCommand.addMountLocation(src, dst + ":ro", true);
 }
 }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
index 7c49ef9beff..f79f4ed08c8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
@@ -22,6 +22,7 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime
 import org.apache.hadoop.util.StringUtils;
+import java.io.File;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -59,7 +60,11 @@ public class DockerRunCommand extends DockerCommand {
 }
 public DockerRunCommand addMountLocation(String sourcePath, String
- destinationPath) {
+ destinationPath, boolean createSource) {
+ boolean sourceExists = new File(sourcePath).exists();
+ if (!sourceExists && !createSource) {
+ return this;
+ }
 super.addCommandArguments("-v", sourcePath + ":" + destinationPath);
 return this;
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java
index ad8b52d6e13..a05ff46f9e7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java
@@ -276,6 +276,7 @@ public class TestDockerContainerRuntime {
 .append("--workdir=%3$s ")
 .append("--net=host ")
 .append(getExpectedTestCapabilitiesArgumentString())
+ .append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
 .append("-v %4$s:%4$s ")
 .append("-v %5$s:%5$s ")
 .append("-v %6$s:%6$s ")
@@ -381,6 +382,7 @@ public class TestDockerContainerRuntime {
 .append("--workdir=%3$s ")
 .append("--net=" + allowedNetwork + " ")
 .append(getExpectedTestCapabilitiesArgumentString())
+ .append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
 .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
 .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
 .append("-v %8$s:%8$s ").append("%9$s ")
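Review bot: In `addMountLocation`, a missing source with `createSource` false makes the method return without adding the `-v` argument and without recording anything, so the container starts without the mount and the operator has no trace that it was dropped. The parameter name is also misleading, because this method never creates anything; it only decides whether a host path that does not exist is still handed to Docker. I would add Javadoc stating that contract, log the skipped path if a logger is available in this class, and test the flag first so the filesystem is not probed for mounts that are passed regardless: `if (!createSource && !new File(sourcePath).exists()) {`. The existence check runs before the Docker command is executed, so the Javadoc should call it best-effort: the path can appear or vanish in between. Replacing the two-argument signature instead of overloading it also breaks any caller outside this patch.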
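Review bot: The expected command line in the -276 hunk now hard-codes `-v /sys/fs/cgroup:/sys/fs/cgroup:ro `, but with `createSource` false the runtime emits that argument only when /sys/fs/cgroup exists on the machine running the test, so these assertions would presumably fail on a build host without that directory. The hunks at -381, -435 and -471 have the same dependency. Building the fragment conditionally, for example `new File("/sys/fs/cgroup").exists() ? "-v /sys/fs/cgroup:/sys/fs/cgroup:ro " : ""`, or guarding the tests with a JUnit assumption on the path, would make them independent of the host. None of the four hunks covers the skip branch itself, where the source is absent and no `-v` should be produced. The test methods start and end outside the hunks.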
@@ -435,6 +437,7 @@ public class TestDockerContainerRuntime {
 .append("--workdir=%3$s ")
 .append("--net=" + customNetwork1 + " ")
 .append(getExpectedTestCapabilitiesArgumentString())
+ .append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
 .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
 .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
 .append("-v %8$s:%8$s ").append("%9$s ")
@@ -471,6 +474,7 @@ public class TestDockerContainerRuntime {
 .append("--workdir=%3$s ")
 .append("--net=" + customNetwork2 + " ")
 .append(getExpectedTestCapabilitiesArgumentString())
+ .append("-v /sys/fs/cgroup:/sys/fs/cgroup:ro ")
 .append("-v %4$s:%4$s ").append("-v %5$s:%5$s ")
 .append("-v %6$s:%6$s ").append("-v %7$s:%7$s ")
 .append("-v %8$s:%8$s ").append("%9$s ")