Revert "HADOOP-15195. With SELinux enabled, directories mounted with start-build-env.sh may not be accessible. Contributed by Grigori Rybkine"
This reverts commit 5b88cb3398
.
This commit is contained in:
parent
5b88cb3398
commit
9cc6d1dfb3
|
@ -1,102 +0,0 @@
|
||||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
||||||
# contributor license agreements. See the NOTICE file distributed with
|
|
||||||
# this work for additional information regarding copyright ownership.
|
|
||||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
|
||||||
# (the "License"); you may not use this file except in compliance with
|
|
||||||
# the License. You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
load hadoop-functions_test_helper
|
|
||||||
|
|
||||||
# Mock docker command
|
|
||||||
docker () {
|
|
||||||
if [ "$1" = "-v" ]; then
|
|
||||||
shift
|
|
||||||
echo Docker version ${DCKR_MOCK_VER:?}
|
|
||||||
elif [ "$1" = run ]; then
|
|
||||||
shift
|
|
||||||
until [ $# -eq 0 ]; do
|
|
||||||
if [ "$1" = -v ]; then
|
|
||||||
shift
|
|
||||||
echo "$1"|awk -F':' '{if (NF == 3 && $3 == "z")
|
|
||||||
printf "Mounted %s with %s option.\n", $1, $3
|
|
||||||
else if (NF == 2)
|
|
||||||
printf "Mounted %s without %s option.\n", $1, "z"}'
|
|
||||||
fi
|
|
||||||
shift
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
export -f docker
|
|
||||||
export DCKR_MOCK_VER
|
|
||||||
|
|
||||||
# Mock a SELinux enabled system
|
|
||||||
enable_selinux () {
|
|
||||||
mkdir -p "${TMP}/bin"
|
|
||||||
echo true >"${TMP}/bin"/selinuxenabled
|
|
||||||
chmod a+x "${TMP}/bin"/selinuxenabled
|
|
||||||
if [ "${PATH#${TMP}/bin}" = "${PATH}" ]; then
|
|
||||||
PATH="${TMP}/bin":"$PATH"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
setup_user () {
|
|
||||||
if [ -z "$(printenv USER)" ]; then
|
|
||||||
if [ -z "$USER" ]; then
|
|
||||||
USER=${HOME##*/}
|
|
||||||
fi
|
|
||||||
export USER
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Mock stat command as used in start-build-env.sh
|
|
||||||
stat () {
|
|
||||||
if [ "$1" = --printf='%C' -a $# -eq 2 ]; then
|
|
||||||
printf 'mock_u:mock_r:mock_t:s0'
|
|
||||||
else
|
|
||||||
command stat "$@"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
export -f stat
|
|
||||||
|
|
||||||
# Verify that host directories get mounted without z option
|
|
||||||
# and INFO messages get printed out
|
|
||||||
@test "start-build-env.sh (Docker without z mount option)" {
|
|
||||||
if [ "$(uname -s)" != "Linux" ]; then
|
|
||||||
skip "Not on Linux platform"
|
|
||||||
fi
|
|
||||||
enable_selinux
|
|
||||||
setup_user
|
|
||||||
DCKR_MOCK_VER=1.4
|
|
||||||
run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh"
|
|
||||||
[ "$status" -eq 0 ]
|
|
||||||
[[ ${lines[0]} == "INFO: SELinux policy is enforced." ]]
|
|
||||||
[[ ${lines[1]} =~ \
|
|
||||||
"Mounted ".*" may not be accessible to the container." ]]
|
|
||||||
[[ ${lines[2]} == \
|
|
||||||
"INFO: If so, on the host, run the following command:" ]]
|
|
||||||
[[ ${lines[3]} =~ "# chcon -Rt svirt_sandbox_file_t " ]]
|
|
||||||
[[ ${lines[-2]} =~ "Mounted ".*" without z option." ]]
|
|
||||||
[[ ${lines[-1]} =~ "Mounted ".*" without z option." ]]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Verify that host directories get mounted with z option
|
|
||||||
@test "start-build-env.sh (Docker with z mount option)" {
|
|
||||||
if [ "$(uname -s)" != "Linux" ]; then
|
|
||||||
skip "Not on Linux platform"
|
|
||||||
fi
|
|
||||||
enable_selinux
|
|
||||||
setup_user
|
|
||||||
DCKR_MOCK_VER=1.7
|
|
||||||
run "${BATS_TEST_DIRNAME}/../../../../../start-build-env.sh"
|
|
||||||
[ "$status" -eq 0 ]
|
|
||||||
[[ ${lines[-2]} =~ "Mounted ".*" with z option." ]]
|
|
||||||
[[ ${lines[-1]} =~ "Mounted ".*" with z option." ]]
|
|
||||||
}
|
|
|
@ -21,36 +21,10 @@ cd "$(dirname "$0")" # connect to root
|
||||||
|
|
||||||
docker build -t hadoop-build dev-support/docker
|
docker build -t hadoop-build dev-support/docker
|
||||||
|
|
||||||
if [ "$(uname -s)" = "Linux" ]; then
|
if [ "$(uname -s)" == "Linux" ]; then
|
||||||
USER_NAME=${SUDO_USER:=$USER}
|
USER_NAME=${SUDO_USER:=$USER}
|
||||||
USER_ID=$(id -u "${USER_NAME}")
|
USER_ID=$(id -u "${USER_NAME}")
|
||||||
GROUP_ID=$(id -g "${USER_NAME}")
|
GROUP_ID=$(id -g "${USER_NAME}")
|
||||||
# man docker-run
|
|
||||||
# When using SELinux, mounted directories may not be accessible
|
|
||||||
# to the container. To work around this, with Docker prior to 1.7
|
|
||||||
# one needs to run the "chcon -Rt svirt_sandbox_file_t" command on
|
|
||||||
# the directories. With Docker 1.7 and later the z mount option
|
|
||||||
# does this automatically.
|
|
||||||
if command -v selinuxenabled >/dev/null && selinuxenabled; then
|
|
||||||
DCKR_VER=$(docker -v|awk '$1 == "Docker" && $2 == "version"\
|
|
||||||
{split($3,ver,".");print ver[1]"."ver[2]}')
|
|
||||||
DCKR_MAJ=${DCKR_VER%.*}
|
|
||||||
DCKR_MIN=${DCKR_VER#*.}
|
|
||||||
if [ "${DCKR_MAJ}" -eq 1 ] && [ "${DCKR_MIN}" -ge 7 ] ||
|
|
||||||
[ "${DCKR_MAJ}" -gt 1 ]; then
|
|
||||||
V_OPTS=:z
|
|
||||||
else
|
|
||||||
for d in "${PWD}" "${HOME}/.m2"; do
|
|
||||||
ctx=$(stat --printf='%C' "$d"|cut -d':' -f3)
|
|
||||||
if [ "$ctx" != svirt_sandbox_file_t ] && [ "$ctx" != container_file_t ]; then
|
|
||||||
printf 'INFO: SELinux policy is enforced.\n'
|
|
||||||
printf '\tMounted %s may not be accessible to the container.\n' "$d"
|
|
||||||
printf 'INFO: If so, on the host, run the following command:\n'
|
|
||||||
printf '\t# chcon -Rt svirt_sandbox_file_t %s\n' "$d"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else # boot2docker uid and gid
|
else # boot2docker uid and gid
|
||||||
USER_NAME=$USER
|
USER_NAME=$USER
|
||||||
USER_ID=1000
|
USER_ID=1000
|
||||||
|
@ -71,8 +45,8 @@ UserSpecificDocker
|
||||||
# system. And this also is a significant speedup in subsequent
|
# system. And this also is a significant speedup in subsequent
|
||||||
# builds because the dependencies are downloaded only once.
|
# builds because the dependencies are downloaded only once.
|
||||||
docker run --rm=true -t -i \
|
docker run --rm=true -t -i \
|
||||||
-v "${PWD}:/home/${USER_NAME}/hadoop${V_OPTS:-}" \
|
-v "${PWD}:/home/${USER_NAME}/hadoop" \
|
||||||
-w "/home/${USER_NAME}/hadoop" \
|
-w "/home/${USER_NAME}/hadoop" \
|
||||||
-v "${HOME}/.m2:/home/${USER_NAME}/.m2${V_OPTS:-}" \
|
-v "${HOME}/.m2:/home/${USER_NAME}/.m2" \
|
||||||
-u "${USER_NAME}" \
|
-u "${USER_NAME}" \
|
||||||
"hadoop-build-${USER_ID}"
|
"hadoop-build-${USER_ID}"
|
||||||
|
|
Loading…
Reference in New Issue