YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.
(cherry picked from commit2ac029b949
) Conflicts: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c (cherry picked from commitcec71691be
)
This commit is contained in:
parent
cb91ab73b0
commit
a995e6352f
|
@ -721,8 +721,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon
|
||||||
*/
|
*/
|
||||||
static int create_container_directories(const char* user, const char *app_id,
|
static int create_container_directories(const char* user, const char *app_id,
|
||||||
const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) {
|
const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) {
|
||||||
// create dirs as 0750
|
// create dirs as 0710
|
||||||
const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP;
|
const mode_t perms = S_IRWXU | S_IXGRP;
|
||||||
if (user == NULL || app_id == NULL || container_id == NULL ||
|
if (user == NULL || app_id == NULL || container_id == NULL ||
|
||||||
local_dir == NULL || log_dir == NULL || work_dir == NULL ||
|
local_dir == NULL || log_dir == NULL || work_dir == NULL ||
|
||||||
user_detail == NULL || user_detail->pw_name == NULL) {
|
user_detail == NULL || user_detail->pw_name == NULL) {
|
||||||
|
@ -764,6 +764,9 @@ static int create_container_directories(const char* user, const char *app_id,
|
||||||
} else {
|
} else {
|
||||||
sprintf(combined_name, "%s/%s", app_id, container_id);
|
sprintf(combined_name, "%s/%s", app_id, container_id);
|
||||||
char* const* log_dir_ptr;
|
char* const* log_dir_ptr;
|
||||||
|
// Log dirs need 750 access
|
||||||
|
const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP;
|
||||||
|
|
||||||
for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
|
for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
|
||||||
char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
|
char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
|
||||||
int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
|
int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
|
||||||
|
@ -777,7 +780,7 @@ static int create_container_directories(const char* user, const char *app_id,
|
||||||
if (container_log_dir == NULL) {
|
if (container_log_dir == NULL) {
|
||||||
free(combined_name);
|
free(combined_name);
|
||||||
return OUT_OF_MEMORY;
|
return OUT_OF_MEMORY;
|
||||||
} else if (mkdirs(container_log_dir, perms) != 0) {
|
} else if (mkdirs(container_log_dir, logdir_perms) != 0) {
|
||||||
free(container_log_dir);
|
free(container_log_dir);
|
||||||
} else {
|
} else {
|
||||||
result = 0;
|
result = 0;
|
||||||
|
@ -1228,6 +1231,37 @@ int create_container_log_dirs(const char *container_id, const char *app_id,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Function to create the application directories.
|
||||||
|
* Returns pointer to primary_app_dir or NULL if it fails.
|
||||||
|
*/
|
||||||
|
static char *create_app_dirs(const char *user,
|
||||||
|
const char *app_id,
|
||||||
|
char* const* local_dirs)
|
||||||
|
{
|
||||||
|
// 750
|
||||||
|
mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
|
||||||
|
char* const* nm_root;
|
||||||
|
char *primary_app_dir = NULL;
|
||||||
|
for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
|
||||||
|
char *app_dir = get_app_directory(*nm_root, user, app_id);
|
||||||
|
if (app_dir == NULL) {
|
||||||
|
// try the next one
|
||||||
|
} else if (mkdirs(app_dir, permissions) != 0) {
|
||||||
|
free(app_dir);
|
||||||
|
} else if (primary_app_dir == NULL) {
|
||||||
|
primary_app_dir = app_dir;
|
||||||
|
} else {
|
||||||
|
free(app_dir);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (primary_app_dir == NULL) {
|
||||||
|
fprintf(LOGFILE, "Did not create any app directories\n");
|
||||||
|
}
|
||||||
|
return primary_app_dir;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Function to prepare the application directories for the container.
|
* Function to prepare the application directories for the container.
|
||||||
*/
|
*/
|
||||||
|
@ -1271,25 +1305,9 @@ int initialize_app(const char *user, const char *app_id,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
// 750
|
// Create application directories
|
||||||
mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
|
char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
|
||||||
char* const* nm_root;
|
|
||||||
char *primary_app_dir = NULL;
|
|
||||||
for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
|
|
||||||
char *app_dir = get_app_directory(*nm_root, user, app_id);
|
|
||||||
if (app_dir == NULL) {
|
|
||||||
// try the next one
|
|
||||||
} else if (mkdirs(app_dir, permissions) != 0) {
|
|
||||||
free(app_dir);
|
|
||||||
} else if (primary_app_dir == NULL) {
|
|
||||||
primary_app_dir = app_dir;
|
|
||||||
} else {
|
|
||||||
free(app_dir);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (primary_app_dir == NULL) {
|
if (primary_app_dir == NULL) {
|
||||||
fprintf(LOGFILE, "Did not create any app directories\n");
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1480,8 +1498,17 @@ int create_local_dirs(const char * user, const char *app_id,
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Create application directories if not already created by localization
|
||||||
|
char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
|
||||||
|
if (primary_app_dir == NULL) {
|
||||||
|
exit_code = COULD_NOT_CREATE_WORK_DIRECTORIES;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
free(primary_app_dir);
|
||||||
|
|
||||||
// Create container specific directories as user. If there are no resources
|
// Create container specific directories as user. If there are no resources
|
||||||
// to localize for this container, app-directories and log-directories are
|
// to localize for this container, log-directories are
|
||||||
// also created automatically as part of this call.
|
// also created automatically as part of this call.
|
||||||
int directory_create_result = create_container_directories(user, app_id,
|
int directory_create_result = create_container_directories(user, app_id,
|
||||||
container_id, local_dirs, log_dirs, work_dir);
|
container_id, local_dirs, log_dirs, work_dir);
|
||||||
|
|
|
@ -939,6 +939,18 @@ void test_run_container() {
|
||||||
printf("FAIL: failed to create container directory %s\n", container_dir);
|
printf("FAIL: failed to create container directory %s\n", container_dir);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
// Verify no group read permission on container_dir
|
||||||
|
struct stat st_buf;
|
||||||
|
if (stat(container_dir, &st_buf) < 0) {
|
||||||
|
printf("FAIL: failed to stat container directory %s\n", container_dir);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
if ((st_buf.st_mode & S_IRGRP) != 0) {
|
||||||
|
printf("FAIL: group read permission should not be set on "
|
||||||
|
"container directory %s\n", container_dir);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
char buffer[100000];
|
char buffer[100000];
|
||||||
sprintf(buffer, "%s/foobar", container_dir);
|
sprintf(buffer, "%s/foobar", container_dir);
|
||||||
if (access(buffer, R_OK) != 0) {
|
if (access(buffer, R_OK) != 0) {
|
||||||
|
|
Loading…
Reference in New Issue