diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index fb9f499943b..37a2b0b05c3 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -1423,6 +1423,22 @@ public class YarnConfiguration extends Configuration { /** Prefix for runtime configuration constants. */ public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX + "runtime.linux."; + + /** + * Comma separated list of runtimes that are allowed when using + * LinuxContainerExecutor. The allowed values are: + * + */ + public static final String LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES = + LINUX_CONTAINER_RUNTIME_PREFIX + "allowed-runtimes"; + + /** The default list of allowed runtimes when using LinuxContainerExecutor. */ + public static final String[] DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + = {"default"}; + public static final String DOCKER_CONTAINER_RUNTIME_PREFIX = LINUX_CONTAINER_RUNTIME_PREFIX + "docker."; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 5dceedcbc81..7cb79ada31a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml @@ -1537,6 +1537,14 @@ false + + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. The allowed values are default and docker. + + yarn.nodemanager.runtime.linux.allowed-runtimes + default + + This configuration setting determines the capabilities assigned to docker containers when they are launched. While these may not diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java index 5a19d2b8e2a..b0f06c2231f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java @@ -52,6 +52,7 @@ import org.apache.hadoop.yarn.exceptions.ConfigurationException; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerReacquisitionContext; @@ -656,7 +657,8 @@ public abstract class ContainerExecutor implements Configurable { } // LinuxContainerExecutor overrides this method and behaves differently. - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return getLocalIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java index 77b72bcb269..419d66f7d78 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java @@ -600,7 +600,8 @@ public class LinuxContainerExecutor extends ContainerExecutor { } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { return linuxContainerRuntime.getIpAndHost(container); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java index 25cb7d56143..f1f4451beec 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java @@ -20,9 +20,11 @@ package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; +import com.google.common.annotations.VisibleForTesting; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor; import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; @@ -31,6 +33,7 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.Contai import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.EnumSet; import java.util.Map; /** @@ -49,28 +52,50 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { LoggerFactory.getLogger(DelegatingLinuxContainerRuntime.class); private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime; private DockerLinuxContainerRuntime dockerLinuxContainerRuntime; + private EnumSet allowedRuntimes = + EnumSet.noneOf(LinuxContainerRuntimeConstants.RuntimeType.class); @Override public void initialize(Configuration conf) throws ContainerExecutionException { - PrivilegedOperationExecutor privilegedOperationExecutor = - PrivilegedOperationExecutor.getInstance(conf); - defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( - privilegedOperationExecutor); - defaultLinuxContainerRuntime.initialize(conf); - dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( - privilegedOperationExecutor); - dockerLinuxContainerRuntime.initialize(conf); + String[] configuredRuntimes = conf.getTrimmedStrings( + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES); + for (String configuredRuntime : configuredRuntimes) { + try { + allowedRuntimes.add( + LinuxContainerRuntimeConstants.RuntimeType.valueOf( + configuredRuntime.toUpperCase())); + } catch (IllegalArgumentException e) { + throw new ContainerExecutionException("Invalid runtime set in " + + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + " : " + + configuredRuntime); + } + } + if (isRuntimeAllowed(LinuxContainerRuntimeConstants.RuntimeType.DOCKER)) { + dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( + PrivilegedOperationExecutor.getInstance(conf)); + dockerLinuxContainerRuntime.initialize(conf); + } + if (isRuntimeAllowed(LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)) { + defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( + PrivilegedOperationExecutor.getInstance(conf)); + defaultLinuxContainerRuntime.initialize(conf); + } } - private LinuxContainerRuntime pickContainerRuntime(Container container) { - Map env = container.getLaunchContext().getEnvironment(); + @VisibleForTesting + LinuxContainerRuntime pickContainerRuntime( + Map environment) throws ContainerExecutionException { LinuxContainerRuntime runtime; - - if (DockerLinuxContainerRuntime.isDockerContainerRequested(env)){ + if (dockerLinuxContainerRuntime != null && + DockerLinuxContainerRuntime.isDockerContainerRequested(environment)){ runtime = dockerLinuxContainerRuntime; - } else { + } else if (defaultLinuxContainerRuntime != null && + !DockerLinuxContainerRuntime.isDockerContainerRequested(environment)) { runtime = defaultLinuxContainerRuntime; + } else { + throw new ContainerExecutionException("Requested runtime not allowed."); } if (LOG.isDebugEnabled()) { @@ -81,6 +106,11 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { return runtime; } + private LinuxContainerRuntime pickContainerRuntime(Container container) + throws ContainerExecutionException { + return pickContainerRuntime(container.getLaunchContext().getEnvironment()); + } + @Override public void prepareContainer(ContainerRuntimeContext ctx) throws ContainerExecutionException { @@ -118,8 +148,15 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime { } @Override - public String[] getIpAndHost(Container container) { + public String[] getIpAndHost(Container container) + throws ContainerExecutionException { LinuxContainerRuntime runtime = pickContainerRuntime(container); return runtime.getIpAndHost(container); } + + @VisibleForTesting + boolean isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType runtimeType) { + return allowedRuntimes.contains(runtimeType); + } } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java index 0c1ec3e14af..7cea4d381e8 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/LinuxContainerRuntimeConstants.java @@ -31,6 +31,14 @@ public final class LinuxContainerRuntimeConstants { private LinuxContainerRuntimeConstants() { } + /** + * Linux container runtime types for {@link DelegatingLinuxContainerRuntime}. + */ + public enum RuntimeType { + DEFAULT, + DOCKER; + } + public static final Attribute LOCALIZED_RESOURCES = Attribute .attribute(Map.class, "localized_resources"); public static final Attribute CONTAINER_LAUNCH_PREFIX_COMMANDS = diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java index b15690f808d..7caa0edf4de 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java @@ -77,6 +77,10 @@ public interface ContainerRuntime { /** * Return the host and ip of the container + * + * @param container the {@link Container} + * @throws ContainerExecutionException if an error occurs while getting the ip + * and hostname */ - String[] getIpAndHost(Container container); + String[] getIpAndHost(Container container) throws ContainerExecutionException; } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java new file mode 100644 index 00000000000..4edc8cb0780 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java @@ -0,0 +1,80 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.yarn.conf.YarnConfiguration; +import org.junit.Before; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.*; + +/** + * Test container runtime delegation. + */ +public class TestDelegatingLinuxContainerRuntime { + + private DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime; + private Configuration conf; + private Map env = new HashMap<>(); + + @Before + public void setUp() throws Exception { + delegatingLinuxContainerRuntime = new DelegatingLinuxContainerRuntime(); + conf = new Configuration(); + env.clear(); + } + + @Test + public void testIsRuntimeAllowedDefault() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES[0]); + System.out.println(conf.get( + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES)); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + } + + @Test + public void testIsRuntimeAllowedDocker() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "docker"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + } + + + @Test + public void testIsRuntimeAllowedMultiple() throws Exception { + conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES, + "default,docker"); + delegatingLinuxContainerRuntime.initialize(conf); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DOCKER)); + assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed( + LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)); + } +} \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md index 4de0a6ae489..bc40e34ab01 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md @@ -71,68 +71,82 @@ request. For example: The following properties should be set in yarn-site.xml: ```xml - - yarn.nodemanager.container-executor.class - org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor - - This is the container executor setting that ensures that all applications - are started with the LinuxContainerExecutor. - - + + + yarn.nodemanager.container-executor.class + org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor + + This is the container executor setting that ensures that all applications + are started with the LinuxContainerExecutor. + + - - yarn.nodemanager.linux-container-executor.group - hadoop - - The POSIX group of the NodeManager. It should match the setting in - "container-executor.cfg". This configuration is required for validating - the secure access of the container-executor binary. - - + + yarn.nodemanager.linux-container-executor.group + hadoop + + The POSIX group of the NodeManager. It should match the setting in + "container-executor.cfg". This configuration is required for validating + the secure access of the container-executor binary. + + - - yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users - false - - Whether all applications should be run as the NodeManager process' owner. - When false, applications are launched instead as the application owner. - - + + yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users + false + + Whether all applications should be run as the NodeManager process' owner. + When false, applications are launched instead as the application owner. + + - - yarn.nodemanager.runtime.linux.docker.allowed-container-networks - host,none,bridge - - Optional. A comma-separated set of networks allowed when launching - containers. Valid values are determined by Docker networks available from - `docker network ls` - - + + yarn.nodemanager.runtime.linux.allowed-runtimes + default,docker + + Comma separated list of runtimes that are allowed when using + LinuxContainerExecutor. The allowed values are default and docker. + + - - The network used when launching Docker containers when no - network is specified in the request. This network must be one of the - (configurable) set of allowed container networks. - yarn.nodemanager.runtime.linux.docker.default-container-network - host - + + yarn.nodemanager.runtime.linux.docker.allowed-container-networks + host,none,bridge + + Optional. A comma-separated set of networks allowed when launching + containers. Valid values are determined by Docker networks available from + `docker network ls` + + - - yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed - false - - Optional. Whether applications are allowed to run in privileged containers. - - + + yarn.nodemanager.runtime.linux.docker.default-container-network + host + + The network used when launching Docker containers when no + network is specified in the request. This network must be one of the + (configurable) set of allowed container networks. + + - - yarn.nodemanager.runtime.linux.docker.privileged-containers.acl - - - Optional. A comma-separated list of users who are allowed to request - privileged contains if privileged containers are allowed. - - + + yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed + false + + Optional. Whether applications are allowed to run in privileged + containers. + + + + + yarn.nodemanager.runtime.linux.docker.privileged-containers.acl + + + Optional. A comma-separated list of users who are allowed to request + privileged contains if privileged containers are allowed. + + + ``` In addition, a container-executer.cfg file must exist and contain settings for