YARN-6919. Add default volume mount list. Contributed by Eric Badger
This commit is contained in:
parent
923c833da4
commit
de43b41d0f
|
@ -1949,6 +1949,16 @@ public class YarnConfiguration extends Configuration {
|
||||||
*/
|
*/
|
||||||
public static final boolean DEFAULT_NM_DOCKER_ALLOW_DELAYED_REMOVAL = false;
|
public static final boolean DEFAULT_NM_DOCKER_ALLOW_DELAYED_REMOVAL = false;
|
||||||
|
|
||||||
|
/** The default list of read-only mounts to be bind-mounted into all
|
||||||
|
* Docker containers that use DockerContainerRuntime. */
|
||||||
|
public static final String NM_DOCKER_DEFAULT_RO_MOUNTS =
|
||||||
|
DOCKER_CONTAINER_RUNTIME_PREFIX + "default-ro-mounts";
|
||||||
|
|
||||||
|
/** The default list of read-write mounts to be bind-mounted into all
|
||||||
|
* Docker containers that use DockerContainerRuntime. */
|
||||||
|
public static final String NM_DOCKER_DEFAULT_RW_MOUNTS =
|
||||||
|
DOCKER_CONTAINER_RUNTIME_PREFIX + "default-rw-mounts";
|
||||||
|
|
||||||
/** The mode in which the Java Container Sandbox should run detailed by
|
/** The mode in which the Java Container Sandbox should run detailed by
|
||||||
* the JavaSandboxLinuxContainerRuntime. */
|
* the JavaSandboxLinuxContainerRuntime. */
|
||||||
public static final String YARN_CONTAINER_SANDBOX =
|
public static final String YARN_CONTAINER_SANDBOX =
|
||||||
|
|
|
@ -1786,6 +1786,20 @@
|
||||||
<value>false</value>
|
<value>false</value>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>The default list of read-only mounts to be bind-mounted
|
||||||
|
into all Docker containers that use DockerContainerRuntime.</description>
|
||||||
|
<name>yarn.nodemanager.runtime.linux.docker.default-ro-mounts</name>
|
||||||
|
<value></value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>The default list of read-write mounts to be bind-mounted
|
||||||
|
into all Docker containers that use DockerContainerRuntime.</description>
|
||||||
|
<name>yarn.nodemanager.runtime.linux.docker.default-rw-mounts</name>
|
||||||
|
<value></value>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<description>The mode in which the Java Container Sandbox should run detailed by
|
<description>The mode in which the Java Container Sandbox should run detailed by
|
||||||
the JavaSandboxLinuxContainerRuntime.</description>
|
the JavaSandboxLinuxContainerRuntime.</description>
|
||||||
|
|
|
@ -237,6 +237,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
private int userRemappingGidThreshold;
|
private int userRemappingGidThreshold;
|
||||||
private Set<String> capabilities;
|
private Set<String> capabilities;
|
||||||
private boolean delayedRemovalAllowed;
|
private boolean delayedRemovalAllowed;
|
||||||
|
private Set<String> defaultROMounts = new HashSet<>();
|
||||||
|
private Set<String> defaultRWMounts = new HashSet<>();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return whether the given environment variables indicate that the operation
|
* Return whether the given environment variables indicate that the operation
|
||||||
|
@ -299,6 +301,8 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
this.conf = conf;
|
this.conf = conf;
|
||||||
dockerClient = new DockerClient(conf);
|
dockerClient = new DockerClient(conf);
|
||||||
allowedNetworks.clear();
|
allowedNetworks.clear();
|
||||||
|
defaultROMounts.clear();
|
||||||
|
defaultRWMounts.clear();
|
||||||
allowedNetworks.addAll(Arrays.asList(
|
allowedNetworks.addAll(Arrays.asList(
|
||||||
conf.getTrimmedStrings(
|
conf.getTrimmedStrings(
|
||||||
YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS,
|
YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS,
|
||||||
|
@ -340,6 +344,14 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
delayedRemovalAllowed = conf.getBoolean(
|
delayedRemovalAllowed = conf.getBoolean(
|
||||||
YarnConfiguration.NM_DOCKER_ALLOW_DELAYED_REMOVAL,
|
YarnConfiguration.NM_DOCKER_ALLOW_DELAYED_REMOVAL,
|
||||||
YarnConfiguration.DEFAULT_NM_DOCKER_ALLOW_DELAYED_REMOVAL);
|
YarnConfiguration.DEFAULT_NM_DOCKER_ALLOW_DELAYED_REMOVAL);
|
||||||
|
|
||||||
|
defaultROMounts.addAll(Arrays.asList(
|
||||||
|
conf.getTrimmedStrings(
|
||||||
|
YarnConfiguration.NM_DOCKER_DEFAULT_RO_MOUNTS)));
|
||||||
|
|
||||||
|
defaultRWMounts.addAll(Arrays.asList(
|
||||||
|
conf.getTrimmedStrings(
|
||||||
|
YarnConfiguration.NM_DOCKER_DEFAULT_RW_MOUNTS)));
|
||||||
}
|
}
|
||||||
|
|
||||||
private Set<String> getDockerCapabilitiesFromConf() throws
|
private Set<String> getDockerCapabilitiesFromConf() throws
|
||||||
|
@ -833,6 +845,32 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(defaultROMounts != null && !defaultROMounts.isEmpty()) {
|
||||||
|
for (String mount : defaultROMounts) {
|
||||||
|
String[] dir = StringUtils.split(mount, ':');
|
||||||
|
if (dir.length != 2) {
|
||||||
|
throw new ContainerExecutionException("Invalid mount : " +
|
||||||
|
mount);
|
||||||
|
}
|
||||||
|
String src = dir[0];
|
||||||
|
String dst = dir[1];
|
||||||
|
runCommand.addReadOnlyMountLocation(src, dst);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(defaultRWMounts != null && !defaultRWMounts.isEmpty()) {
|
||||||
|
for (String mount : defaultRWMounts) {
|
||||||
|
String[] dir = StringUtils.split(mount, ':');
|
||||||
|
if (dir.length != 2) {
|
||||||
|
throw new ContainerExecutionException("Invalid mount : " +
|
||||||
|
mount);
|
||||||
|
}
|
||||||
|
String src = dir[0];
|
||||||
|
String dst = dir[1];
|
||||||
|
runCommand.addReadWriteMountLocation(src, dst);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (allowHostPidNamespace(container)) {
|
if (allowHostPidNamespace(container)) {
|
||||||
runCommand.setPidNamespace("host");
|
runCommand.setPidNamespace("host");
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,6 +82,8 @@ import java.util.Random;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.concurrent.ConcurrentMap;
|
import java.util.concurrent.ConcurrentMap;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.yarn.conf.YarnConfiguration.NM_DOCKER_DEFAULT_RO_MOUNTS;
|
||||||
|
import static org.apache.hadoop.yarn.conf.YarnConfiguration.NM_DOCKER_DEFAULT_RW_MOUNTS;
|
||||||
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER;
|
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER;
|
||||||
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntimeConstants.APPID;
|
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntimeConstants.APPID;
|
||||||
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntimeConstants.APPLICATION_LOCAL_DIRS;
|
import static org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntimeConstants.APPLICATION_LOCAL_DIRS;
|
||||||
|
@ -1326,6 +1328,142 @@ public class TestDockerContainerRuntime {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultROMounts()
|
||||||
|
throws ContainerExecutionException, PrivilegedOperationException,
|
||||||
|
IOException {
|
||||||
|
conf.setStrings(NM_DOCKER_DEFAULT_RO_MOUNTS,
|
||||||
|
"/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar");
|
||||||
|
DockerLinuxContainerRuntime runtime = new DockerLinuxContainerRuntime(
|
||||||
|
mockExecutor, mockCGroupsHandler);
|
||||||
|
runtime.initialize(conf, nmContext);
|
||||||
|
|
||||||
|
runtime.launchContainer(builder.build());
|
||||||
|
PrivilegedOperation op = capturePrivilegedOperationAndVerifyArgs();
|
||||||
|
List<String> args = op.getArguments();
|
||||||
|
String dockerCommandFile = args.get(11);
|
||||||
|
|
||||||
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
|
int expected = 14;
|
||||||
|
int counter = 0;
|
||||||
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" cap-add=SYS_CHROOT,NET_BIND_SERVICE",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" cap-drop=ALL", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" detach=true", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" docker-command=run", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" group-add=" + String.join(",", groups),
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" image=busybox:latest",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir,"
|
||||||
|
+ "/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
|
dockerCommands.get(counter));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultROMountsInvalid() throws ContainerExecutionException {
|
||||||
|
conf.setStrings(NM_DOCKER_DEFAULT_RO_MOUNTS,
|
||||||
|
"source,target");
|
||||||
|
DockerLinuxContainerRuntime runtime = new DockerLinuxContainerRuntime(
|
||||||
|
mockExecutor, mockCGroupsHandler);
|
||||||
|
runtime.initialize(conf, nmContext);
|
||||||
|
|
||||||
|
try {
|
||||||
|
runtime.launchContainer(builder.build());
|
||||||
|
Assert.fail("Expected a launch container failure due to invalid mount.");
|
||||||
|
} catch (ContainerExecutionException e) {
|
||||||
|
LOG.info("Caught expected exception : " + e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultRWMounts()
|
||||||
|
throws ContainerExecutionException, PrivilegedOperationException,
|
||||||
|
IOException {
|
||||||
|
conf.setStrings(NM_DOCKER_DEFAULT_RW_MOUNTS,
|
||||||
|
"/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar");
|
||||||
|
DockerLinuxContainerRuntime runtime = new DockerLinuxContainerRuntime(
|
||||||
|
mockExecutor, mockCGroupsHandler);
|
||||||
|
runtime.initialize(conf, nmContext);
|
||||||
|
|
||||||
|
runtime.launchContainer(builder.build());
|
||||||
|
PrivilegedOperation op = capturePrivilegedOperationAndVerifyArgs();
|
||||||
|
List<String> args = op.getArguments();
|
||||||
|
String dockerCommandFile = args.get(11);
|
||||||
|
|
||||||
|
List<String> dockerCommands = Files.readAllLines(
|
||||||
|
Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
|
||||||
|
|
||||||
|
int expected = 14;
|
||||||
|
int counter = 0;
|
||||||
|
Assert.assertEquals(expected, dockerCommands.size());
|
||||||
|
Assert.assertEquals("[docker-command-execution]",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" cap-add=SYS_CHROOT,NET_BIND_SERVICE",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" cap-drop=ALL", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" detach=true", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" docker-command=run", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" group-add=" + String.join(",", groups),
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" image=busybox:latest",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" launch-command=bash,/test_container_work_dir/launch_container.sh",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" name=container_e11_1518975676334_14532816_01_000001",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" net=host", dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" ro-mounts=/test_filecache_dir:/test_filecache_dir,"
|
||||||
|
+ "/test_user_filecache_dir:/test_user_filecache_dir",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(
|
||||||
|
" rw-mounts=/test_container_log_dir:/test_container_log_dir,"
|
||||||
|
+ "/test_application_local_dir:/test_application_local_dir,"
|
||||||
|
+ "/tmp/foo:/tmp/foo,/tmp/bar:/tmp/bar",
|
||||||
|
dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" user=" + uidGidPair, dockerCommands.get(counter++));
|
||||||
|
Assert.assertEquals(" workdir=/test_container_work_dir",
|
||||||
|
dockerCommands.get(counter));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultRWMountsInvalid() throws ContainerExecutionException {
|
||||||
|
conf.setStrings(NM_DOCKER_DEFAULT_RW_MOUNTS,
|
||||||
|
"source,target");
|
||||||
|
DockerLinuxContainerRuntime runtime = new DockerLinuxContainerRuntime(
|
||||||
|
mockExecutor, mockCGroupsHandler);
|
||||||
|
runtime.initialize(conf, nmContext);
|
||||||
|
|
||||||
|
try {
|
||||||
|
runtime.launchContainer(builder.build());
|
||||||
|
Assert.fail("Expected a launch container failure due to invalid mount.");
|
||||||
|
} catch (ContainerExecutionException e) {
|
||||||
|
LOG.info("Caught expected exception : " + e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testContainerLivelinessCheck()
|
public void testContainerLivelinessCheck()
|
||||||
throws ContainerExecutionException, PrivilegedOperationException {
|
throws ContainerExecutionException, PrivilegedOperationException {
|
||||||
|
|
Loading…
Reference in New Issue