YARN-8927. Added support for top level Dockerhub images to trusted registry using library keyword.

           Contributed by Zhankun Tang

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c

@@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct
   int found = 0;
   int i = 0;
   int ret = 0;
+  int no_registry_prefix_in_image_name = 0;
   char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
   char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
   char *registry_ptr = NULL;
@@ -120,8 +121,20 @@ int check_trusted_image(const struct configuration *command_config, const struct
     ret = INVALID_DOCKER_IMAGE_NAME;
     goto free_and_exit;
   }
+  if (strchr(image_name, '/') == NULL) {
+    no_registry_prefix_in_image_name = 1;
+  }
   if (privileged_registry != NULL) {
     for (i = 0; privileged_registry[i] != NULL; i++) {
+      // "library" means we trust public top
+      if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) {
+        if (no_registry_prefix_in_image_name) {
+          // if image doesn't exists, docker pull will automatically happen
+          found = 1;
+          fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name);
+          break;
+        }
+      }
       int len = strlen(privileged_registry[i]);
       if (privileged_registry[i][len - 1] != '/') {
         registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc

@@ -1921,4 +1921,45 @@ namespace ContainerExecutor {
     run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
     free_configuration(&container_executor_cfg);
   }
+
+  TEST_F(TestDockerUtil, test_trusted_top_level_image) {
+    struct configuration container_cfg, cmd_cfg;
+    std::string container_executor_contents = "[docker]\n"
+        "  docker.trusted.registries=library\n";
+    write_file(container_executor_cfg_file, container_executor_contents);
+    int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
+    if (ret != 0) {
+      FAIL();
+    }
+    ret = create_ce_file();
+    if (ret != 0) {
+      std::cerr << "Could not create ce file, skipping test" << std::endl;
+      return;
+    }
+    std::vector<std::pair<std::string, std::string> > file_cmd_vec;
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+        "[docker-command-execution]\n"
+            "  image=centos",
+        "centos"));
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+        "[docker-command-execution]\n"
+            "  image=ubuntu:latest",
+        "centos"));
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
+        "[docker-command-execution]\n"
+            "  image=library/centos",
+        "centos"));
+    std::vector<std::pair<std::string, std::string> >::const_iterator itr;
+
+    for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
+      write_command_file(itr->first);
+      ret = read_config(docker_command_file.c_str(), &cmd_cfg);
+      if (ret != 0) {
+        FAIL();
+      }
+      ret = check_trusted_image(&cmd_cfg, &container_cfg);
+      ASSERT_EQ(0, ret);
+    }
+    free_configuration(&container_cfg);
+  }
 }