首頁 探索 說明
註冊 登入
apache
/
hadoop
镜像来自 https://github.com/apache/hadoop.git
2
0
複刻 1
檔案 問題管理 0 Wiki
瀏覽代碼

YARN-8927. Added support for top level Dockerhub images to trusted registry using library keyword.
Contributed by Zhankun Tang

Eric Yang 6 年之前
父節點
de934ba2dc
當前提交
7c1b561e33
共有 2 個文件被更改,包括 54 次插入0 次删除
統一視圖 顯示文件統計
  1. 13 0
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
  2. 41 0
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc

+ 13 - 0
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
查看文件 

@@ -113,6 +113,7 @@ int check_trusted_image(const struct configuration *command_config, const struct
 
   int found = 0;
 
   int found = 0;
 
   int i = 0;
 
   int i = 0;
 
   int ret = 0;
 
   int ret = 0;
 
+  int no_registry_prefix_in_image_name = 0;
 
   char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
 
   char *image_name = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, command_config);
 
   char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
 
   char **privileged_registry = get_configuration_values_delimiter("docker.trusted.registries", CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
 
   char *registry_ptr = NULL;
 
   char *registry_ptr = NULL;
 
@@ -120,8 +121,20 @@ int check_trusted_image(const struct configuration *command_config, const struct
 
     ret = INVALID_DOCKER_IMAGE_NAME;
 
     ret = INVALID_DOCKER_IMAGE_NAME;
 
     goto free_and_exit;
 
     goto free_and_exit;
 
   }
 
   }
 
+  if (strchr(image_name, '/') == NULL) {
 
+    no_registry_prefix_in_image_name = 1;
 
+  }
 
   if (privileged_registry != NULL) {
 
   if (privileged_registry != NULL) {
 
     for (i = 0; privileged_registry[i] != NULL; i++) {
 
     for (i = 0; privileged_registry[i] != NULL; i++) {
 
+      // "library" means we trust public top
 
+      if (strncmp(privileged_registry[i], "library", strlen("library")) == 0) {
 
+        if (no_registry_prefix_in_image_name) {
 
+          // if image doesn't exists, docker pull will automatically happen
 
+          found = 1;
 
+          fprintf(LOGFILE, "image: %s is a trusted top-level image.\n", image_name);
 
+          break;
 
+        }
 
+      }
 
       int len = strlen(privileged_registry[i]);
 
       int len = strlen(privileged_registry[i]);
 
       if (privileged_registry[i][len - 1] != '/') {
 
       if (privileged_registry[i][len - 1] != '/') {
 
         registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));
 
         registry_ptr = (char *) alloc_and_clear_memory(len + 2, sizeof(char));

+ 41 - 0
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc
查看文件 

@@ -1921,4 +1921,45 @@ namespace ContainerExecutor {
 
     run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
 
     run_docker_command_test(file_cmd_vec, bad_file_cmd_vec, get_docker_exec_command);
 
     free_configuration(&container_executor_cfg);
 
     free_configuration(&container_executor_cfg);
 
   }
 
   }
 
+
 
+  TEST_F(TestDockerUtil, test_trusted_top_level_image) {
 
+    struct configuration container_cfg, cmd_cfg;
 
+    std::string container_executor_contents = "[docker]\n"
 
+        "  docker.trusted.registries=library\n";
 
+    write_file(container_executor_cfg_file, container_executor_contents);
 
+    int ret = read_config(container_executor_cfg_file.c_str(), &container_cfg);
 
+    if (ret != 0) {
 
+      FAIL();
 
+    }
 
+    ret = create_ce_file();
 
+    if (ret != 0) {
 
+      std::cerr << "Could not create ce file, skipping test" << std::endl;
 
+      return;
 
+    }
 
+    std::vector<std::pair<std::string, std::string> > file_cmd_vec;
 
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
 
+        "[docker-command-execution]\n"
 
+            "  image=centos",
 
+        "centos"));
 
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
 
+        "[docker-command-execution]\n"
 
+            "  image=ubuntu:latest",
 
+        "centos"));
 
+    file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
 
+        "[docker-command-execution]\n"
 
+            "  image=library/centos",
 
+        "centos"));
 
+    std::vector<std::pair<std::string, std::string> >::const_iterator itr;
 
+
 
+    for (itr = file_cmd_vec.begin(); itr != file_cmd_vec.end(); ++itr) {
 
+      write_command_file(itr->first);
 
+      ret = read_config(docker_command_file.c_str(), &cmd_cfg);
 
+      if (ret != 0) {
 
+        FAIL();
 
+      }
 
+      ret = check_trusted_image(&cmd_cfg, &container_cfg);
 
+      ASSERT_EQ(0, ret);
 
+    }
 
+    free_configuration(&container_cfg);
 
+  }
 
 }
 
 }