Package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime

Class JavaSandboxLinuxContainerRuntime

java.lang.Object

org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DefaultLinuxContainerRuntime

org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.JavaSandboxLinuxContainerRuntime

All Implemented Interfaces:

LinuxContainerRuntime, ContainerRuntime

@Private
@Unstable
public class JavaSandboxLinuxContainerRuntime
extends DefaultLinuxContainerRuntime

This class extends the DefaultLinuxContainerRuntime specifically for containers which run Java commands. It generates a new java security policy file per container and modifies the java command to enable the Java Security Manager with the generated policy.

The behavior of the JavaSandboxLinuxContainerRuntime can be modified using the following settings:

• "yarn.nodemanager.runtime.linux.sandbox-mode" : This yarn-site.xml setting has three options:
  • disabled - Default behavior. LinuxContainerRuntime is disabled
  • permissive - JVM containers will run with Java Security Manager enabled. Non-JVM containers will run normally
  • enforcing - JVM containers will run with Java Security Manager enabled. Non-JVM containers will be prevented from executing and an ContainerExecutionException will be thrown.
• "yarn.nodemanager.runtime.linux.sandbox-mode.local-dirs.permissions" : Determines the file permissions for the application directories. The permissions come in the form of comma separated values (e.g. read,write,execute,delete). Defaults to read for read-only.
• "yarn.nodemanager.runtime.linux.sandbox-mode.policy" : Accepts canonical path to a java policy file on the local filesystem. This file will be loaded as the base policy, any additional container grants will be appended to this base file. If not specified, the default java.policy file provided with hadoop resources will be used.
• "yarn.nodemanager.runtime.linux.sandbox-mode.whitelist-group" : Optional setting to specify a YARN queue which will be exempt from the sand-boxing process.
• "yarn.nodemanager.runtime.linux.sandbox-mode.policy.group."$groupName : Optional setting to map groups to java policy files. The value is a path to the java policy file for $groupName. A user which is a member of multiple groups with different policies will receive the superset of all the permissions across their groups.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	JavaSandboxLinuxContainerRuntime.SandboxMode	Enumeration of the modes the JavaSandboxLinuxContainerRuntime can use.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	POLICY_FILE_DIR

Constructor Summary

Constructors

Constructor	Description
JavaSandboxLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor)	Create an instance using the given PrivilegedOperationExecutor instance for performing operations.

Method Summary

Modifier and Type	Method	Description
void	initialize(org.apache.hadoop.conf.Configuration conf, Context nmContext)	Initialize the runtime.
boolean	isRuntimeRequested(Map<String,String> env)	Determine if JVMSandboxLinuxContainerRuntime should be used.
void	launchContainer(ContainerRuntimeContext ctx)	Launch a container.
void	prepareContainer(ContainerRuntimeContext ctx)	Prior to environment from being written locally need to generate policy file which limits container access to a small set of directories.
void	relaunchContainer(ContainerRuntimeContext ctx)	Relaunch a container.

Methods inherited from class org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DefaultLinuxContainerRuntime

execContainer, getExposedPorts, getIpAndHost, reapContainer, signalContainer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime

getLocalResources, start, stop

Field Details

POLICY_FILE_DIR

public static final String POLICY_FILE_DIR

See Also:

• Constant Field Values

Constructor Details

JavaSandboxLinuxContainerRuntime

public JavaSandboxLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor)

Create an instance using the given PrivilegedOperationExecutor instance for performing operations.

Parameters:

privilegedOperationExecutor - the PrivilegedOperationExecutor instance

Method Details

initialize

public void initialize(org.apache.hadoop.conf.Configuration conf,
 Context nmContext)
                throws ContainerExecutionException

Description copied from interface: LinuxContainerRuntime

Initialize the runtime.

Specified by:

initialize in interface LinuxContainerRuntime

Overrides:

initialize in class DefaultLinuxContainerRuntime

Parameters:

conf - the Configuration to use

nmContext - NMContext

Throws:

ContainerExecutionException - if an error occurs while initializing the runtime

prepareContainer

public void prepareContainer(ContainerRuntimeContext ctx)
                      throws ContainerExecutionException

Prior to environment from being written locally need to generate policy file which limits container access to a small set of directories. Additionally the container run command needs to be modified to include flags to enable the java security manager with the generated policy.
The Java Sandbox will be circumvented if the user is a member of the group specified in: "yarn.nodemanager.runtime.linux.sandbox-mode.whitelist-group" and if they do not include the JVM flag -Djava.security.manager.

Specified by:

prepareContainer in interface ContainerRuntime

Overrides:

prepareContainer in class DefaultLinuxContainerRuntime

Parameters:

ctx - The ContainerRuntimeContext containing container setup properties.

Throws:

ContainerExecutionException - Exception thrown if temporary policy file directory can't be created, or if any exceptions occur during policy file parsing and generation.

launchContainer

public void launchContainer(ContainerRuntimeContext ctx)
                     throws ContainerExecutionException

Description copied from interface: ContainerRuntime

Launch a container.

Specified by:

launchContainer in interface ContainerRuntime

Overrides:

launchContainer in class DefaultLinuxContainerRuntime

Parameters:

ctx - the ContainerRuntimeContext

Throws:

ContainerExecutionException - if an error occurs while launching the container

relaunchContainer

public void relaunchContainer(ContainerRuntimeContext ctx)
                       throws ContainerExecutionException

Description copied from interface: ContainerRuntime

Relaunch a container.

Specified by:

relaunchContainer in interface ContainerRuntime

Overrides:

relaunchContainer in class DefaultLinuxContainerRuntime

Parameters:

ctx - the ContainerRuntimeContext

Throws:

ContainerExecutionException - if an error occurs while relaunching the container

isRuntimeRequested

public boolean isRuntimeRequested(Map<String,String> env)

Determine if JVMSandboxLinuxContainerRuntime should be used. This is decided based on the value of "yarn.nodemanager.runtime.linux.sandbox-mode"

Specified by:

isRuntimeRequested in interface LinuxContainerRuntime

Overrides:

isRuntimeRequested in class DefaultLinuxContainerRuntime

Parameters:

env - the environment variable settings for the operation

Returns:

true if Sandbox is requested, false otherwise