Use of org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException in project hadoop by apache.
The class JavaSandboxLinuxContainerRuntime, method initializePolicyDir.
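/**
 * Initialize the Java Security Policy directory. Either creates the
 * directory if it doesn't exist, or clears the contents of the directory if
 * already created.
 * <p>
 * The directory is {@code hadoop.tmp.dir}/{@code POLICY_FILE_DIR}. Clearing is
 * not recursive: only direct entries are deleted, and a non-empty
 * sub-directory makes {@link Files#delete(Path)} fail, which is reported as a
 * {@link ContainerExecutionException}. {@code POLICY_ATTR} is applied only
 * when the directory is newly created; an already-existing directory keeps
 * whatever attributes it had.
 * <p>
 * The underlying {@link IOException} is attached as the cause of the thrown
 * exception so the original stack trace is not lost.
 *
 * @throws ContainerExecutionException If {@code hadoop.tmp.dir} is not
 * configured, or if the policy directory can't be created or cleared.
 */
private void initializePolicyDir() throws ContainerExecutionException {
  String hadoopTempDir = configuration.get("hadoop.tmp.dir");
  if (hadoopTempDir == null) {
    throw new ContainerExecutionException("hadoop.tmp.dir not set!");
  }
  policyFileDir = Paths.get(hadoopTempDir, POLICY_FILE_DIR);
  if (Files.exists(policyFileDir)) {
    // Delete any existing policy files if the directory has already been
    // created. Nested directories are not walked.
    try (DirectoryStream<Path> stream = Files.newDirectoryStream(policyFileDir)) {
      for (Path policyFile : stream) {
        Files.delete(policyFile);
      }
    } catch (IOException e) {
      ContainerExecutionException cee = new ContainerExecutionException(
          "Unable to initialize policy " + "directory: " + e);
      // The String constructor leaves the cause unset; chain it so the
      // original failure is diagnosable from the stack trace.
      cee.initCause(e);
      throw cee;
    }
  } else {
    try {
      // policyFileDir already holds hadoopTempDir/POLICY_FILE_DIR; the new
      // directory (and any missing parents) is created with POLICY_ATTR.
      policyFileDir = Files.createDirectories(policyFileDir, POLICY_ATTR);
    } catch (IOException e) {
      ContainerExecutionException cee = new ContainerExecutionException(
          "Unable to create policy file " + "directory: " + e);
      cee.initCause(e);
      throw cee;
    }
  }
}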
Use of org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException in project hadoop by apache.
The class JavaSandboxLinuxContainerRuntime, method prepareContainer.
/**
 * Generates the per-container Java security policy file before the
 * environment is written locally, and rewrites the container run command so
 * the JVM starts with the security manager pointed at that policy. The policy
 * restricts the container to a small set of directories.
 * <br>
 * No policy is generated and the command is left untouched when the user is a
 * member of the group named by
 * {@value YarnConfiguration#YARN_CONTAINER_SANDBOX_WHITELIST_GROUP} and the
 * command does not already carry the JVM flag
 * {@value NMContainerPolicyUtils#SECURITY_FLAG}.
 *
 * @param ctx The {@link ContainerRuntimeContext} containing container
 * setup properties.
 * @throws ContainerExecutionException if {@code hadoop.tmp.dir} is not set,
 * if the policy file can't be created, or if policy generation or command
 * rewriting fails (the underlying exception is the cause).
 */
@Override
public void prepareContainer(ContainerRuntimeContext ctx) throws ContainerExecutionException {
  @SuppressWarnings("unchecked")
  List<String> localDirs = ctx.getExecutionAttribute(CONTAINER_LOCAL_DIRS);
  @SuppressWarnings("unchecked")
  Map<org.apache.hadoop.fs.Path, List<String>> resources = ctx.getExecutionAttribute(LOCALIZED_RESOURCES);
  @SuppressWarnings("unchecked")
  List<String> commands = ctx.getExecutionAttribute(CONTAINER_RUN_CMDS);
  Map<String, String> env = ctx.getContainer().getLaunchContext().getEnvironment();

  if (isSandboxContainerWhitelisted(ctx, commands)) {
    // Whitelisted containers run without the sandbox; nothing to generate.
    return;
  }
  if (configuration.get("hadoop.tmp.dir") == null) {
    throw new ContainerExecutionException("hadoop.tmp.dir not set!");
  }

  OutputStream policyOut = null;
  try {
    String containerID = ctx.getExecutionAttribute(CONTAINER_ID_STR);
    String policyFileName = containerID + "-" + NMContainerPolicyUtils.POLICY_FILE;
    // POLICY_ATTR is applied at creation time, before anything is written.
    Path policyFilePath = Files.createFile(policyFileDir.resolve(policyFileName), POLICY_ATTR);
    policyOut = Files.newOutputStream(policyFilePath);
    // Remember the policy file that belongs to this container.
    containerPolicies.put(containerID, policyFilePath);
    NMContainerPolicyUtils.generatePolicyFile(policyOut, localDirs, resources, configuration);
    NMContainerPolicyUtils.appendSecurityFlags(commands, env, policyFilePath, sandboxMode);
  } catch (Exception e) {
    throw new ContainerExecutionException(e);
  } finally {
    // Best-effort close; failures are logged rather than thrown.
    IOUtils.cleanup(LOG, policyOut);
  }
}
Use of org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException in project hadoop by apache.
The class DockerClient, method writeCommandToTempFile.
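/**
 * Writes the docker command and its arguments to a freshly created temporary
 * file under {@code tmpDirPath} and returns that file's absolute path.
 * <p>
 * {@link PrintWriter} never throws on write failure, so the writer's error
 * flag is checked after closing; a short or failed write is reported instead
 * of handing an incomplete command file to the caller. On failure the
 * partially written temp file is removed on a best-effort basis.
 * <p>
 * NOTE(review): {@link File#createTempFile} only restricts the file's
 * permissions through the process umask; confirm this is acceptable for
 * command files that are later consumed by a privileged executor.
 *
 * @param cmd the docker command to serialize
 * @param filePrefix appended to {@code TMP_FILE_PREFIX} to form the temp
 * file name prefix
 * @return absolute path of the written command file
 * @throws ContainerExecutionException if the file can't be created or fully
 * written; the underlying {@link IOException} is the cause
 */
public String writeCommandToTempFile(DockerCommand cmd, String filePrefix) throws ContainerExecutionException {
  File dockerCommandFile = null;
  try {
    dockerCommandFile = File.createTempFile(TMP_FILE_PREFIX + filePrefix, TMP_FILE_SUFFIX, new File(tmpDirPath));
    // StandardCharsets.UTF_8 cannot raise UnsupportedEncodingException, so
    // the FileOutputStream can't be orphaned by the writer constructor.
    Writer writer = new OutputStreamWriter(new FileOutputStream(dockerCommandFile),
        java.nio.charset.StandardCharsets.UTF_8);
    PrintWriter printWriter = new PrintWriter(writer);
    try {
      printWriter.print(cmd.getCommandWithArguments());
    } finally {
      printWriter.close();
    }
    // checkError() reports any write or close failure the PrintWriter swallowed.
    if (printWriter.checkError()) {
      throw new IOException("Failed to write docker command to "
          + dockerCommandFile.getAbsolutePath());
    }
    return dockerCommandFile.getAbsolutePath();
  } catch (IOException e) {
    LOG.warn("Unable to write docker command to temporary file!", e);
    if (dockerCommandFile != null && !dockerCommandFile.delete()) {
      // Best-effort cleanup of the incomplete file; the original error is
      // what the caller needs to see.
      LOG.warn("Unable to delete incomplete docker command file "
          + dockerCommandFile.getAbsolutePath());
    }
    throw new ContainerExecutionException(e);
  }
}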
Use of org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException in project hadoop by apache.
The class DefaultLinuxContainerRuntime, method signalContainer.
/**
 * Delivers the signal from the context to the container's process by running
 * a {@code SIGNAL_CONTAINER} privileged operation as the configured user.
 * Failure logging on the operation is disabled because some failures (for
 * example signalling an already exited process) are expected; the caller
 * receives the exit code and output in the thrown exception and decides.
 *
 * @param ctx context holding RUN_AS_USER, USER, PID, SIGNAL and the container
 * @throws ContainerExecutionException if the privileged operation fails,
 * carrying its exit code, stdout and stderr
 */
@Override
public void signalContainer(ContainerRuntimeContext ctx) throws ContainerExecutionException {
  Container container = ctx.getContainer();
  String commandCode = Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue());
  String signalValue = Integer.toString(ctx.getExecutionAttribute(SIGNAL).getValue());

  PrivilegedOperation op = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
  op.appendArgs(
      ctx.getExecutionAttribute(RUN_AS_USER),
      ctx.getExecutionAttribute(USER),
      commandCode,
      ctx.getExecutionAttribute(PID),
      signalValue);
  // Some failures here are acceptable; the calling executor decides.
  op.disableFailureLogging();

  Map<String, String> launchEnv = container.getLaunchContext().getEnvironment();
  try {
    PrivilegedOperationExecutor.getInstance(conf)
        .executePrivilegedOperation(null, op, null, launchEnv, false, true);
  } catch (PrivilegedOperationException e) {
    // Surface exit code and output so the caller can decide what to do.
    throw new ContainerExecutionException("Signal container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
  }
}
Use of org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException in project hadoop by apache.
The class DockerLinuxContainerRuntime, method signalContainer.
/**
 * Signals a docker container. A {@code NULL} signal is a liveness probe and is
 * sent to the pid through a {@code SIGNAL_CONTAINER} privileged operation;
 * every other signal is translated into a {@code docker stop} command file
 * executed through {@code RUN_DOCKER_CMD}. Failure logging is disabled on the
 * operation because some failures are acceptable; the caller decides.
 *
 * @param ctx context holding SIGNAL, RUN_AS_USER, USER, PID and the container
 * @throws ContainerExecutionException if the command file can't be written or
 * the privileged operation fails (exit code and output are carried along)
 */
@Override
public void signalContainer(ContainerRuntimeContext ctx) throws ContainerExecutionException {
  Container container = ctx.getContainer();
  ContainerExecutor.Signal signal = ctx.getExecutionAttribute(SIGNAL);

  final PrivilegedOperation privOp;
  if (ContainerExecutor.Signal.NULL.equals(signal)) {
    // Liveness check: forward the null signal straight to the pid.
    privOp = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
    privOp.appendArgs(
        ctx.getExecutionAttribute(RUN_AS_USER),
        ctx.getExecutionAttribute(USER),
        Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue()),
        ctx.getExecutionAttribute(PID),
        Integer.toString(signal.getValue()));
  } else {
    // Every other signal becomes a docker stop of this container.
    String containerId = container.getContainerId().toString();
    String commandFile = dockerClient.writeCommandToTempFile(new DockerStopCommand(containerId), containerId);
    privOp = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
    privOp.appendArgs(commandFile);
  }

  // Some failures here are acceptable; the calling executor decides.
  privOp.disableFailureLogging();
  Map<String, String> launchEnv = container.getLaunchContext().getEnvironment();
  try {
    privilegedOperationExecutor.executePrivilegedOperation(null, privOp, null, launchEnv, false, false);
  } catch (PrivilegedOperationException e) {
    throw new ContainerExecutionException("Signal container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
  }
}