in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c [1545:1740]
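/**
 * Build the argument vector for `docker run` from a command file.
 *
 * The command file is read and verified, then each supported option is
 * translated into a docker argument and appended to `args` in a fixed order:
 * run command, --name, --user / no-new-privileges (non-privileged containers
 * only), the per-feature helpers, the image, and finally the launch command.
 *
 * @param command_file path of the command file describing the container
 * @param conf         container-executor configuration (docker section is consulted)
 * @param args         output argument list; reset via reset_args() on any failure
 * @return 0 on success. On failure a non-zero code: DOCKER_SERVICE_MODE_DISABLED,
 *         INVALID_DOCKER_CONTAINER_NAME, INVALID_DOCKER_USER_NAME,
 *         INVALID_DOCKER_IMAGE_NAME, BUFFER_TOO_SMALL, or the status returned
 *         by whichever helper failed.
 */
int get_docker_run_command(const char *command_file, const struct configuration *conf, args *args) {
  int ret = 0, i = 0;
  char *container_name = NULL, *user = NULL, *image = NULL;
  char *tmp_buffer = NULL;
  char **launch_command = NULL;
  char *privileged = NULL;
  char *no_new_privileges_enabled = NULL;
  char *use_entry_point = NULL;
  int service_mode_enabled = 0;
  struct configuration command_config = {0, NULL};

  ret = read_and_verify_command_file(command_file, DOCKER_RUN_COMMAND, &command_config);
  if (ret != 0) {
    goto free_and_exit;
  }

  service_mode_enabled = is_service_mode_enabled(&command_config, conf, args);
  if (service_mode_enabled == DOCKER_SERVICE_MODE_DISABLED) {
    ret = DOCKER_SERVICE_MODE_DISABLED;
    goto free_and_exit;
  }

  // entry_point is declared outside this function; it is only ever set here,
  // never cleared, so it keeps whatever value it had when the key is absent.
  use_entry_point = get_configuration_value("use-entry-point", DOCKER_COMMAND_FILE_SECTION, &command_config);
  if (use_entry_point != NULL && strcasecmp(use_entry_point, "true") == 0) {
    entry_point = 1;
  }
  free(use_entry_point);

  container_name = get_configuration_value("name", DOCKER_COMMAND_FILE_SECTION, &command_config);
  if (container_name == NULL || validate_container_name(container_name) != 0) {
    ret = INVALID_DOCKER_CONTAINER_NAME;
    goto free_and_exit;
  }

  if (!service_mode_enabled) {
    // NOTE(review): user is only checked for presence in this function, while
    // name and image go through validators. Confirm the value is validated
    // elsewhere before it is placed into --user=.
    user = get_configuration_value("user", DOCKER_COMMAND_FILE_SECTION, &command_config);
    if (user == NULL) {
      ret = INVALID_DOCKER_USER_NAME;
      goto free_and_exit;
    }
  }

  image = get_configuration_value("image", DOCKER_COMMAND_FILE_SECTION, &command_config);
  if (image == NULL || validate_docker_image_name(image) != 0) {
    ret = INVALID_DOCKER_IMAGE_NAME;
    goto free_and_exit;
  }

  ret = add_to_args(args, DOCKER_RUN_COMMAND);
  if (ret != 0) {
    ret = BUFFER_TOO_SMALL;
    goto free_and_exit;
  }

  // Do not hand a failed allocation to add_to_args; presumably make_string
  // returns NULL when it cannot build the string.
  tmp_buffer = make_string("--name=%s", container_name);
  if (tmp_buffer == NULL) {
    ret = BUFFER_TOO_SMALL;
    goto free_and_exit;
  }
  ret = add_to_args(args, tmp_buffer);
  free(tmp_buffer);
  if (ret != 0) {
    ret = BUFFER_TOO_SMALL;
    goto free_and_exit;
  }

  // Fail closed: the container is treated as non-privileged unless the command
  // file says "true" (any case). The previous test matched only the exact
  // string "false", so any other value (e.g. "False" or a typo) skipped both
  // the --user drop and no-new-privileges without requesting privileged mode.
  // NOTE(review): set_privileged() is not visible here; confirm it recognises
  // exactly the same spelling of "true" so the two checks cannot disagree.
  privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, &command_config);
  if (privileged == NULL || strcasecmp(privileged, "true") != 0) {
    if (!service_mode_enabled) {
      // user is non-NULL here: it was required above whenever service mode is off.
      char *user_buffer = make_string("--user=%s", user);
      if (user_buffer == NULL) {
        ret = BUFFER_TOO_SMALL;
        goto free_and_exit;
      }
      ret = add_to_args(args, user_buffer);
      free(user_buffer);
      if (ret != 0) {
        ret = BUFFER_TOO_SMALL;
        goto free_and_exit;
      }
    }

    // no-new-privileges is an operator setting read from conf, not from the
    // command file, and is only applied to non-privileged containers.
    no_new_privileges_enabled =
        get_configuration_value("docker.no-new-privileges.enabled",
                                CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf);
    if (no_new_privileges_enabled != NULL &&
        strcasecmp(no_new_privileges_enabled, "True") == 0) {
      ret = add_to_args(args, "--security-opt=no-new-privileges");
      if (ret != 0) {
        ret = BUFFER_TOO_SMALL;
        goto free_and_exit;
      }
    }
  }

  // Per-feature helpers: each appends its own arguments and its status is
  // returned unchanged on failure. The call order fixes the argument order.
  ret = detach_container(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = rm_container_on_exit(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_container_workdir(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_network(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = add_ports_mapping_to_command(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_pid_namespace(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = add_docker_mounts(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = add_tmpfs_mounts(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_cgroup_parent(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_privileged(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_capabilities(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_runtime(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_hostname(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  // Supplementary groups are tied to the run-as user, so skip them in service mode.
  if (!service_mode_enabled) {
    ret = set_group_add(&command_config, args);
    if (ret != 0) {
      goto free_and_exit;
    }
  }

  ret = set_devices(&command_config, conf, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  ret = set_env(&command_config, args);
  if (ret != 0) {
    goto free_and_exit;
  }

  // The image must follow every option: whatever comes after it is the
  // command run inside the container.
  // NOTE(review): unlike the other add_to_args call sites, this one returns the
  // raw add_to_args status instead of BUFFER_TOO_SMALL; left unchanged so the
  // code seen by callers stays the same.
  ret = add_to_args(args, image);
  if (ret != 0) {
    goto free_and_exit;
  }

  // launch-command is split on ',' and each piece becomes one argv entry.
  launch_command = get_configuration_values_delimiter("launch-command", DOCKER_COMMAND_FILE_SECTION, &command_config,
                                                      ",");
  if (launch_command != NULL) {
    for (i = 0; launch_command[i] != NULL; ++i) {
      ret = add_to_args(args, launch_command[i]);
      if (ret != 0) {
        ret = BUFFER_TOO_SMALL;
        goto free_and_exit;
      }
    }
  }

free_and_exit:
  // Never leave a partially built command line behind on failure.
  if (ret != 0) {
    reset_args(args);
  }
  free(user);
  free(image);
  free(privileged);
  free(no_new_privileges_enabled);
  free(container_name);
  free_values(launch_command);
  free_configuration(&command_config);
  return ret;
}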