/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "configuration.h"
#include "container-executor.h"
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
// Scratch tree for the whole test run.
// NOTE(review): this is a fixed, predictable path under /tmp, and main()
// recursively chmods and removes it (as root when the test is started by
// root). Run this binary only on a host where no untrusted local user can
// pre-create or symlink that path.
#define TEST_ROOT "/tmp/test-container-executor"
// Name of the canary entry that the delete tests must leave in place.
#define DONT_TOUCH_FILE "dont-touch-me"
// Comma-separated node-manager local directories, all below TEST_ROOT.
#define NM_LOCAL_DIRS TEST_ROOT "/local-1," TEST_ROOT "/local-2," \
TEST_ROOT "/local-3," TEST_ROOT "/local-4," TEST_ROOT "/local-5"
// Comma-separated node-manager log directories, all below TEST_ROOT.
#define NM_LOG_DIRS TEST_ROOT "/logdir_1," TEST_ROOT "/logdir_2," \
TEST_ROOT "/logdir_3," TEST_ROOT "/logdir_4"
// Size in bytes of the heap buffers main() allocates for the two lists above.
#define ARRAY_SIZE 1000
// Account the tests act as; set in main() from argv[1] or the current user.
static char* username = NULL;
// Heap copy of NM_LOCAL_DIRS, filled in by main().
static char* local_dirs = NULL;
// Heap copy of NM_LOG_DIRS, filled in by main().
static char* log_dirs = NULL;
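/**
 * Run the command using the effective user id.
 * It can't use system, since bash seems to copy the real user id into the
 * effective id.
 *
 * The command is split on spaces into an argv and handed to execvp() in a
 * forked child. No shell is involved, so quoting, globbing and redirection
 * are not interpreted, and an argument that itself contains a space is split
 * into several arguments. Callers must therefore only embed paths and names
 * that are free of spaces.
 *
 * Any failure (fork, allocation, exec, abnormal termination, non-zero exit
 * status) prints a "FAIL:" line and ends the calling process with status 1.
 *
 * @param cmd space-separated command line; must contain at least one word.
 */
void run(const char *cmd) {
  fflush(stdout);
  fflush(stderr);
  pid_t child = fork();
  if (child == -1) {
    printf("FAIL: failed to fork - %s\n", strerror(errno));
    // Returning would let the caller carry on as if the command had run.
    exit(1);
  }
  if (child == 0) {
    char *cmd_copy = strdup(cmd);
    if (cmd_copy == NULL) {
      printf("FAIL: out of memory copying command %s\n", cmd);
      exit(42);
    }
    // Spaces + 1 is an upper bound on the number of tokens strtok can yield.
    char *ptr;
    int words = 1;
    for (ptr = strchr(cmd_copy, ' '); ptr != NULL; ptr = strchr(ptr + 1, ' ')) {
      words += 1;
    }
    char **argv = malloc(sizeof(*argv) * (words + 1));
    if (argv == NULL) {
      printf("FAIL: out of memory building argv for %s\n", cmd);
      exit(42);
    }
    int argc = 0;
    for (ptr = strtok(cmd_copy, " "); ptr != NULL; ptr = strtok(NULL, " ")) {
      argv[argc++] = ptr;
    }
    argv[argc] = NULL;
    if (argc == 0) {
      // execvp(NULL, ...) is not a valid call; report the bad input instead.
      printf("FAIL: empty command\n");
      exit(42);
    }
    execvp(argv[0], argv);
    // execvp only returns when it failed.
    printf("FAIL: exec failed in child %s - %s\n", cmd, strerror(errno));
    exit(42);
  }
  int status = 0;
  if (waitpid(child, &status, 0) <= 0) {
    printf("FAIL: failed waiting for child process %s pid %d - %s\n",
           cmd, child, strerror(errno));
    exit(1);
  }
  if (!WIFEXITED(status)) {
    printf("FAIL: process %s pid %d did not exit\n", cmd, child);
    exit(1);
  }
  if (WEXITSTATUS(status) != 0) {
    printf("FAIL: process %s pid %d exited with error status %d\n", cmd,
           child, WEXITSTATUS(status));
    exit(1);
  }
}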
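/**
 * Write the configuration file the tests load with read_config().
 *
 * The file holds exactly two settings: "banned.users=bannedUser" and
 * "min.user.id=1000". Write and close errors are reported, because a short
 * or empty file would leave the later user checks running against
 * settings other than the ones this test expects.
 *
 * @param file_name path of the file to create or truncate.
 * @return 0 on success, EXIT_FAILURE if the file could not be opened,
 *         written or closed.
 */
int write_config_file(char *file_name) {
  FILE *file = fopen(file_name, "w");
  if (file == NULL) {
    printf("Failed to open %s.\n", file_name);
    return EXIT_FAILURE;
  }
  int failed = 0;
  if (fprintf(file, "banned.users=bannedUser\n") < 0 ||
      fprintf(file, "min.user.id=1000\n") < 0) {
    printf("Failed to write %s.\n", file_name);
    failed = 1;
  }
  // fclose flushes the stdio buffer, so its failure also means a short file.
  if (fclose(file) != 0 && !failed) {
    printf("Failed to close %s.\n", file_name);
    failed = 1;
  }
  return failed ? EXIT_FAILURE : 0;
}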
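/**
 * Create every node-manager root directory and a "usercache" directory
 * inside it, both with mode 0755.
 *
 * Prints a "FAIL:" line and exits with status 1 if a directory cannot be
 * created or a path does not fit the local buffer.
 *
 * @param nm_roots NULL-terminated array of directory paths.
 */
void create_nm_roots(char ** nm_roots) {
  char** nm_root;
  for (nm_root = nm_roots; *nm_root != NULL; ++nm_root) {
    if (mkdir(*nm_root, 0755) != 0) {
      printf("FAIL: Can't create directory %s - %s\n", *nm_root,
             strerror(errno));
      exit(1);
    }
    char buffer[100000];
    // Bounded formatting: the root path comes from the caller, so reject a
    // path that would not fit instead of writing past the buffer.
    int len = snprintf(buffer, sizeof(buffer), "%s/usercache", *nm_root);
    if (len < 0 || (size_t) len >= sizeof(buffer)) {
      printf("FAIL: path too long for usercache under %s\n", *nm_root);
      exit(1);
    }
    if (mkdir(buffer, 0755) != 0) {
      printf("FAIL: Can't create directory %s - %s\n", buffer,
             strerror(errno));
      exit(1);
    }
  }
}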
/**
 * Check that get_user_directory("/tmp", "user") yields
 * "/tmp/usercache/user". Prints both strings and exits with status 1 on a
 * mismatch; frees the returned string otherwise.
 */
void test_get_user_directory() {
  const char *want = "/tmp/usercache/user";
  char *got = get_user_directory("/tmp", "user");
  if (strcmp(got, want) == 0) {
    free(got);
    return;
  }
  printf("test_get_user_directory expected %s got %s\n", want, got);
  exit(1);
}
/**
 * Check that get_app_directory() places the application directory at
 * "<root>/usercache/<user>/appcache/<app>". Exits with status 1 on a
 * mismatch; frees the returned string otherwise.
 */
void test_get_app_directory() {
  const char *want = "/tmp/usercache/user/appcache/app_200906101234_0001";
  char *got = (char *) get_app_directory("/tmp", "user",
                                         "app_200906101234_0001");
  if (strcmp(got, want) == 0) {
    free(got);
    return;
  }
  printf("test_get_app_directory expected %s got %s\n", want, got);
  exit(1);
}
/**
 * Check that get_container_work_directory() nests the container directory
 * below the application directory:
 * "<root>/usercache/<user>/appcache/<app>/<container>". Exits with status 1
 * on a mismatch; frees the returned string otherwise.
 */
void test_get_container_directory() {
  char *got = get_container_work_directory("/tmp", "owen", "app_1",
                                           "container_1");
  const char *want = "/tmp/usercache/owen/appcache/app_1/container_1";
  if (strcmp(got, want) == 0) {
    free(got);
    return;
  }
  printf("Fail get_container_work_directory got %s expected %s\n",
         got, want);
  exit(1);
}
/**
 * Check that get_container_launcher_file() appends "/launch_container.sh"
 * to the application directory it is given. Exits with status 1 on a
 * mismatch; frees both allocated strings otherwise.
 */
void test_get_container_launcher_file() {
  const char *want = "/tmp/usercache/user/appcache/app_200906101234_0001"
                     "/launch_container.sh";
  char *app_path = get_app_directory("/tmp", "user",
                                     "app_200906101234_0001");
  char *launcher = get_container_launcher_file(app_path);
  if (strcmp(launcher, want) == 0) {
    free(app_path);
    free(launcher);
    return;
  }
  printf("failure to match expected container file %s vs %s\n", launcher,
         want);
  exit(1);
}
/**
 * Check that get_app_log_directory() joins the log root and the application
 * id with a single "/". Exits with status 1 on a mismatch; frees the
 * returned string otherwise.
 */
void test_get_app_log_dir() {
  const char *want = TEST_ROOT "/logs/userlogs/app_200906101234_0001";
  char *got = get_app_log_directory(TEST_ROOT "/logs/userlogs",
                                    "app_200906101234_0001");
  if (strcmp(got, want) == 0) {
    free(got);
    return;
  }
  printf("Fail get_app_log_dir got %s expected %s\n", got, want);
  exit(1);
}
/**
 * Check the user gate: check_user() must accept the account the tests run
 * as and must return NULL for the accounts "lp" and "root".
 *
 * NOTE(review): the configuration written by write_config_file() also lists
 * "bannedUser" under banned.users, but no call in this file passes that
 * name to check_user(), so the ban list itself is not exercised here.
 */
void test_check_user() {
  printf("\nTesting test_check_user\n");
  struct passwd *accepted = check_user(username);
  if (!accepted) {
    printf("FAIL: failed check for user %s\n", username);
    exit(1);
  }
  free(accepted);
  // Accounts that must be refused; a non-NULL result is the failure.
  int lp_allowed = check_user("lp") != NULL;
  if (lp_allowed) {
    printf("FAIL: failed check for system user lp\n");
    exit(1);
  }
  int root_allowed = check_user("root") != NULL;
  if (root_allowed) {
    printf("FAIL: failed check for system user root\n");
    exit(1);
  }
}
/**
 * Check check_configuration_permissions() against one path it must accept
 * ("/etc/passwd", expected result 0) and one it must reject (TEST_ROOT,
 * expected result non-zero). Exits with status 1 if either expectation
 * fails.
 */
void test_check_configuration_permissions() {
  printf("\nTesting check_configuration_permissions\n");
  int system_file_result = check_configuration_permissions("/etc/passwd");
  if (system_file_result != 0) {
    printf("FAIL: failed permission check on /etc/passwd\n");
    exit(1);
  }
  // The scratch directory created by this test must not pass the check.
  int scratch_result = check_configuration_permissions(TEST_ROOT);
  if (scratch_result == 0) {
    printf("FAIL: failed permission check on %s\n", TEST_ROOT);
    exit(1);
  }
}
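/**
 * Check that delete_as_user() removes one container directory and nothing
 * outside it.
 *
 * The container tree is seeded with the cases a recursive delete has to
 * survive: a deep path, a symbolic link and a hard link that both point at
 * a canary file outside the container directory, a dot file, a mode-000
 * file and a mode-000 directory. After the delete the container directory
 * must be gone while the application directory and the canary remain.
 *
 * All commands go through run(), which splits on spaces, so the paths built
 * from username must not contain spaces.
 */
void test_delete_container() {
  if (initialize_user(username, extract_values(local_dirs))) {
    printf("FAIL: failed to initialize user %s\n", username);
    exit(1);
  }
  char* app_dir = get_app_directory(TEST_ROOT "/local-2", username, "app_1");
  char* dont_touch = get_app_directory(TEST_ROOT "/local-2", username,
                                       DONT_TOUCH_FILE);
  char* container_dir = get_container_work_directory(TEST_ROOT "/local-2",
                                                     username, "app_1",
                                                     "container_1");
  if (app_dir == NULL || dont_touch == NULL || container_dir == NULL) {
    printf("FAIL: failed to build the test paths\n");
    exit(1);
  }
  char buffer[100000];
  // Every command below is a literal shorter than 64 bytes plus at most two
  // of these paths, so one bound check up front rules out truncation; a
  // truncated path must never reach the chmod/rm commands.
  if (strlen(app_dir) + strlen(dont_touch) + strlen(container_dir) + 64 >
      sizeof(buffer)) {
    printf("FAIL: test paths are too long\n");
    exit(1);
  }
  snprintf(buffer, sizeof(buffer), "mkdir -p %s/who/let/the/dogs/out/who/who",
           container_dir);
  run(buffer);
  snprintf(buffer, sizeof(buffer), "touch %s", dont_touch);
  run(buffer);
  // soft link to the canary file from the container directory
  snprintf(buffer, sizeof(buffer), "ln -s %s %s/who/softlink", dont_touch,
           container_dir);
  run(buffer);
  // hard link to the canary file from the container directory
  snprintf(buffer, sizeof(buffer), "ln %s %s/who/hardlink", dont_touch,
           container_dir);
  run(buffer);
  // create a dot file in the container directory
  snprintf(buffer, sizeof(buffer), "touch %s/who/let/.dotfile", container_dir);
  run(buffer);
  // create a no permission file
  snprintf(buffer, sizeof(buffer), "touch %s/who/let/protect", container_dir);
  run(buffer);
  snprintf(buffer, sizeof(buffer), "chmod 000 %s/who/let/protect",
           container_dir);
  run(buffer);
  // create a no permission directory
  snprintf(buffer, sizeof(buffer), "chmod 000 %s/who/let", container_dir);
  run(buffer);
  // delete container directory
  char * dirs[] = {app_dir, 0};
  int ret = delete_as_user(username, "container_1" , dirs);
  if (ret != 0) {
    printf("FAIL: return code from delete_as_user is %d\n", ret);
    exit(1);
  }
  // check to make sure the container directory is gone
  if (access(container_dir, R_OK) == 0) {
    printf("FAIL: failed to delete the directory - %s\n", container_dir);
    exit(1);
  }
  // check to make sure the app directory is not gone
  if (access(app_dir, R_OK) != 0) {
    printf("FAIL: accidently deleted the directory - %s\n", app_dir);
    exit(1);
  }
  // but that the canary is not gone
  if (access(dont_touch, R_OK) != 0) {
    printf("FAIL: accidently deleted file %s\n", dont_touch);
    exit(1);
  }
  // restore permissions so the application directory can be removed
  snprintf(buffer, sizeof(buffer), "chmod -R 700 %s", app_dir);
  run(buffer);
  snprintf(buffer, sizeof(buffer), "rm -fr %s", app_dir);
  run(buffer);
  free(app_dir);
  free(container_dir);
  free(dont_touch);
}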
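/**
 * Check that delete_as_user() removes a whole application directory and
 * nothing outside it.
 *
 * The container tree below the application directory is seeded with a deep
 * path, a symbolic link and a hard link that both point at a canary file
 * outside the application directory, a dot file, a mode-000 file and a
 * mode-000 directory. After the delete both the container directory and
 * the application directory must be gone while the canary remains.
 *
 * All commands go through run(), which splits on spaces, so the paths built
 * from username must not contain spaces.
 */
void test_delete_app() {
  char* app_dir = get_app_directory(TEST_ROOT "/local-2", username, "app_2");
  char* dont_touch = get_app_directory(TEST_ROOT "/local-2", username,
                                       DONT_TOUCH_FILE);
  char* container_dir = get_container_work_directory(TEST_ROOT "/local-2",
                                                     username, "app_2",
                                                     "container_1");
  if (app_dir == NULL || dont_touch == NULL || container_dir == NULL) {
    printf("FAIL: failed to build the test paths\n");
    exit(1);
  }
  char buffer[100000];
  // Every command below is a literal shorter than 64 bytes plus at most two
  // of these paths, so one bound check up front rules out truncation.
  if (strlen(app_dir) + strlen(dont_touch) + strlen(container_dir) + 64 >
      sizeof(buffer)) {
    printf("FAIL: test paths are too long\n");
    exit(1);
  }
  snprintf(buffer, sizeof(buffer), "mkdir -p %s/who/let/the/dogs/out/who/who",
           container_dir);
  run(buffer);
  snprintf(buffer, sizeof(buffer), "touch %s", dont_touch);
  run(buffer);
  // soft link to the canary file from the container directory
  snprintf(buffer, sizeof(buffer), "ln -s %s %s/who/softlink", dont_touch,
           container_dir);
  run(buffer);
  // hard link to the canary file from the container directory
  snprintf(buffer, sizeof(buffer), "ln %s %s/who/hardlink", dont_touch,
           container_dir);
  run(buffer);
  // create a dot file in the container directory
  snprintf(buffer, sizeof(buffer), "touch %s/who/let/.dotfile", container_dir);
  run(buffer);
  // create a no permission file
  snprintf(buffer, sizeof(buffer), "touch %s/who/let/protect", container_dir);
  run(buffer);
  snprintf(buffer, sizeof(buffer), "chmod 000 %s/who/let/protect",
           container_dir);
  run(buffer);
  // create a no permission directory
  snprintf(buffer, sizeof(buffer), "chmod 000 %s/who/let", container_dir);
  run(buffer);
  // delete the whole application directory (no base-directory list)
  int ret = delete_as_user(username, app_dir, NULL);
  if (ret != 0) {
    printf("FAIL: return code from delete_as_user is %d\n", ret);
    exit(1);
  }
  // check to make sure the container directory is gone
  if (access(container_dir, R_OK) == 0) {
    printf("FAIL: failed to delete the directory - %s\n", container_dir);
    exit(1);
  }
  // check to make sure the app directory is gone
  if (access(app_dir, R_OK) == 0) {
    printf("FAIL: didn't delete the directory - %s\n", app_dir);
    exit(1);
  }
  // but that the canary is not gone
  if (access(dont_touch, R_OK) != 0) {
    printf("FAIL: accidently deleted file %s\n", dont_touch);
    exit(1);
  }
  free(app_dir);
  free(container_dir);
  free(dont_touch);
}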
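/**
 * Check that delete_as_user() can remove a user's whole usercache
 * directory under local-1 while leaving the local-1 root itself in place.
 *
 * Every failure prints a "FAIL:" line and exits with status 1.
 */
void test_delete_user() {
  printf("\nTesting delete_user\n");
  char* app_dir = get_app_directory(TEST_ROOT "/local-1", username, "app_3");
  if (app_dir == NULL) {
    printf("FAIL: failed to build the app directory path\n");
    exit(1);
  }
  if (mkdirs(app_dir, 0700) != 0) {
    printf("FAIL: failed to create directory %s\n", app_dir);
    exit(1);
  }
  char buffer[100000];
  // username may come from the command line; refuse a path that does not
  // fit rather than deleting a truncated one.
  int len = snprintf(buffer, sizeof(buffer), "%s/local-1/usercache/%s",
                     TEST_ROOT, username);
  if (len < 0 || (size_t) len >= sizeof(buffer)) {
    printf("FAIL: usercache path is too long\n");
    exit(1);
  }
  if (access(buffer, R_OK) != 0) {
    printf("FAIL: directory missing before test\n");
    exit(1);
  }
  if (delete_as_user(username, buffer, NULL) != 0) {
    printf("FAIL: delete_as_user failed for %s\n", buffer);
    exit(1);
  }
  if (access(buffer, R_OK) == 0) {
    printf("FAIL: directory not deleted\n");
    exit(1);
  }
  // the parent of the user directory must survive the delete
  if (access(TEST_ROOT "/local-1", R_OK) != 0) {
    printf("FAIL: local-1 directory does not exist\n");
    exit(1);
  }
  free(app_dir);
}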
/**
 * Run one test function in a forked child and wait for it.
 *
 * The child calls func() and then exits with status 0; whatever the test
 * does to its own process stays in the child. The parent exits with
 * status 1 if the fork or wait fails, if the child did not exit normally,
 * or if it exited with a non-zero status.
 *
 * @param test_name label printed before the test starts.
 * @param func      test body to run in the child.
 */
void run_test_in_child(const char* test_name, void (*func)()) {
  printf("\nRunning test %s in child process\n", test_name);
  // Empty the stdio buffers first so the child does not repeat pending output.
  fflush(stdout);
  fflush(stderr);
  pid_t pid = fork();
  switch (pid) {
  case -1:
    printf("FAIL: fork failed\n");
    exit(1);
  case 0:
    func();
    exit(0);
  default:
    break;
  }
  // Parent: collect the child and translate its fate into pass/fail.
  int wstatus = 0;
  if (waitpid(pid, &wstatus, 0) == -1) {
    printf("FAIL: waitpid %d failed - %s\n", pid, strerror(errno));
    exit(1);
  }
  if (!WIFEXITED(wstatus)) {
    printf("FAIL: child %d didn't exit - %d\n", pid, wstatus);
    exit(1);
  }
  int code = WEXITSTATUS(wstatus);
  if (code != 0) {
    printf("FAIL: child %d exited with bad status %d\n",
           pid, code);
    exit(1);
  }
}
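/**
 * Check that signal_container_as_user() delivers SIGQUIT to a process
 * running as the test user.
 *
 * A forked child switches to the uid/gid in user_detail and sleeps; the
 * parent asks for SIGQUIT and then requires that the child was terminated
 * by exactly that signal.
 *
 * NOTE(review): the parent does not wait for the child to finish
 * change_user() before signalling - confirm the result does not depend on
 * which of the two runs first.
 */
void test_signal_container() {
  printf("\nTesting signal_container\n");
  fflush(stdout);
  fflush(stderr);
  pid_t child = fork();
  if (child == -1) {
    printf("FAIL: fork failed\n");
    exit(1);
  }
  if (child == 0) {
    if (change_user(user_detail->pw_uid, user_detail->pw_gid) != 0) {
      exit(1);
    }
    sleep(3600);
    exit(0);
  }
  printf("Child container launched as %d\n", child);
  if (signal_container_as_user(username, child, SIGQUIT) != 0) {
    printf("FAIL: signal_container_as_user failed for pid %d\n", child);
    // Best effort: do not leave the child sleeping for an hour after a
    // failed run.
    kill(child, SIGKILL);
    exit(1);
  }
  int status = 0;
  if (waitpid(child, &status, 0) == -1) {
    printf("FAIL: waitpid failed - %s\n", strerror(errno));
    exit(1);
  }
  if (!WIFSIGNALED(status)) {
    printf("FAIL: child wasn't signalled - %d\n", status);
    exit(1);
  }
  if (WTERMSIG(status) != SIGQUIT) {
    printf("FAIL: child was killed with %d instead of %d\n",
           WTERMSIG(status), SIGQUIT);
    exit(1);
  }
}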
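/**
 * Check that signal_container_as_user() delivers SIGKILL to a child that
 * has moved itself into its own process group.
 *
 * The forked child calls setpgrp(), switches to the uid/gid in user_detail
 * and sleeps; the parent asks for SIGKILL and then requires that the child
 * was terminated by exactly that signal.
 *
 * NOTE(review): the parent does not wait for the child to finish setpgrp()
 * and change_user() before signalling - confirm the result does not depend
 * on which side runs first.
 */
void test_signal_container_group() {
  printf("\nTesting group signal_container\n");
  fflush(stdout);
  fflush(stderr);
  pid_t child = fork();
  if (child == -1) {
    printf("FAIL: fork failed\n");
    exit(1);
  } else if (child == 0) {
    setpgrp();
    if (change_user(user_detail->pw_uid, user_detail->pw_gid) != 0) {
      exit(1);
    }
    sleep(3600);
    exit(0);
  }
  printf("Child container launched as %d\n", child);
  if (signal_container_as_user(username, child, SIGKILL) != 0) {
    printf("FAIL: signal_container_as_user failed for pid %d\n", child);
    // Best effort: do not leave the child sleeping for an hour after a
    // failed run.
    kill(child, SIGKILL);
    exit(1);
  }
  int status = 0;
  if (waitpid(child, &status, 0) == -1) {
    printf("FAIL: waitpid failed - %s\n", strerror(errno));
    exit(1);
  }
  if (!WIFSIGNALED(status)) {
    printf("FAIL: child wasn't signalled - %d\n", status);
    exit(1);
  }
  if (WTERMSIG(status) != SIGKILL) {
    printf("FAIL: child was killed with %d instead of %d\n",
           WTERMSIG(status), SIGKILL);
    exit(1);
  }
}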
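/**
 * Check initialize_app(): with effective uid 0 the test writes a
 * credentials file and a job file under TEST_ROOT, drops back to the test
 * user, and runs initialize_app() in a forked child with "touch
 * my-touch-file" as the final program. Afterwards the app log directory,
 * the app directory, a "jobToken" file and the touched file must exist.
 *
 * main() only calls this when the real uid is 0.
 *
 * NOTE(review): the credentials file is created with fopen() at a fixed
 * path under /tmp while the effective uid is 0, with whatever mode the
 * umask allows; that is acceptable only on a host without untrusted local
 * users.
 */
void test_init_app() {
  printf("\nTesting init app\n");
  if (seteuid(0) != 0) {
    printf("FAIL: seteuid to root failed - %s\n", strerror(errno));
    exit(1);
  }
  FILE* creds = fopen(TEST_ROOT "/creds.txt", "w");
  if (creds == NULL) {
    printf("FAIL: failed to create credentials file - %s\n", strerror(errno));
    exit(1);
  }
  if (fprintf(creds, "secret key\n") < 0) {
    printf("FAIL: fprintf failed - %s\n", strerror(errno));
    exit(1);
  }
  if (fclose(creds) != 0) {
    printf("FAIL: fclose failed - %s\n", strerror(errno));
    exit(1);
  }
  FILE* job_xml = fopen(TEST_ROOT "/job.xml", "w");
  if (job_xml == NULL) {
    printf("FAIL: failed to create job file - %s\n", strerror(errno));
    exit(1);
  }
  if (fprintf(job_xml, "<jobconf/>\n") < 0) {
    printf("FAIL: fprintf failed - %s\n", strerror(errno));
    exit(1);
  }
  if (fclose(job_xml) != 0) {
    printf("FAIL: fclose failed - %s\n", strerror(errno));
    exit(1);
  }
  if (seteuid(user_detail->pw_uid) != 0) {
    printf("FAIL: failed to seteuid back to user - %s\n", strerror(errno));
    exit(1);
  }
  fflush(stdout);
  fflush(stderr);
  pid_t child = fork();
  if (child == -1) {
    printf("FAIL: failed to fork process for init_app - %s\n",
           strerror(errno));
    exit(1);
  } else if (child == 0) {
    char *final_pgm[] = {"touch", "my-touch-file", 0};
    if (initialize_app(username, "app_4", TEST_ROOT "/creds.txt", final_pgm,
                       extract_values(local_dirs),
                       extract_values(log_dirs)) != 0) {
      printf("FAIL: failed in child\n");
      exit(42);
    }
    // should never return
    exit(1);
  }
  int status = 0;
  if (waitpid(child, &status, 0) <= 0) {
    printf("FAIL: failed waiting for process %d - %s\n", child,
           strerror(errno));
    exit(1);
  }
  // NOTE(review): status is not inspected; a failed child is only noticed
  // through the missing files checked below.
  if (access(TEST_ROOT "/logs/userlogs/app_4", R_OK) != 0) {
    printf("FAIL: failed to create app log directory\n");
    exit(1);
  }
  char* app_dir = get_app_directory(TEST_ROOT "/local-1", username, "app_4");
  if (app_dir == NULL) {
    printf("FAIL: failed to build the app directory path\n");
    exit(1);
  }
  if (access(app_dir, R_OK) != 0) {
    printf("FAIL: failed to create app directory %s\n", app_dir);
    exit(1);
  }
  char buffer[100000];
  // app_dir embeds username; format with a bound and reject truncation.
  int len = snprintf(buffer, sizeof(buffer), "%s/jobToken", app_dir);
  if (len < 0 || (size_t) len >= sizeof(buffer)) {
    printf("FAIL: jobToken path is too long\n");
    exit(1);
  }
  if (access(buffer, R_OK) != 0) {
    printf("FAIL: failed to create credentials %s\n", buffer);
    exit(1);
  }
  len = snprintf(buffer, sizeof(buffer), "%s/my-touch-file", app_dir);
  if (len < 0 || (size_t) len >= sizeof(buffer)) {
    printf("FAIL: touch file path is too long\n");
    exit(1);
  }
  if (access(buffer, R_OK) != 0) {
    printf("FAIL: failed to create touch file %s\n", buffer);
    exit(1);
  }
  free(app_dir);
  // NOTE(review): "logs" is a relative root here, so this lookup depends on
  // the current working directory - confirm that is intended.
  app_dir = get_app_log_directory("logs","app_4");
  if (access(app_dir, R_OK) != 0) {
    printf("FAIL: failed to create app log directory %s\n", app_dir);
    exit(1);
  }
  free(app_dir);
}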
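/**
 * Check launch_container_as_user(): with effective uid 0 the test writes a
 * credentials file and opens a launch script under TEST_ROOT, drops back to
 * the test user, fills in the script, and launches it in a forked child.
 * Afterwards the container log directory, the container work directory,
 * the file the script touches and a pid file naming the child must exist.
 *
 * main() only calls this when the real uid is 0.
 *
 * NOTE(review): the credentials file and the script are created with
 * fopen() at fixed paths under /tmp while the effective uid is 0; that is
 * acceptable only on a host without untrusted local users.
 */
void test_run_container() {
  printf("\nTesting run container\n");
  if (seteuid(0) != 0) {
    printf("FAIL: seteuid to root failed - %s\n", strerror(errno));
    exit(1);
  }
  FILE* creds = fopen(TEST_ROOT "/creds.txt", "w");
  if (creds == NULL) {
    printf("FAIL: failed to create credentials file - %s\n", strerror(errno));
    exit(1);
  }
  if (fprintf(creds, "secret key\n") < 0) {
    printf("FAIL: fprintf failed - %s\n", strerror(errno));
    exit(1);
  }
  if (fclose(creds) != 0) {
    printf("FAIL: fclose failed - %s\n", strerror(errno));
    exit(1);
  }
  const char* script_name = TEST_ROOT "/container-script";
  FILE* script = fopen(script_name, "w");
  if (script == NULL) {
    printf("FAIL: failed to create script file - %s\n", strerror(errno));
    exit(1);
  }
  // The script is opened before and written after the switch back to the
  // test user; the already-open stream stays usable.
  if (seteuid(user_detail->pw_uid) != 0) {
    printf("FAIL: failed to seteuid back to user - %s\n", strerror(errno));
    exit(1);
  }
  if (fprintf(script, "#!/bin/bash\n"
                      "touch foobar\n"
                      "exit 0") < 0) {
    printf("FAIL: fprintf failed - %s\n", strerror(errno));
    exit(1);
  }
  if (fclose(script) != 0) {
    printf("FAIL: fclose failed - %s\n", strerror(errno));
    exit(1);
  }
  fflush(stdout);
  fflush(stderr);
  char* container_dir = get_container_work_directory(TEST_ROOT "/local-1",
                                                     username, "app_4",
                                                     "container_1");
  if (container_dir == NULL) {
    printf("FAIL: failed to build the container directory path\n");
    exit(1);
  }
  const char * pid_file = TEST_ROOT "/pid.txt";
  pid_t child = fork();
  if (child == -1) {
    printf("FAIL: failed to fork process for run_container - %s\n",
           strerror(errno));
    exit(1);
  } else if (child == 0) {
    if (launch_container_as_user(username, "app_4", "container_1",
                                 container_dir, script_name,
                                 TEST_ROOT "/creds.txt", pid_file,
                                 extract_values(local_dirs),
                                 extract_values(log_dirs)) != 0) {
      printf("FAIL: failed in child\n");
      exit(42);
    }
    // should never return
    exit(1);
  }
  int status = 0;
  if (waitpid(child, &status, 0) <= 0) {
    printf("FAIL: failed waiting for process %d - %s\n", child,
           strerror(errno));
    exit(1);
  }
  // NOTE(review): status is not inspected; a failed child is only noticed
  // through the missing files checked below.
  if (access(TEST_ROOT "/logs/userlogs/app_4/container_1", R_OK) != 0) {
    printf("FAIL: failed to create container log directory\n");
    exit(1);
  }
  if (access(container_dir, R_OK) != 0) {
    printf("FAIL: failed to create container directory %s\n", container_dir);
    exit(1);
  }
  char buffer[100000];
  // container_dir embeds username; format with a bound and reject truncation.
  int len = snprintf(buffer, sizeof(buffer), "%s/foobar", container_dir);
  if (len < 0 || (size_t) len >= sizeof(buffer)) {
    printf("FAIL: touch file path is too long\n");
    exit(1);
  }
  if (access(buffer, R_OK) != 0) {
    printf("FAIL: failed to create touch file %s\n", buffer);
    exit(1);
  }
  free(container_dir);
  container_dir = get_app_log_directory("logs", "app_4/container_1");
  if (access(container_dir, R_OK) != 0) {
    printf("FAIL: failed to create app log directory %s\n", container_dir);
    exit(1);
  }
  free(container_dir);
  if (access(pid_file, R_OK) != 0) {
    printf("FAIL: failed to create pid file %s\n", pid_file);
    exit(1);
  }
  int pidfd = open(pid_file, O_RDONLY);
  if (pidfd == -1) {
    printf("FAIL: failed to open pid file %s - %s\n", pid_file, strerror(errno));
    exit(1);
  }
  char pidBuf[100];
  ssize_t bytes = read(pidfd, pidBuf, sizeof(pidBuf));
  if (bytes == -1) {
    printf("FAIL: failed to read from pid file %s - %s\n", pid_file, strerror(errno));
    exit(1);
  }
  close(pidfd);
  pid_t mypid = child;
  char myPidBuf[33];
  snprintf(myPidBuf, sizeof(myPidBuf), "%d", mypid);
  // pidBuf holds raw bytes without a terminator, so compare only what was
  // actually read.
  size_t pid_len = strlen(myPidBuf);
  int matches = (size_t) bytes >= pid_len &&
                memcmp(pidBuf, myPidBuf, pid_len) == 0;
  // A longer number that merely starts with our pid is a different pid.
  if (matches && (size_t) bytes > pid_len &&
      pidBuf[pid_len] >= '0' && pidBuf[pid_len] <= '9') {
    matches = 0;
  }
  if (!matches) {
    printf("FAIL: failed to find matching pid in pid file\n");
    printf("FAIL: Expected pid %d : Got %.*s", mypid, (int)bytes, pidBuf);
    exit(1);
  }
}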
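/**
 * Test driver for the container executor.
 *
 * Rebuilds the scratch tree under TEST_ROOT, writes and loads the test
 * configuration, picks the account to test with, and runs every test in
 * order. The account is argv[1] only when the real uid is 0 and exactly one
 * argument was given; otherwise it is the invoking user. The tests that
 * initialise an app and launch a container run only when the real uid is 0.
 *
 * @return 0 when every test passed; any failure exits with a non-zero
 *         status from inside the failing step.
 */
int main(int argc, char **argv) {
  LOGFILE = stdout;
  ERRORFILE = stderr;
  int my_username = 0;
  // clean up any junk from previous run; the tree may not exist yet, so the
  // result is deliberately ignored
  system("chmod -R u=rwx " TEST_ROOT "; rm -fr " TEST_ROOT);
  if (mkdirs(TEST_ROOT "/logs/userlogs", 0755) != 0) {
    exit(1);
  }
  if (write_config_file(TEST_ROOT "/test.cfg") != 0) {
    exit(1);
  }
  read_config(TEST_ROOT "/test.cfg");
  // The directory lists are copied into heap buffers of ARRAY_SIZE bytes;
  // make sure they fit before copying.
  if (sizeof(NM_LOCAL_DIRS) > ARRAY_SIZE || sizeof(NM_LOG_DIRS) > ARRAY_SIZE) {
    printf("FAIL: directory lists do not fit in %d bytes\n", ARRAY_SIZE);
    exit(1);
  }
  local_dirs = malloc(ARRAY_SIZE);
  log_dirs = malloc(ARRAY_SIZE);
  if (local_dirs == NULL || log_dirs == NULL) {
    printf("FAIL: out of memory\n");
    exit(1);
  }
  memcpy(local_dirs, NM_LOCAL_DIRS, sizeof(NM_LOCAL_DIRS));
  memcpy(log_dirs, NM_LOG_DIRS, sizeof(NM_LOG_DIRS));
  create_nm_roots(extract_values(local_dirs));
  if (getuid() == 0 && argc == 2) {
    username = argv[1];
  } else {
    // getpwuid returns NULL when the uid has no passwd entry
    struct passwd *me = getpwuid(getuid());
    if (me == NULL) {
      printf("FAIL: no passwd entry for uid %d\n", (int) getuid());
      exit(1);
    }
    username = strdup(me->pw_name);
    if (username == NULL) {
      printf("FAIL: out of memory\n");
      exit(1);
    }
    my_username = 1;
  }
  set_nm_uid(geteuid(), getegid());
  if (set_user(username)) {
    exit(1);
  }
  printf("\nStarting tests\n");
  printf("\nTesting get_user_directory()\n");
  test_get_user_directory();
  printf("\nTesting get_app_directory()\n");
  test_get_app_directory();
  printf("\nTesting get_container_directory()\n");
  test_get_container_directory();
  printf("\nTesting get_container_launcher_file()\n");
  test_get_container_launcher_file();
  printf("\nTesting get_app_log_dir()\n");
  test_get_app_log_dir();
  test_check_configuration_permissions();
  printf("\nTesting delete_container()\n");
  test_delete_container();
  printf("\nTesting delete_app()\n");
  test_delete_app();
  test_delete_user();
  test_check_user();
  // the tests that change user need to be run in a subshell, so that
  // when they change user they don't give up our privs
  run_test_in_child("test_signal_container", test_signal_container);
  run_test_in_child("test_signal_container_group", test_signal_container_group);
  // init app and run container can't be run if you aren't testing as root
  if (getuid() == 0) {
    // these tests do internal forks so that the change_owner and execs
    // don't mess up our process.
    test_init_app();
    test_run_container();
  }
  // best effort: this fails when the test was not started with root
  // privileges, and the cleanup below then runs as the current user
  seteuid(0);
  run("rm -fr " TEST_ROOT);
  printf("\nFinished tests\n");
  if (my_username) {
    free(username);
  }
  free_configurations();
  return 0;
}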