Skip to content

Commit

Permalink
YARN-11364. Docker Container to accept docker Image name with sha256 …
Browse files Browse the repository at this point in the history 
…digest (#5092)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Reviewed-by: slfan1989 <55643692+slfan1989@users.noreply.github.com>
Signed-off-by: Chris Nauroth <cnauroth@apache.org>
(cherry picked from commit 83acb55)
(cherry picked from commit 0961014)
  • Loading branch information
@ashutoshcipher @cnauroth
ashutoshcipher authored and cnauroth committed Nov 1, 2022
1 parent c0d8a63 commit d26fd21
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 16 deletions.
17 changes: 14 additions & 3 deletions ...p/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
View file
Expand Up @@ -213,6 +213,9 @@ public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
"|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])" +
":[0-9]+:[0-9]+$";
private static final int HOST_NAME_LENGTH = 64;

private static final Pattern DOCKER_DIGEST_PATTERN = Pattern.compile("^sha256:[a-z0-9]{12,64}$");

private static final String DEFAULT_PROCFS = "/proc";

@InterfaceAudience.Private
Expand Down Expand Up @@ -1264,9 +1267,17 @@ public static void validateImageName(String imageName)
throw new ContainerExecutionException(
ENV_DOCKER_CONTAINER_IMAGE + " not set!");
}
if (!dockerImagePattern.matcher(imageName).matches()) {
throw new ContainerExecutionException("Image name '" + imageName
+ "' doesn't match docker image name pattern");
// check if digest is part of imageName, extract and validate it.
String digest = null;
if (imageName.contains("@sha256")) {
String[] digestParts = imageName.split("@");
digest = digestParts[1];
imageName = digestParts[0];
}
if (!dockerImagePattern.matcher(imageName).matches() || (digest != null
&& !DOCKER_DIGEST_PATTERN.matcher(digest).matches())) {
throw new ContainerExecutionException(
"Image name '" + imageName + "' doesn't match docker image name pattern");
}
}

Expand Down
34 changes: 21 additions & 13 deletions ...op/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.java
View file
Expand Up @@ -1950,19 +1950,27 @@ public static Configuration enableMockContainerExecutor(Configuration conf) {

@Test
public void testDockerImageNamePattern() throws Exception {
String[] validNames =
{ "ubuntu", "fedora/httpd:version1.0",
"fedora/httpd:version1.0.test",
"fedora/httpd:version1.0.TEST",
"myregistryhost:5000/ubuntu",
"myregistryhost:5000/fedora/httpd:version1.0",
"myregistryhost:5000/fedora/httpd:version1.0.test",
"myregistryhost:5000/fedora/httpd:version1.0.TEST"};

String[] invalidNames = { "Ubuntu", "ubuntu || fedora", "ubuntu#",
"myregistryhost:50AB0/ubuntu", "myregistry#host:50AB0/ubuntu",
":8080/ubuntu"
};
String[] validNames = {"ubuntu", "fedora/httpd:version1.0", "fedora/httpd:version1.0.test",
"fedora/httpd:version1.0.TEST", "myregistryhost:5000/ubuntu",
"myregistryhost:5000/fedora/httpd:version1.0",
"myregistryhost:5000/fedora/httpd:version1.0.test",
"myregistryhost:5000/fedora/httpd:version1.0.TEST",
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
+ "@sha256:f1d4ae3f7261a72e98c6ebefe9985cf10a0ea5bd762585a43e0700ed99863807"};

String[] invalidNames = {"Ubuntu", "ubuntu || fedora", "ubuntu#", "myregistryhost:50AB0/ubuntu",
"myregistry#host:50AB0/ubuntu", ":8080/ubuntu",

// Invalid: contains "@sha256" but doesn't really contain a digest.
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example@sha256",

// Invalid: digest is too short.
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
+ "@sha256:f1d4",

// Invalid: digest is too long
"123456789123.dkr.ecr.us-east-1.amazonaws.com/emr-docker-examples:pyspark-example"
+ "@sha256:f1d4ae3f7261a72e98c6ebefe9985cf10a0ea5bd762585a43e0700ed99863807f"};

for (String name : validNames) {
DockerLinuxContainerRuntime.validateImageName(name);
Expand Down

0 comments on commit d26fd21

Please sign in to comment.