package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import com.google.common.annotations.VisibleForTesting;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperation;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.CGroupsHandler;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.ResourceHandlerModule;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerClient;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerInspectCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerRunCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerStopCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.class */
public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
    private static final Log LOG = LogFactory.getLog(DockerLinuxContainerRuntime.class);

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_IMAGE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_IMAGE_FILE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE_FILE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_RUN_OVERRIDE_DISABLE = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_NETWORK = "YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_NETWORK";
    public static final String ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS = "YARN_CONTAINER_RUNTIME_DOCKER_LOCAL_RESOURCE_MOUNTS";
    static final String CGROUPS_ROOT_DIRECTORY = "/sys/fs/cgroup";
    private Configuration conf;
    private DockerClient dockerClient;
    private PrivilegedOperationExecutor privilegedOperationExecutor;
    private Set<String> allowedNetworks;
    private String defaultNetwork;
    private CGroupsHandler cGroupsHandler;
    private AccessControlList privilegedContainersAcl;

    public static boolean isDockerContainerRequested(Map<String, String> map) {
        String str;
        return (map == null || (str = map.get(ContainerRuntimeConstants.ENV_CONTAINER_TYPE)) == null || !str.equals("docker")) ? false : true;
    }

    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        this(privilegedOperationExecutor, ResourceHandlerModule.getCGroupsHandler());
    }

    @VisibleForTesting
    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor, CGroupsHandler cGroupsHandler) {
        this.allowedNetworks = new HashSet();
        this.privilegedOperationExecutor = privilegedOperationExecutor;
        if (cGroupsHandler != null) {
            this.cGroupsHandler = cGroupsHandler;
        } else if (LOG.isInfoEnabled()) {
            LOG.info("cGroupsHandler is null - cgroups not in use.");
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime
    public void initialize(Configuration configuration) throws ContainerExecutionException {
        this.conf = configuration;
        this.dockerClient = new DockerClient(configuration);
        this.allowedNetworks.clear();
        this.allowedNetworks.addAll(Arrays.asList(configuration.getTrimmedStrings("yarn.nodemanager.runtime.linux.docker.allowed-container-networks", YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_NETWORKS)));
        this.defaultNetwork = configuration.getTrimmed("yarn.nodemanager.runtime.linux.docker.default-container-network", "host");
        if (this.allowedNetworks.contains(this.defaultNetwork)) {
            this.privilegedContainersAcl = new AccessControlList(configuration.getTrimmed("yarn.nodemanager.runtime.linux.docker.privileged-containers.acl", ""));
            return;
        }
        String str = "Default network: " + this.defaultNetwork + " is not in the set of allowed networks: " + this.allowedNetworks;
        if (LOG.isWarnEnabled()) {
            LOG.warn(str + ". Please check configuration");
        }
        throw new ContainerExecutionException(str);
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void prepareContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    private void validateContainerNetworkType(String str) throws ContainerExecutionException {
        if (!this.allowedNetworks.contains(str)) {
            throw new ContainerExecutionException("Disallowed network:  '" + str + "' specified. Allowed networks: are " + this.allowedNetworks.toString());
        }
    }

    @VisibleForTesting
    protected void addCGroupParentIfRequired(String str, String str2, DockerRunCommand dockerRunCommand) {
        if (this.cGroupsHandler == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("cGroupsHandler is null. cgroups are not in use. nothing to do.");
            }
        } else if (str.equals("cgroups=none")) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("no resource restrictions specified. not using docker's cgroup options");
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("using docker's cgroups options");
            }
            String str3 = "/" + this.cGroupsHandler.getRelativePathForCGroup(str2);
            if (LOG.isDebugEnabled()) {
                LOG.debug("using cgroup parent: " + str3);
            }
            dockerRunCommand.setCGroupParent(str3);
        }
    }

    private boolean allowPrivilegedContainerExecution(Container container) throws ContainerExecutionException {
        String str = (String) container.getLaunchContext().getEnvironment().get(ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER);
        if (str == null) {
            return false;
        }
        if (!str.equalsIgnoreCase("true")) {
            LOG.warn("NOT running a privileged container. Value of YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINERis invalid: " + str);
            return false;
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("Privileged container requested for : " + container.getContainerId().toString());
        }
        if (!this.conf.getBoolean("yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed", false)) {
            LOG.warn("Privileged container being requested but privileged containers are not enabled on this cluster");
            throw new ContainerExecutionException("Privileged container being requested but privileged containers are not enabled on this cluster");
        }
        String user = container.getUser();
        if (!this.privilegedContainersAcl.isUserAllowed(UserGroupInformation.createRemoteUser(user))) {
            String str2 = "Cannot launch privileged container. Submitting user (" + user + ") fails ACL check.";
            LOG.warn(str2);
            throw new ContainerExecutionException(str2);
        }
        if (!LOG.isInfoEnabled()) {
            return true;
        }
        LOG.info("All checks pass. Launching privileged container for : " + container.getContainerId().toString());
        return true;
    }

    @VisibleForTesting
    protected String validateMount(String str, Map<Path, List<String>> map) throws ContainerExecutionException {
        for (Map.Entry<Path, List<String>> entry : map.entrySet()) {
            if (entry.getValue().contains(str)) {
                java.nio.file.Path path = Paths.get(entry.getKey().toString(), new String[0]);
                if (!path.isAbsolute()) {
                    throw new ContainerExecutionException("Mount must be absolute: " + str);
                }
                if (Files.isSymbolicLink(path)) {
                    throw new ContainerExecutionException("Mount cannot be a symlink: " + str);
                }
                return path.toString();
            }
        }
        throw new ContainerExecutionException("Mount must be a localized resource: " + str);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r33v0, types: [java.lang.Throwable, org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException] */
    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void launchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        Container container = containerRuntimeContext.getContainer();
        Map environment = container.getLaunchContext().getEnvironment();
        String str = (String) environment.get(ENV_DOCKER_CONTAINER_IMAGE);
        String str2 = (String) environment.get(ENV_DOCKER_CONTAINER_NETWORK);
        if (str2 == null || str2.isEmpty()) {
            str2 = this.defaultNetwork;
        }
        validateContainerNetworkType(str2);
        if (str == null) {
            throw new ContainerExecutionException("YARN_CONTAINER_RUNTIME_DOCKER_IMAGE not set!");
        }
        String containerId = container.getContainerId().toString();
        String str3 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        Path path = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        List list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCAL_DIRS);
        List list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOG_DIRS);
        List list3 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.FILECACHE_DIRS);
        List list4 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOCAL_DIRS);
        List list5 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOG_DIRS);
        Map<Path, List<String>> map = (Map) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCALIZED_RESOURCES);
        List list6 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER_LOCAL_DIRS);
        DockerRunCommand addMountLocation = new DockerRunCommand(containerId, str3, str).detachOnRun().setContainerWorkDir(path.toString()).setNetworkType(str2).setCapabilities(new HashSet(Arrays.asList(this.conf.getTrimmedStrings("yarn.nodemanager.runtime.linux.docker.capabilities", YarnConfiguration.DEFAULT_NM_DOCKER_CONTAINER_CAPABILITIES)))).addMountLocation(CGROUPS_ROOT_DIRECTORY, "/sys/fs/cgroup:ro", false);
        ArrayList<String> arrayList = new ArrayList(list4);
        arrayList.addAll(list3);
        arrayList.add(path.toString());
        arrayList.addAll(list5);
        arrayList.addAll(list6);
        for (String str4 : arrayList) {
            addMountLocation.addMountLocation(str4, str4, true);
        }
        if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
            String str5 = (String) environment.get(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS);
            if (!str5.isEmpty()) {
                for (String str6 : StringUtils.split(str5)) {
                    String[] split = StringUtils.split(str6, ':');
                    if (split.length != 2) {
                        throw new ContainerExecutionException("Invalid mount : " + str6);
                    }
                    addMountLocation.addMountLocation(validateMount(split[0], map), split[1] + ":ro", true);
                }
            }
        }
        if (allowPrivilegedContainerExecution(container)) {
            addMountLocation.setPrivileged();
        }
        String str7 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS);
        addCGroupParentIfRequired(str7, containerId, addMountLocation);
        Path path2 = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH);
        String str8 = (String) environment.get(ENV_DOCKER_CONTAINER_RUN_OVERRIDE_DISABLE);
        if (str8 == null || !str8.equals("true")) {
            ArrayList arrayList2 = new ArrayList();
            Path path3 = new Path(path, ContainerLaunch.CONTAINER_SCRIPT);
            arrayList2.add("bash");
            arrayList2.add(path3.toUri().getPath());
            addMountLocation.setOverrideCommandWithArgs(arrayList2);
        } else if (LOG.isInfoEnabled()) {
            LOG.info("command override disabled");
        }
        String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(addMountLocation, containerId);
        PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.LAUNCH_DOCKER_CONTAINER);
        privilegedOperation.appendArgs(str3, (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.LAUNCH_DOCKER_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.APPID), containerId, path.toString(), path2.toUri().getPath(), ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TOKENS_PATH)).toUri().getPath(), ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID_FILE_PATH)).toString(), StringUtils.join('%', list), StringUtils.join('%', list2), writeCommandToTempFile, str7);
        String str9 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.TC_COMMAND_FILE);
        if (str9 != null) {
            privilegedOperation.appendArgs(str9);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Launching container with cmd: " + addMountLocation.getCommandWithArguments());
        }
        try {
            this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, container.getLaunchContext().getEnvironment(), false, false);
        } catch (PrivilegedOperationException e) {
            LOG.warn("Launch container failed. Exception: ", e);
            LOG.info("Docker command used: " + addMountLocation.getCommandWithArguments());
            throw new ContainerExecutionException("Launch container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void signalContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        PrivilegedOperation privilegedOperation;
        Container container = containerRuntimeContext.getContainer();
        if (ContainerExecutor.Signal.NULL.equals((ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL))) {
            privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
            privilegedOperation.appendArgs((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID), Integer.toString(((ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL)).getValue()));
        } else {
            String containerId = containerRuntimeContext.getContainer().getContainerId().toString();
            String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(new DockerStopCommand(containerId), containerId);
            privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
            privilegedOperation.appendArgs(writeCommandToTempFile);
        }
        privilegedOperation.disableFailureLogging();
        try {
            this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, container.getLaunchContext().getEnvironment(), false, false);
        } catch (PrivilegedOperationException e) {
            throw new ContainerExecutionException("Signal container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void reapContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public String[] getIpAndHost(Container container) {
        String containerId = container.getContainerId().toString();
        try {
            String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(new DockerInspectCommand(containerId).getIpAndHost(), containerId);
            PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
            privilegedOperation.appendArgs(writeCommandToTempFile);
            String executePrivilegedOperation = this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, container.getLaunchContext().getEnvironment(), true, false);
            LOG.info("Docker inspect output for " + containerId + ": " + executePrivilegedOperation);
            int lastIndexOf = executePrivilegedOperation.lastIndexOf(44);
            if (lastIndexOf != -1) {
                return new String[]{executePrivilegedOperation.substring(0, lastIndexOf).trim(), executePrivilegedOperation.substring(lastIndexOf + 1).trim()};
            }
            LOG.error("Incorrect format for ip and host");
            return null;
        } catch (PrivilegedOperationException e) {
            LOG.error("Error when executing command.", e);
            return null;
        } catch (ContainerExecutionException e2) {
            LOG.error("Error when writing command to temp file", e2);
            return null;
        }
    }
}
