package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.util.concurrent.HadoopExecutors;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.LocalResource;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.api.deviceplugin.MountDeviceSpec;
import org.apache.hadoop.yarn.server.nodemanager.api.deviceplugin.MountVolumeSpec;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperation;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.CGroupsHandler;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.ResourceHandlerModule;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.ImageManifest;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.RuncContainerExecutorConfig;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.RuncImageTagToManifestPlugin;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.RuncManifestToResourcesPlugin;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.LocalResourceRequest;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.LocalizedResource;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ResourceLocalizationService;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.volume.csi.ContainerVolumePublisher;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerExecContext;

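/**
 * Linux container runtime that launches YARN containers through runC.
 *
 * <p>The runtime resolves an image tag to a manifest, turns that manifest into localizable
 * resources (one config resource plus layer resources), assembles a
 * {@link RuncContainerExecutorConfig}, serializes it to a JSON file and passes the file path to
 * the privileged operation executor.
 *
 * <p>Security-relevant inputs: the image tag, the hostname and the extra mount list are all read
 * from the container launch environment, and the {@code Env}/{@code Entrypoint} values are read
 * from the localized image config. This class parses them but applies no allow-list to mount
 * sources or image names itself.
 * NOTE(review): presumably the privileged executor enforces the mount/image policy - confirm
 * before relying on it.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public class RuncContainerRuntime extends OCIContainerRuntime {

    /** Launch-environment key naming the image to run. */
    @InterfaceAudience.Private
    public static final String ENV_RUNC_CONTAINER_IMAGE = "YARN_CONTAINER_RUNTIME_RUNC_IMAGE";

    /** Launch-environment key carrying the caller-requested extra bind mounts. */
    @InterfaceAudience.Private
    public static final String ENV_RUNC_CONTAINER_MOUNTS = "YARN_CONTAINER_RUNTIME_RUNC_MOUNTS";

    /** Launch-environment key carrying the requested container hostname. */
    @InterfaceAudience.Private
    public static final String ENV_RUNC_CONTAINER_HOSTNAME = "YARN_CONTAINER_RUNTIME_RUNC_CONTAINER_HOSTNAME";
    private Configuration conf;
    private Context nmContext;
    private PrivilegedOperationExecutor privilegedOperationExecutor;
    private CGroupsHandler cGroupsHandler;
    private RuncImageTagToManifestPlugin imageTagToManifestPlugin;
    private RuncManifestToResourcesPlugin manifestToResourcesPlugin;
    private ObjectMapper mapper;
    // Contents of the seccomp profile file; stays null when no profile is configured.
    private String seccomp;
    private int layersToKeep;
    private String defaultRuncImage;
    private ScheduledExecutorService exec;
    // Path of the seccomp profile file as configured.
    private String seccompProfile;
    private Set<String> defaultROMounts;
    private Set<String> defaultRWMounts;
    private Set<String> allowedNetworks;
    private Set<String> allowedRuntimes;
    private AccessControlList privilegedContainersAcl;
    private static final Log LOG = LogFactory.getLog(RuncContainerRuntime.class);

    @InterfaceAudience.Private
    private static final String RUNTIME_TYPE = "RUNC";

    @InterfaceAudience.Private
    public static final String ENV_RUNC_CONTAINER_PID_NAMESPACE = formatOciEnvKey(RUNTIME_TYPE, OCIContainerRuntime.CONTAINER_PID_NAMESPACE_SUFFIX);

    @InterfaceAudience.Private
    public static final String ENV_RUNC_CONTAINER_RUN_PRIVILEGED_CONTAINER = formatOciEnvKey(RUNTIME_TYPE, OCIContainerRuntime.RUN_PRIVILEGED_CONTAINER_SUFFIX);

    /**
     * Per-container runtime data: the image config resource and its layer resources, stored on
     * the container by {@link #getLocalResources(Container)} and read back at launch.
     */
    @InterfaceStability.Unstable
    static class RuncRuntimeObject {
        private final List<LocalResource> layers;
        private final LocalResource config;

        RuncRuntimeObject(LocalResource localResource, List<LocalResource> list) {
            this.config = localResource;
            this.layers = list;
        }

        /** @return the image config resource */
        public LocalResource getConfig() {
            return this.config;
        }

        /** @return the image layer resources, in the order they were supplied */
        public List<LocalResource> getOCILayers() {
            return this.layers;
        }
    }

    /**
     * Creates a runtime that uses the cgroups handler published by {@link ResourceHandlerModule}.
     *
     * @param privilegedOperationExecutor executor used for every privileged operation
     */
    public RuncContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        this(privilegedOperationExecutor, ResourceHandlerModule.getCGroupsHandler());
    }

    /**
     * Creates a runtime with an explicit cgroups handler.
     *
     * @param privilegedOperationExecutor executor used for every privileged operation
     * @param cGroupsHandler cgroups handler, or {@code null} when cgroups are not in use
     */
    @VisibleForTesting
    public RuncContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor, CGroupsHandler cGroupsHandler) {
        super(privilegedOperationExecutor, cGroupsHandler);
        this.defaultROMounts = new HashSet<>();
        this.defaultRWMounts = new HashSet<>();
        this.allowedNetworks = new HashSet<>();
        this.allowedRuntimes = new HashSet<>();
        this.privilegedOperationExecutor = privilegedOperationExecutor;
        if (cGroupsHandler == null) {
            LOG.info("cGroupsHandler is null - cgroups not in use.");
        } else {
            this.cGroupsHandler = cGroupsHandler;
        }
    }

    /**
     * Loads the runtime settings from configuration and instantiates both plugins.
     *
     * @param configuration NodeManager configuration
     * @param context NodeManager context
     * @throws ContainerExecutionException if a plugin cannot be created or the configured
     *     seccomp profile cannot be read
     */
    @Override
    public void initialize(Configuration configuration, Context context) throws ContainerExecutionException {
        super.initialize(configuration, context);
        this.conf = configuration;
        this.nmContext = context;
        this.imageTagToManifestPlugin = chooseImageTagToManifestPlugin();
        this.imageTagToManifestPlugin.init(this.conf);
        this.manifestToResourcesPlugin = chooseManifestToResourcesPlugin();
        this.manifestToResourcesPlugin.init(this.conf);
        this.mapper = new ObjectMapper();
        this.defaultRuncImage = this.conf.get("yarn.nodemanager.runtime.linux.runc.image-name");
        // Reset every policy set so a second initialize() reflects only the current configuration.
        // The default mount sets used to keep entries from an earlier configuration.
        this.allowedNetworks.clear();
        this.allowedRuntimes.clear();
        this.defaultROMounts.clear();
        this.defaultRWMounts.clear();
        this.allowedNetworks.addAll(Arrays.asList(this.conf.getTrimmedStrings("yarn.nodemanager.runtime.linux.runc.allowed-container-networks", YarnConfiguration.DEFAULT_NM_RUNC_ALLOWED_CONTAINER_NETWORKS)));
        this.allowedRuntimes.addAll(Arrays.asList(this.conf.getTrimmedStrings("yarn.nodemanager.runtime.linux.runc.allowed-container-runtimes", YarnConfiguration.DEFAULT_NM_RUNC_ALLOWED_CONTAINER_RUNTIMES)));
        this.privilegedContainersAcl = new AccessControlList(this.conf.getTrimmed("yarn.nodemanager.runtime.linux.runc.privileged-containers.acl", ""));
        this.seccompProfile = this.conf.get("yarn.nodemanager.runtime.linux.runc.seccomp-profile");
        this.defaultROMounts.addAll(Arrays.asList(this.conf.getTrimmedStrings("yarn.nodemanager.runtime.linux.runc.default-ro-mounts")));
        this.defaultRWMounts.addAll(Arrays.asList(this.conf.getTrimmedStrings("yarn.nodemanager.runtime.linux.runc.default-rw-mounts")));
        try {
            // With no profile configured, seccomp stays null and this class passes no seccomp
            // policy into the generated OCI Linux config.
            if (this.seccompProfile != null) {
                this.seccomp = new String(Files.readAllBytes(Paths.get(this.seccompProfile)), StandardCharsets.UTF_8);
            }
        } catch (IOException e) {
            throw new ContainerExecutionException(e);
        }
        this.layersToKeep = this.conf.getInt("yarn.nodemanager.runtime.linux.runc.layer-mounts-to-keep", 100);
    }

    /**
     * Starts the periodic layer-mount reaper and both plugins.
     *
     * <p>The reaper runs immediately and then at the configured interval (default 600 seconds).
     */
    @Override
    public void start() {
        int intervalSecs = this.conf.getInt("yarn.nodemanager.runtime.linux.runc.layer-mounts-interval-secs", 600);
        this.exec = HadoopExecutors.newScheduledThreadPool(1);
        this.exec.scheduleAtFixedRate(this::reapLayerMounts, 0L, intervalSecs, TimeUnit.SECONDS);
        this.imageTagToManifestPlugin.start();
        this.manifestToResourcesPlugin.start();
    }

    /**
     * Runs one REAP_RUNC_LAYER_MOUNTS privileged operation, passing the keep count.
     * Every exception is logged and swallowed so that the fixed-rate schedule is not cancelled.
     */
    private void reapLayerMounts() {
        try {
            PrivilegedOperation reapOp = new PrivilegedOperation(PrivilegedOperation.OperationType.REAP_RUNC_LAYER_MOUNTS);
            reapOp.appendArgs(Integer.toString(this.layersToKeep));
            try {
                String output = this.privilegedOperationExecutor.executePrivilegedOperation(null, reapOp, null, null, false, false);
                if (output != null) {
                    LOG.info("Reap layer mounts thread: " + output);
                }
            } catch (PrivilegedOperationException e) {
                LOG.warn("Failed to reap old runc layer mounts", e);
            }
        } catch (Exception e) {
            LOG.warn("Reap layer mount thread caught an exception: ", e);
        }
    }

    /** Stops the reaper (when it was started) and both plugins. */
    @Override
    public void stop() {
        // exec is only assigned in start(); guard so stop() before start() still stops the plugins.
        if (this.exec != null) {
            this.exec.shutdownNow();
        }
        this.imageTagToManifestPlugin.stop();
        this.manifestToResourcesPlugin.stop();
    }

    /**
     * Builds the runC configuration for a container and launches it via a RUN_RUNC_CONTAINER
     * privileged operation.
     *
     * <p>Image-provided {@code Env} and {@code Entrypoint} values are copied into the process
     * config; the entrypoint is followed by {@code bash <workdir>/<launch script>}.
     *
     * @param containerRuntimeContext launch context carrying the container and its attributes
     * @throws ContainerExecutionException if a resource is not localized, the config cannot be
     *     read or written, or the privileged operation fails
     */
    @Override
    public void launchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        List<String> processEnv = new ArrayList<>();
        Container container = containerRuntimeContext.getContainer();
        String runAsUser = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        String user = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER);
        ContainerId containerId = container.getContainerId();
        ApplicationId applicationId = containerId.getApplicationAttemptId().getApplicationId();
        Map<String, String> environment = container.getLaunchContext().getEnvironment();
        ArrayList<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts = new ArrayList<>();
        List<RuncContainerExecutorConfig.OCILayer> layers = new ArrayList<>();
        // The hostname comes from the launch environment; validate it before it reaches the config.
        String hostname = environment.get(ENV_RUNC_CONTAINER_HOSTNAME);
        validateHostname(hostname);
        String containerIdStr = containerId.toString();
        String applicationIdStr = applicationId.toString();
        Path workDir = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        RuncRuntimeObject runtimeObject = (RuncRuntimeObject) container.getContainerRuntimeData(RuncRuntimeObject.class);
        List<LocalResource> layerResources = runtimeObject.getOCILayers();
        ResourceLocalizationService localizer = this.nmContext.getContainerManager().getResourceLocalizationService();
        List<String> processArgs = new ArrayList<>();
        try {
            LocalResource configResource = runtimeObject.getConfig();
            LocalizedResource localizedConfig = localizer.getLocalizedResource(new LocalResourceRequest(configResource), user, applicationId);
            if (localizedConfig == null) {
                throw new ContainerExecutionException("Could not successfully localize layers. rsrc: " + configResource.getResource().getFile());
            }
            File imageConfigFile = new File(localizedConfig.getLocalPath().toString());
            List<String> imageEnv = extractImageEnv(imageConfigFile);
            if (imageEnv != null && !imageEnv.isEmpty()) {
                processEnv.addAll(imageEnv);
            }
            List<String> imageEntrypoint = extractImageEntrypoint(imageConfigFile);
            if (imageEntrypoint != null && !imageEntrypoint.isEmpty()) {
                processArgs.addAll(imageEntrypoint);
            }
            for (LocalResource layerResource : layerResources) {
                LocalizedResource localizedLayer = localizer.getLocalizedResource(new LocalResourceRequest(layerResource), user, applicationId);
                // A layer that is not localized used to surface as a NullPointerException; report
                // it the same way as a missing config resource.
                if (localizedLayer == null) {
                    throw new ContainerExecutionException("Could not successfully localize layers. rsrc: " + layerResource.getResource().getFile());
                }
                layers.add(new RuncContainerExecutorConfig.OCILayer("application/vnd.squashfs", localizedLayer.getLocalPath().toString()));
            }
            setContainerMounts(mounts, containerRuntimeContext, workDir, environment);
            String resourcesOptions = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS);
            Path containerScriptPath = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH);
            Path tokensPath = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TOKENS_PATH);
            // Value passed as the first CPU argument of the OCI Linux config, floored at 2.
            // NOTE(review): presumably CPU shares - confirm against RuncContainerExecutorConfig.
            int cpuValue = Math.max(container.getResource().getVirtualCores(), 2);
            Path launchScript = new Path(workDir, ContainerLaunch.CONTAINER_SCRIPT);
            processArgs.add("bash");
            processArgs.add(launchScript.toUri().getPath());
            String cgroupPath = getCgroupPath(resourcesOptions, "runc-" + containerIdStr);
            String pidFile = ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID_FILE_PATH)).toString();
            List<String> localDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCAL_DIRS);
            List<String> logDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOG_DIRS);
            Path keystorePath = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_KEYSTORE_PATH);
            Path truststorePath = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TRUSTSTORE_PATH);
            // The flag is 1 only when both stores are present; otherwise neither path is passed on.
            int keystoresPresent = 0;
            String keystore = null;
            String truststore = null;
            if (keystorePath != null && truststorePath != null) {
                keystoresPresent = 1;
                keystore = keystorePath.toUri().getPath();
                truststore = truststorePath.toUri().getPath();
            }
            RuncContainerExecutorConfig.OCIRuntimeConfig runtimeConfig = new RuncContainerExecutorConfig.OCIRuntimeConfig(null, mounts, createOCIProcessConfig(workDir.toString(), processEnv, processArgs), hostname, null, null, createOCILinuxConfig(cpuValue, cgroupPath, this.seccomp));
            RuncContainerExecutorConfig executorConfig = createRuncContainerExecutorConfig(runAsUser, user, containerIdStr, applicationIdStr, pidFile, containerScriptPath.toString(), tokensPath.toString(), keystoresPresent, keystore, truststore, localDirs, logDirs, layers, runtimeConfig);
            String configFile = writeCommandToFile(executorConfig, container);
            PrivilegedOperation launchOp = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_RUNC_CONTAINER);
            launchOp.appendArgs(configFile);
            try {
                this.privilegedOperationExecutor.executePrivilegedOperation(null, launchOp, null, null, false, false);
            } catch (PrivilegedOperationException e) {
                LOG.info("Launch container failed: ", e);
                // The serialized config carries the process environment and host paths, so only
                // serialize it when debug logging is actually enabled.
                if (LOG.isDebugEnabled()) {
                    try {
                        LOG.debug("config.json used: " + this.mapper.writeValueAsString(executorConfig));
                    } catch (IOException jsonError) {
                        LOG.info("Json Generation Exception", jsonError);
                    }
                }
                throw new ContainerExecutionException("Launch container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
            }
        } catch (IOException | URISyntaxException e) {
            throw new ContainerExecutionException(e);
        }
    }

    /**
     * Resolves the cgroup path to place in the runC config.
     *
     * @param resourcesOptions resource options string; {@code "cgroups=none"} disables cgroups
     * @param cgroupName cgroup name to resolve
     * @return the absolute cgroup path, or {@code null} when cgroups are not used
     */
    private String getCgroupPath(String resourcesOptions, String cgroupName) {
        if (this.cGroupsHandler == null) {
            LOG.debug("cGroupsHandler is null. cgroups are not in use. nothing to do.");
            return null;
        }
        if (resourcesOptions.equals("cgroups=none")) {
            LOG.debug("no resource restrictions specified. not using runc's cgroup options");
            return null;
        }
        LOG.debug("using runc's cgroups options");
        String cgroupParent = "/" + this.cGroupsHandler.getRelativePathForCGroup(cgroupName);
        LOG.debug("using cgroup parent: " + cgroupParent);
        return cgroupParent;
    }

    /**
     * Parses the mount list from {@link #ENV_RUNC_CONTAINER_MOUNTS} and appends one bind mount
     * per entry.
     *
     * <p>The list is caller-controlled. A missing mode is treated as read-write, and no
     * allow-list is applied to the source path here.
     * NOTE(review): presumably the privileged executor checks sources against its own allowed
     * mount configuration - confirm.
     *
     * @param mounts mount list to append to
     * @param environment container launch environment
     * @param localizedResources localized resources used to resolve non-absolute sources
     * @throws ContainerExecutionException if the list or any mode cannot be parsed
     */
    private void addUserMounts(List<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts, Map<String, String> environment, Map<Path, List<String>> localizedResources) throws ContainerExecutionException {
        if (!environment.containsKey(ENV_RUNC_CONTAINER_MOUNTS)) {
            return;
        }
        String userMounts = environment.get(ENV_RUNC_CONTAINER_MOUNTS);
        Matcher matcher = USER_MOUNT_PATTERN.matcher(userMounts);
        if (!matcher.find()) {
            throw new ContainerExecutionException("Unable to parse user supplied mount list: " + userMounts);
        }
        matcher.reset();
        long parsedCount = 0;
        while (matcher.find()) {
            parsedCount++;
            String source = matcher.group(1);
            // A non-absolute source is resolved against the localized resources instead.
            if (!Paths.get(source).isAbsolute()) {
                source = mountReadOnlyPath(source, localizedResources);
            }
            String destination = matcher.group(2);
            String mode = matcher.group(4);
            boolean readWrite;
            if (mode == null || mode.equals(MountDeviceSpec.RW)) {
                readWrite = true;
            } else if (mode.equals(MountVolumeSpec.READONLYOPTION)) {
                readWrite = false;
            } else {
                throw new ContainerExecutionException("Unable to parse mode of some mounts in user supplied mount list: " + userMounts);
            }
            addRuncMountLocation(mounts, source, destination, false, readWrite);
        }
        // Every comma-separated entry must have matched; otherwise part of the list was skipped.
        long expectedCount = userMounts.chars().filter(c -> c == ',').count() + 1;
        if (parsedCount != expectedCount) {
            throw new ContainerExecutionException("Unable to parse some mounts in user supplied mount list: " + userMounts);
        }
    }

    /**
     * Appends the configured default mounts, each written as {@code source:destination}.
     *
     * @param mounts mount list to append to
     * @param defaultMounts configured entries; {@code null} or empty adds nothing
     * @param skipExistenceCheck add the mount even when the source does not exist
     * @param readWrite whether the mounts are read-write
     * @throws ContainerExecutionException if an entry does not split into exactly two parts
     */
    private void addDefaultMountLocation(List<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts, Set<String> defaultMounts, boolean skipExistenceCheck, boolean readWrite) throws ContainerExecutionException {
        if (defaultMounts == null || defaultMounts.isEmpty()) {
            return;
        }
        for (String entry : defaultMounts) {
            String[] parts = StringUtils.split(entry, ':');
            if (parts.length != 2) {
                throw new ContainerExecutionException("Invalid mount : " + entry);
            }
            addRuncMountLocation(mounts, parts[0], parts[1], skipExistenceCheck, readWrite);
        }
    }

    /**
     * Appends one bind mount with the {@code rbind} and {@code rprivate} options.
     *
     * <p>When {@code skipExistenceCheck} is false and the source does not exist, the mount is
     * silently dropped rather than reported.
     *
     * @param mounts mount list to append to
     * @param source host path
     * @param destination path inside the container
     * @param skipExistenceCheck add the mount even when the source does not exist
     * @param readWrite whether the mount is read-write
     */
    private void addRuncMountLocation(List<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts, String source, String destination, boolean skipExistenceCheck, boolean readWrite) {
        if (!skipExistenceCheck && !new File(source).exists()) {
            return;
        }
        List<String> options = new ArrayList<>();
        options.add(readWrite ? MountDeviceSpec.RW : MountVolumeSpec.READONLYOPTION);
        options.add("rbind");
        options.add("rprivate");
        mounts.add(new RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount(destination, "bind", source, options));
    }

    /** Appends each path as a bind mount whose source and destination are the same path. */
    private void addAllRuncMountLocations(List<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts, List<String> paths, boolean skipExistenceCheck, boolean readWrite) {
        for (String path : paths) {
            addRuncMountLocation(mounts, path, path, skipExistenceCheck, readWrite);
        }
    }

    /**
     * Adds the image config and layer resources to the container's local resources and records
     * them on the container as a {@link RuncRuntimeObject}.
     *
     * <p>The image tag is read from the launch environment, falling back to the configured
     * default image, and is passed to the tag-to-manifest plugin without validation here.
     *
     * @param container container being prepared
     * @return the container's local resource map, with the runC entries added
     * @throws IOException if the manifest or its resources cannot be resolved
     */
    @Override
    public Map<String, LocalResource> getLocalResources(Container container) throws IOException {
        Map<String, LocalResource> localResources = container.getLaunchContext().getLocalResources();
        long suffix = 0;
        Map<String, String> environment = container.getLaunchContext().getEnvironment();
        String imageTag = environment.get(ENV_RUNC_CONTAINER_IMAGE);
        if (imageTag == null || imageTag.isEmpty()) {
            environment.put(ENV_RUNC_CONTAINER_IMAGE, this.defaultRuncImage);
            imageTag = this.defaultRuncImage;
        }
        ImageManifest manifest = this.imageTagToManifestPlugin.getManifestFromImageTag(imageTag);
        LocalResource configResource = this.manifestToResourcesPlugin.getConfigResource(manifest);
        List<LocalResource> layerResources = this.manifestToResourcesPlugin.getLayerResources(manifest);
        container.setContainerRuntimeData(new RuncRuntimeObject(configResource, layerResources));
        // Take each layer once and retry only the key on a collision. Calling next() inside the
        // retry condition consumed a fresh layer per retry, dropping layers and running the
        // iterator past its end.
        for (LocalResource layerResource : layerResources) {
            while (localResources.putIfAbsent("runc-layer" + Long.toString(suffix), layerResource) != null) {
                suffix++;
            }
        }
        while (localResources.putIfAbsent("runc-config" + Long.toString(suffix), configResource) != null) {
            suffix++;
        }
        return localResources;
    }

    /**
     * Instantiates the configured image-tag-to-manifest plugin.
     *
     * <p>The class name comes from NodeManager configuration, so whoever can edit that
     * configuration chooses the code loaded here. The type is checked before the constructor
     * runs, so a class of the wrong type is rejected without being instantiated.
     *
     * @return a new plugin instance
     * @throws ContainerExecutionException if the class cannot be loaded, is not a
     *     {@link RuncImageTagToManifestPlugin}, or cannot be instantiated
     */
    protected RuncImageTagToManifestPlugin chooseImageTagToManifestPlugin() throws ContainerExecutionException {
        String pluginName = this.conf.get("yarn.nodemanager.runtime.linux.runc.image-tag-to-manifest-plugin", "org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.ImageTagToManifestPlugin");
        try {
            return Class.forName(pluginName).asSubclass(RuncImageTagToManifestPlugin.class).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    /**
     * Instantiates the configured manifest-to-resources plugin.
     *
     * <p>The class name comes from NodeManager configuration; the type is checked before the
     * constructor runs.
     *
     * @return a new plugin instance
     * @throws ContainerExecutionException if the class cannot be loaded, is not a
     *     {@link RuncManifestToResourcesPlugin}, or cannot be instantiated
     */
    protected RuncManifestToResourcesPlugin chooseManifestToResourcesPlugin() throws ContainerExecutionException {
        String pluginName = this.conf.get("yarn.nodemanager.runtime.linux.runc.manifest-to-resources-plugin", "org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.runc.HdfsManifestToResourcesPlugin");
        LOG.info("pluginName = " + pluginName);
        try {
            return Class.forName(pluginName).asSubclass(RuncManifestToResourcesPlugin.class).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    /**
     * Reads {@code config.Env} from a localized image config file.
     *
     * @param file image config JSON file
     * @return the environment entries, or {@code null} when the field is absent or JSON null
     * @throws IOException if the file cannot be read or the field is not an array of strings
     */
    protected List<String> extractImageEnv(File file) throws IOException {
        return readConfigStringList(file, "Env");
    }

    /**
     * Reads {@code config.Entrypoint} from a localized image config file.
     *
     * @param file image config JSON file
     * @return the entrypoint arguments, or {@code null} when the field is absent or JSON null
     * @throws IOException if the file cannot be read or the field is not an array of strings
     */
    protected List<String> extractImageEntrypoint(File file) throws IOException {
        return readConfigStringList(file, "Entrypoint");
    }

    /**
     * Reads {@code config.<fieldName>} as a list of strings.
     * The image config is image-supplied data, so the shape is checked explicitly instead of
     * binding to a raw {@code List} whose elements could be of any JSON type.
     */
    private List<String> readConfigStringList(File file, String fieldName) throws IOException {
        JsonNode node = this.mapper.readTree(file).path("config").path(fieldName);
        if (node.isMissingNode() || node.isNull()) {
            return null;
        }
        if (!node.isArray()) {
            throw new IOException("Image config field config." + fieldName + " is not an array in " + file);
        }
        List<String> values = new ArrayList<>(node.size());
        for (JsonNode element : node) {
            if (!element.isTextual()) {
                throw new IOException("Image config field config." + fieldName + " contains a non-string entry in " + file);
            }
            values.add(element.asText());
        }
        return values;
    }

    /** Wraps the launch parameters and runtime config, adding the configured layer keep count. */
    private RuncContainerExecutorConfig createRuncContainerExecutorConfig(String runAsUser, String user, String containerId, String applicationId, String pidFile, String containerScriptPath, String tokensPath, int keystoresPresent, String keystore, String truststore, List<String> localDirs, List<String> logDirs, List<RuncContainerExecutorConfig.OCILayer> layers, RuncContainerExecutorConfig.OCIRuntimeConfig runtimeConfig) {
        return new RuncContainerExecutorConfig(runAsUser, user, containerId, applicationId, pidFile, containerScriptPath, tokensPath, keystoresPresent, keystore, truststore, localDirs, logDirs, layers, this.layersToKeep, runtimeConfig);
    }

    /** Builds the process section from the working directory, environment and arguments. */
    private RuncContainerExecutorConfig.OCIRuntimeConfig.OCIProcessConfig createOCIProcessConfig(String workDir, List<String> env, List<String> args) {
        return new RuncContainerExecutorConfig.OCIRuntimeConfig.OCIProcessConfig(false, null, workDir, env, args, null, null, null, false, 0, null, null);
    }

    /**
     * Builds the Linux section carrying the cgroup path, one CPU value and the seccomp profile
     * text; {@code seccompText} is null when no profile was configured.
     */
    private RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig createOCILinuxConfig(long cpuValue, String cgroupPath, String seccompText) {
        RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig.Resources.CPU cpu = new RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig.Resources.CPU(cpuValue, 0L, 0L, 0L, 0L, null, null);
        RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig.Resources resources = new RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig.Resources(null, null, cpu, null, null, null, null, null);
        return new RuncContainerExecutorConfig.OCIRuntimeConfig.OCILinuxConfig(null, null, null, null, cgroupPath, resources, null, null, seccompText, null, null, null, null);
    }

    /**
     * Collects every mount for the container: private tmp directories, log and application
     * directories (read-write), file caches (read-only), configured defaults, then the
     * caller-requested mounts.
     *
     * @throws ContainerExecutionException if a default or user mount entry is malformed
     */
    private void setContainerMounts(ArrayList<RuncContainerExecutorConfig.OCIRuntimeConfig.OCIMount> mounts, ContainerRuntimeContext containerRuntimeContext, Path workDir, Map<String, String> environment) throws ContainerExecutionException {
        List<String> filecacheDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.FILECACHE_DIRS);
        List<String> containerLogDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOG_DIRS);
        List<String> userFilecacheDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER_FILECACHE_DIRS);
        List<String> applicationLocalDirs = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.APPLICATION_LOCAL_DIRS);
        Map<Path, List<String>> localizedResources = (Map) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCALIZED_RESOURCES);
        String workDirPath = workDir.toString();
        addRuncMountLocation(mounts, workDirPath + "/private_slash_tmp", "/tmp", true, true);
        addRuncMountLocation(mounts, workDirPath + "/private_var_slash_tmp", "/var/tmp", true, true);
        addAllRuncMountLocations(mounts, containerLogDirs, true, true);
        addAllRuncMountLocations(mounts, applicationLocalDirs, true, true);
        addAllRuncMountLocations(mounts, filecacheDirs, false, false);
        addAllRuncMountLocations(mounts, userFilecacheDirs, false, false);
        addDefaultMountLocation(mounts, this.defaultROMounts, false, false);
        addDefaultMountLocation(mounts, this.defaultRWMounts, false, true);
        addUserMounts(mounts, environment, localizedResources);
    }

    /**
     * Serializes the executor config to {@code runc-config.json} in the container's
     * {@code nmPrivate} directory and returns the file's absolute path.
     *
     * <p>The returned path is the argument of the privileged launch operation, so the file must
     * live in the NodeManager-private directory. When that directory cannot be resolved the
     * method now fails instead of writing to a relative {@code null/runc-config.json}.
     *
     * @param runcContainerExecutorConfig config to serialize
     * @param container container the config belongs to
     * @return absolute path of the written config file
     * @throws ContainerExecutionException if the directory cannot be resolved or created, or the
     *     file cannot be written
     */
    public String writeCommandToFile(RuncContainerExecutorConfig runcContainerExecutorConfig, Container container) throws ContainerExecutionException {
        ContainerId containerId = container.getContainerId();
        String containerIdStr = containerId.toString();
        ApplicationId applicationId = containerId.getApplicationAttemptId().getApplicationId();
        try {
            File privateDir = null;
            if (this.nmContext != null && this.nmContext.getLocalDirsHandler() != null) {
                privateDir = new File(this.nmContext.getLocalDirsHandler().getLocalPathForWrite("nmPrivate/" + applicationId + "/" + containerIdStr + "/").toString());
                if (!privateDir.mkdirs() && !privateDir.exists()) {
                    throw new IOException("Cannot create container private directory " + privateDir);
                }
            }
            if (privateDir == null) {
                throw new IOException("No container private directory available for " + containerIdStr);
            }
            File configFile = new File(privateDir, "runc-config.json");
            try {
                this.mapper.writeValue(configFile, runcContainerExecutorConfig);
                return configFile.getAbsolutePath();
            } catch (IOException e) {
                throw new ContainerExecutionException(e);
            }
        } catch (IOException e) {
            LOG.warn("Unable to write runc config.json to temporary file!");
            throw new ContainerExecutionException(e);
        }
    }

    /** Not implemented for this runtime; always returns {@code null}. */
    @Override
    public String getExposedPorts(Container container) {
        return null;
    }

    /** Not implemented for this runtime; always returns {@code null}. */
    @Override
    public String[] getIpAndHost(Container container) {
        return null;
    }

    /** Not implemented for this runtime; always returns {@code null}. */
    @Override
    public IOStreamPair execContainer(ContainerExecContext containerExecContext) throws ContainerExecutionException {
        return null;
    }

    /** No-op for this runtime. */
    @Override
    public void reapContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    /** No-op for this runtime. */
    @Override
    public void relaunchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    /**
     * Tells whether the runC runtime is selected.
     *
     * <p>The container-type entry of the launch environment takes precedence over the
     * configured default runtime type.
     *
     * @param configuration NodeManager configuration supplying the default type
     * @param map launch environment, may be {@code null}
     * @return {@code true} when the effective runtime type is runC
     */
    public static boolean isRuncContainerRequested(Configuration configuration, Map<String, String> map) {
        String runtimeType = map == null ? null : map.get(ContainerRuntimeConstants.ENV_CONTAINER_TYPE);
        if (runtimeType == null) {
            runtimeType = configuration.get("yarn.nodemanager.runtime.linux.type");
        }
        return runtimeType != null && runtimeType.equals(ContainerRuntimeConstants.CONTAINER_RUNTIME_RUNC);
    }

    /** @return whether the given launch environment selects this runtime */
    @Override
    public boolean isRuntimeRequested(Map<String, String> map) {
        return isRuncContainerRequested(this.conf, map);
    }

    /**
     * Sends a signal to the container through a SIGNAL_CONTAINER privileged operation.
     * For KILL and TERM the container's CSI volumes are unpublished first.
     *
     * @param containerRuntimeContext context carrying the signal, users and pid
     * @throws ContainerExecutionException if unpublishing or the privileged operation fails
     */
    @Override
    public void signalContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        ContainerExecutor.Signal signal = (ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL);
        Container container = containerRuntimeContext.getContainer();
        if (signal == ContainerExecutor.Signal.KILL || signal == ContainerExecutor.Signal.TERM) {
            try {
                new ContainerVolumePublisher(container, container.getCsiVolumesRootDir(), this).unpublishVolumes();
            } catch (YarnException | IOException e) {
                throw new ContainerExecutionException((Throwable) e);
            }
        }
        PrivilegedOperation signalOp = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
        signalOp.appendArgs((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID), Integer.toString(signal.getValue()));
        signalOp.disableFailureLogging();
        try {
            PrivilegedOperationExecutor.getInstance(this.conf).executePrivilegedOperation(null, signalOp, null, null, false, false);
        } catch (PrivilegedOperationException e) {
            throw new ContainerExecutionException("Signal container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    /** @return whether the host PID namespace is allowed by configuration (default false) */
    @Override
    boolean getHostPidNamespaceEnabled() {
        return this.conf.getBoolean("yarn.nodemanager.runtime.linux.runc.host-pid-namespace.allowed", false);
    }

    /** @return whether privileged containers are allowed by configuration (default false) */
    @Override
    boolean getPrivilegedContainersEnabledOnCluster() {
        return this.conf.getBoolean("yarn.nodemanager.runtime.linux.runc.privileged-containers.allowed", false);
    }

    /** @return the live set of allowed container networks loaded in {@code initialize} */
    @Override
    Set<String> getAllowedNetworks() {
        return this.allowedNetworks;
    }

    /** @return the live set of allowed container runtimes loaded in {@code initialize} */
    @Override
    Set<String> getAllowedRuntimes() {
        return this.allowedRuntimes;
    }

    /** @return the ACL loaded from the privileged-containers ACL setting */
    @Override
    AccessControlList getPrivilegedContainersAcl() {
        return this.privilegedContainersAcl;
    }

    /** @return the launch-environment key that requests a PID namespace */
    @Override
    String getEnvOciContainerPidNamespace() {
        return ENV_RUNC_CONTAINER_PID_NAMESPACE;
    }

    /** @return the launch-environment key that requests a privileged container */
    @Override
    String getEnvOciContainerRunPrivilegedContainer() {
        return ENV_RUNC_CONTAINER_RUN_PRIVILEGED_CONTAINER;
    }
}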
