author | Valerij Fredriksen <valerijf@yahooinc.com> | 2021-10-21 14:59:01 +0200 |
---|---|---|
committer | Valerij Fredriksen <valerijf@yahooinc.com> | 2021-10-21 14:59:01 +0200 |
commit | e451ee844990aa6255deaa3546cde1a1aac25e6d (patch) | |
tree | 96313506d6955b5e29b169ebf7d420065ac2e4fc /node-admin | |
parent | 9abe019606f2367b05e4e13d796de65dddf7c449 (diff) |
Add size to UserNamespace
Diffstat (limited to 'node-admin')
6 files changed, 49 insertions, 18 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java index 23a81458134..d26a1fa6019 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContext.java @@ -45,6 +45,8 @@ public interface NodeAgentContext extends TaskContext { /** @return information about the Vespa user inside the container */ VespaUser vespaUser(); + UserNamespace userNamespace(); + default boolean isDisabled(NodeAgentTask task) { return false; }; diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java index 0b1f7f24ced..037bbc56d1d 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentContextImpl.java @@ -104,6 +104,11 @@ public class NodeAgentContextImpl implements NodeAgentContext { } @Override + public UserNamespace userNamespace() { + return containerFs.getUserPrincipalLookupService().userNamespace(); + } + + @Override public boolean isDisabled(NodeAgentTask task) { return disabledNodeAgentTasks.contains(task); } 
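Review bot: The new `UserNamespace userNamespace();` declaration in NodeAgentContext has no Javadoc, while the neighbouring `vespaUser()` documents what it returns; add `/** @return the user namespace (UID/GID mapping between container and host) of this container */` above it. The interface body continues outside the hunk.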
@@ -263,7 +268,7 @@ public class NodeAgentContextImpl implements NodeAgentContext { Objects.requireNonNull(containerStorage, "Must set one of containerStorage or fileSystem"); UserNamespace userNamespace = Optional.ofNullable(this.userNamespace) - .orElseGet(() -> new UserNamespace(100000, 100000)); + .orElseGet(() -> new UserNamespace(100000, 100000, 100000)); VespaUser vespaUser = Optional.ofNullable(this.vespaUser) .orElseGet(() -> new VespaUser("vespa", "vespa", 1000, 100)); ContainerFileSystem containerFs = ContainerFileSystem.create(containerStorage diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespace.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespace.java index 005452411bd..99529b83374 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespace.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespace.java 
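Review bot: The builder default now passes 100000 as the range size, whereas the constant it replaces (`ID_RANGE = 65_536` removed in UserNamespace.java in this same commit) was 65_536, so the default namespace silently accepts container ids 65_536..99_999 that were previously rejected. If the wider default is intended the commit message should say so; otherwise use `.orElseGet(() -> new UserNamespace(100000, 100000, 65_536));`. Either way a named constant such as `DEFAULT_ID_RANGE_SIZE` next to the default offsets would stop three identical-looking magic numbers from being confused with each other. The enclosing build method starts and ends outside the hunk.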
@@ -1,33 +1,35 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.nodeagent; +import java.util.Objects; + /** * @author valerijf */ public class UserNamespace { - /** Total number of UID/GID that are mapped for each container */ - private static final int ID_RANGE = 65_536; // 2^16 - /** * IDs outside the ID range are translated to the overflow ID before being written to disk: - * https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/Documentation/admin-guide/sysctl/fs.rst#overflowgid--overflowuid */ + * https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/Documentation/admin-guide/sysctl/fs.rst#overflowgid--overflowuid + * Real value in /proc/sys/fs/overflowuid or overflowgid, hardcode default value*/ private static final int OVERFLOW_ID = 65_534; private volatile int uidOffset; private volatile int gidOffset; + private final int idRangeSize; - public UserNamespace(int uidOffset, int gidOffset) { + public UserNamespace(int uidOffset, int gidOffset, int idRangeSize) { this.uidOffset = uidOffset; this.gidOffset = gidOffset; + this.idRangeSize = idRangeSize; } - public int userIdOnHost(int containerUid) { return toHostId(containerUid, uidOffset); } - public int groupIdOnHost(int containerGid) { return toHostId(containerGid, gidOffset); } - public int userIdInContainer(int hostUid) { return toContainerId(hostUid, uidOffset); } - public int groupIdInContainer(int hostGid) { return toContainerId(hostGid, gidOffset); } + public int userIdOnHost(int containerUid) { return toHostId(containerUid, uidOffset, idRangeSize); } + public int groupIdOnHost(int containerGid) { return toHostId(containerGid, gidOffset, idRangeSize); } + public int userIdInContainer(int hostUid) { return toContainerId(hostUid, uidOffset, idRangeSize); } + public int groupIdInContainer(int hostGid) { return toContainerId(hostGid, gidOffset, 
idRangeSize); } - public int idRange() { return ID_RANGE; } + public int idRangeSize() { return idRangeSize; } public int overflowId() { return OVERFLOW_ID; } // Remove after migration to mapped namespaces is complete, make fields final @@ -36,14 +38,36 @@ public class UserNamespace { this.gidOffset = idOffset; } - private static int toHostId(int containerId, int idOffset) { - if (containerId < 0 || containerId > ID_RANGE) + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + UserNamespace that = (UserNamespace) o; + return uidOffset == that.uidOffset && gidOffset == that.gidOffset && idRangeSize == that.idRangeSize; + } + + @Override + public int hashCode() { + return Objects.hash(uidOffset, gidOffset, idRangeSize); + } + + @Override + public String toString() { + return "UserNamespace{" + + "uidOffset=" + uidOffset + + ", gidOffset=" + gidOffset + + ", idRangeSize=" + idRangeSize + + '}'; + } + + private static int toHostId(int containerId, int idOffset, int idRangeSize) { + if (containerId < 0 || containerId > idRangeSize) throw new IllegalArgumentException("Invalid container id: " + containerId); return idOffset + containerId; } - private static int toContainerId(int hostId, int idOffset) { + private static int toContainerId(int hostId, int idOffset, int idRangeSize) { hostId = hostId - idOffset; - return hostId < 0 || hostId >= ID_RANGE ? OVERFLOW_ID : hostId; + return hostId < 0 || hostId >= idRangeSize ? OVERFLOW_ID : hostId; } } diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespaceTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespaceTest.java index bb02667a550..20e4bad8c31 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespaceTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/nodeagent/UserNamespaceTest.java 
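Review bot: The new constructor parameter `idRangeSize` is stored without validation, so a zero or negative size yields an object whose `toContainerId` always returns OVERFLOW_ID and whose `toHostId` rejects almost every input, with nothing pointing at the bad configuration; add `if (idRangeSize <= 0) throw new IllegalArgumentException("Invalid id range size: " + idRangeSize);` before the assignment so the failure is reported where the value comes from. The rewritten comment on OVERFLOW_ID reads awkwardly; suggest `Real value is in /proc/sys/fs/overflowuid (or overflowgid); the kernel default is hard-coded here.`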
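Review bot: `toHostId` still accepts `containerId == idRangeSize` (the guard is `containerId > idRangeSize`), while `toContainerId` treats `hostId >= idRangeSize` as outside the range, so the two bounds disagree by one: the host id `idOffset + idRangeSize` is produced but maps back to the overflow id, and if namespaces are allocated back-to-back it is the first id of the neighbouring container's range. Change the guard to `if (containerId < 0 || containerId >= idRangeSize)`. Separately, the new `equals`/`hashCode` include `uidOffset` and `gidOffset`, which are `volatile` and reassigned by the migration-era setter visible in this hunk's context, so an instance used as a map key or set member can change its hash after insertion; either document that the class must not be used as a key until the fields are made final, or base equality only on `idRangeSize` for now.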
@@ -11,7 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows; */ class UserNamespaceTest { - private final UserNamespace userNamespace = new UserNamespace(1000, 2000); + private final UserNamespace userNamespace = new UserNamespace(1000, 2000, 10000); @Test public void translates_between_ids() { diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java index 242a2458f07..932f56f3a60 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java @@ -25,7 +25,7 @@ class ContainerFileSystemTest { private final FileSystem fileSystem = TestFileSystem.create(); private final UnixPath containerRootOnHost = new UnixPath(fileSystem.getPath("/data/storage/ctr1")); - private final UserNamespace userNamespace = new UserNamespace(10_000, 11_000); + private final UserNamespace userNamespace = new UserNamespace(10_000, 11_000, 10000); private final VespaUser vespaUser = new VespaUser("vespa", "users", 1000, 100); private final ContainerFileSystem containerFs = ContainerFileSystem.create( containerRootOnHost.createDirectories().toPath(), userNamespace, vespaUser); diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupServiceTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupServiceTest.java index 9a6e69ce27c..f201f2667cd 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupServiceTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerUserPrincipalLookupServiceTest.java 
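Review bot: The fixture now constructs `UserNamespace(1000, 2000, 10000)` but nothing in the hunk exercises the new size parameter; add a case that pins the upper boundary of the configurable range, e.g. `assertEquals(userNamespace.overflowId(), userNamespace.userIdInContainer(1000 + 10000));` together with the largest container id `userIdOnHost` is meant to accept, so a later change to the bound is caught. The test methods themselves lie outside the hunk.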
@@ -19,7 +19,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows; */ class ContainerUserPrincipalLookupServiceTest { - private final UserNamespace userNamespace = new UserNamespace(10_000, 11_000); + private final UserNamespace userNamespace = new UserNamespace(10_000, 11_000, 10000); private final VespaUser vespaUser = new VespaUser("vespa", "users", 1000, 100); private final ContainerUserPrincipalLookupService userPrincipalLookupService = new ContainerUserPrincipalLookupService(TestFileSystem.create().getUserPrincipalLookupService(), userNamespace, vespaUser); |