package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.tools.offlineImageViewer.PBImageXmlWriter;
import org.apache.hadoop.registry.client.types.AddressTypes;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.yarn.api.CsiAdaptorProtocol;
import org.apache.hadoop.yarn.api.impl.pb.client.CsiAdaptorProtocolPBClientImpl;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.CGroupsHandler;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.ResourceHandlerModule;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.apache.hadoop.yarn.util.csi.CsiConfigUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

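/**
 * Common base for the OCI-style Linux container runtimes (Docker and runC).
 *
 * <p>It carries the policy checks both runtimes share: the admin-defined
 * allow-lists for networks and runtimes, the opt-in gates for the host PID
 * namespace and for privileged containers (cluster switch plus ACL), the
 * hostname and read-only-mount validation, and the CSI adaptor clients used
 * for volume plumbing. Values read from the container's launch environment
 * are application input and are validated; the cluster-level switches and
 * the ACL are administrator policy and take precedence over any request.
 *
 * <p>Several methods are {@code public} although decompiler notes indicate
 * they were {@code protected} upstream; they are kept public so existing
 * callers continue to compile.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public abstract class OCIContainerRuntime implements LinuxContainerRuntime {
    private static final Logger LOG = LoggerFactory.getLogger(OCIContainerRuntime.class);

    /**
     * Hostname accepted for a container: an alphanumeric first character
     * followed by at least one alphanumeric, '_', '.' or '-'. Single-character
     * names are therefore rejected.
     */
    private static final Pattern HOSTNAME_PATTERN = Pattern.compile("^[a-zA-Z0-9][a-zA-Z0-9_.-]+$");

    /**
     * One {@code source:destination[:mode]} entry of a comma-separated user
     * mount list; NUL and ':' are excluded from the path components.
     */
    static final Pattern USER_MOUNT_PATTERN = Pattern.compile("(?<=^|,)([^:\\x00]+):([^:\\x00]+)(:(r[ow]|(r[ow][+])?(r?shared|r?slave|r?private)))?(?:,|$)");

    /** A tmpfs mount target: an absolute path without ':' or NUL. */
    static final Pattern TMPFS_MOUNT_PATTERN = Pattern.compile("^/[^:\\x00]+$");

    /** Port mapping forms: {@code :port}, {@code host:port} or {@code ip:host:port}. */
    static final String PORTS_MAPPING_PATTERN = "^:[0-9]+|^[0-9]+:[0-9]+|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]):[0-9]+:[0-9]+$";

    /** Maximum accepted hostname length, in characters. */
    private static final int HOST_NAME_LENGTH = 64;

    /** Format of runtime-specific env keys: {@code YARN_CONTAINER_RUNTIME_<RUNTIME>_<SUFFIX>}. */
    @InterfaceAudience.Private
    public static final String RUNTIME_PREFIX = "YARN_CONTAINER_RUNTIME_%s_%s";

    /** Env key suffix requesting a PID namespace (only {@code host} is honored). */
    @InterfaceAudience.Private
    public static final String CONTAINER_PID_NAMESPACE_SUFFIX = "CONTAINER_PID_NAMESPACE";

    /** Env key suffix requesting a privileged container. */
    @InterfaceAudience.Private
    public static final String RUN_PRIVILEGED_CONTAINER_SUFFIX = "RUN_PRIVILEGED_CONTAINER";

    /** CSI adaptor clients keyed by driver name; filled by {@link #initiateCsiClients}. */
    private final Map<String, CsiAdaptorProtocol> csiClients;

    /** Networks an application may request; anything else is refused. */
    abstract Set<String> getAllowedNetworks();

    /** Runtimes an application may request; anything else is refused. */
    abstract Set<String> getAllowedRuntimes();

    /** Cluster-wide switch allowing containers to join the host PID namespace. */
    abstract boolean getHostPidNamespaceEnabled();

    /** Cluster-wide switch allowing privileged containers at all. */
    abstract boolean getPrivilegedContainersEnabledOnCluster();

    /** ACL of users permitted to launch privileged containers. */
    abstract AccessControlList getPrivilegedContainersAcl();

    /** Env key carrying the PID namespace request for this runtime. */
    abstract String getEnvOciContainerPidNamespace();

    /** Env key carrying the privileged-container request for this runtime. */
    abstract String getEnvOciContainerRunPrivilegedContainer();

    /**
     * Creates the runtime with the default cgroups handler.
     *
     * @param privilegedOperationExecutor executor for privileged operations
     */
    public OCIContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        this(privilegedOperationExecutor, ResourceHandlerModule.getCGroupsHandler());
    }

    /**
     * Creates the runtime. Neither argument is retained here; subclasses own
     * the executor and cgroups handler.
     *
     * @param privilegedOperationExecutor executor for privileged operations
     * @param cGroupsHandler cgroups handler to use
     */
    public OCIContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor, CGroupsHandler cGroupsHandler) {
        this.csiClients = new HashMap<>();
    }

    /** No-op here; concrete runtimes perform their own initialization. */
    @Override
    public void initialize(Configuration configuration, Context context) throws ContainerExecutionException {
    }

    /**
     * Whether the launch environment asks for either OCI-compliant runtime.
     *
     * @param configuration node manager configuration
     * @param map container launch environment
     * @return true if a Docker or runC container is requested
     */
    public static boolean isOCICompliantContainerRequested(Configuration configuration, Map<String, String> map) {
        return DockerLinuxContainerRuntime.isDockerContainerRequested(configuration, map)
            || RuncContainerRuntime.isRuncContainerRequested(configuration, map);
    }

    /**
     * Resolves a requested read-only mount to the local path of a localized
     * resource, refusing anything that is not a localized resource, is not
     * absolute, or is itself a symbolic link.
     *
     * @param str the mount name requested by the application
     * @param map localized resources: local path to the names it is known by
     * @return the absolute local path to mount
     * @throws ContainerExecutionException if the mount fails any check
     */
    @VisibleForTesting
    public String mountReadOnlyPath(String str, Map<Path, List<String>> map) throws ContainerExecutionException {
        for (Map.Entry<Path, List<String>> resource : map.entrySet()) {
            if (!resource.getValue().contains(str)) {
                continue;
            }
            java.nio.file.Path local = Paths.get(resource.getKey().toString());
            if (!local.isAbsolute()) {
                throw new ContainerExecutionException("Mount must be absolute: " + str);
            }
            // NOTE(review): Files.isSymbolicLink tests only the final path
            // component; a symlink in a parent directory is not detected here.
            if (Files.isSymbolicLink(local)) {
                throw new ContainerExecutionException("Mount cannot be a symlink: " + str);
            }
            return local.toString();
        }
        throw new ContainerExecutionException("Mount must be a localized resource: " + str);
    }

    /** No-op here; concrete runtimes prepare the container themselves. */
    @Override
    public void prepareContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    /**
     * Looks up the numeric uid of a local user via {@code id -u}.
     *
     * @param str the user name
     * @return the uid as a digits-only string (empty if the command printed none)
     * @throws ContainerExecutionException if the command fails
     */
    public String getUserIdInfo(String str) throws ContainerExecutionException {
        // argv form: the user name is a discrete argument, never interpolated
        // into a shell command line.
        Shell.ShellCommandExecutor idCmd =
            new Shell.ShellCommandExecutor(new String[] {"id", "-u", str});
        try {
            idCmd.execute();
            // Keep digits only; drops the trailing newline and any stray text.
            return idCmd.getOutput().replaceAll("[^0-9]", "");
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    /**
     * Looks up the numeric gids of a local user via {@code id -G}.
     *
     * @param str the user name
     * @return the gids, one per array element, as printed by {@code id}
     * @throws ContainerExecutionException if the command fails
     */
    public String[] getGroupIdInfo(String str) throws ContainerExecutionException {
        Shell.ShellCommandExecutor idCmd =
            new Shell.ShellCommandExecutor(new String[] {"id", "-G", str});
        try {
            idCmd.execute();
            return idCmd.getOutput().replace("\n", "").split(" ");
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    /**
     * Rejects a network that is not on the admin allow-list.
     *
     * @param str the requested network
     * @throws ContainerExecutionException if the network is not allowed
     */
    public void validateContainerNetworkType(String str) throws ContainerExecutionException {
        Set<String> allowedNetworks = getAllowedNetworks();
        if (!allowedNetworks.contains(str)) {
            throw new ContainerExecutionException("Disallowed network:  '" + str
                + "' specified. Allowed networks: are " + allowedNetworks.toString());
        }
    }

    /**
     * Rejects a runtime that is not on the admin allow-list. A null or empty
     * value means "default runtime" and is accepted.
     *
     * @param str the requested runtime
     * @throws ContainerExecutionException if the runtime is not allowed
     */
    public void validateContainerRuntimeType(String str) throws ContainerExecutionException {
        if (str == null || str.isEmpty()) {
            return;
        }
        Set<String> allowedRuntimes = getAllowedRuntimes();
        if (!allowedRuntimes.contains(str)) {
            throw new ContainerExecutionException("Disallowed runtime:  '" + str
                + "' specified. Allowed runtimes: are " + allowedRuntimes.toString());
        }
    }

    /**
     * Decides whether the container may share the host PID namespace. The
     * request comes from the launch environment and only the value
     * {@code host} (case-insensitive) is recognized; the request is then
     * honored only if the cluster enables it.
     *
     * @param container the container being launched
     * @return true if the host PID namespace is requested and permitted
     * @throws ContainerExecutionException if requested but disabled on the cluster
     */
    public boolean allowHostPidNamespace(Container container) throws ContainerExecutionException {
        Map<String, String> environment = container.getLaunchContext().getEnvironment();
        String envKey = getEnvOciContainerPidNamespace();
        String requested = environment.get(envKey);
        if (requested == null) {
            return false;
        }
        if (!requested.equalsIgnoreCase("host")) {
            LOG.warn("NOT requesting PID namespace. Value of " + envKey + "is invalid: " + requested);
            return false;
        }
        if (getHostPidNamespaceEnabled()) {
            return true;
        }
        String msg = "Host pid namespace being requested but this is not enabled on this cluster";
        LOG.warn(msg);
        throw new ContainerExecutionException(msg);
    }

    /**
     * Validates a requested container hostname against the OCI pattern and
     * the length limit. Null or empty means "no hostname requested" and passes.
     *
     * @param str the hostname
     * @throws ContainerExecutionException if the hostname is malformed or too long
     */
    public static void validateHostname(String str) throws ContainerExecutionException {
        if (str == null || str.isEmpty()) {
            return;
        }
        if (!HOSTNAME_PATTERN.matcher(str).matches()) {
            throw new ContainerExecutionException("Hostname '" + str + "' doesn't match OCI-compliant hostname pattern");
        }
        if (str.length() > HOST_NAME_LENGTH) {
            throw new ContainerExecutionException("Hostname can not be greater than "
                + HOST_NAME_LENGTH + " characters: " + str);
        }
    }

    /**
     * Decides whether the container may run privileged. A request is honored
     * only if the cluster enables privileged containers and the submitting
     * user passes the privileged-container ACL.
     *
     * @param container the container being launched
     * @return true if privileged execution is requested and permitted
     * @throws ContainerExecutionException if requested but disabled or the user fails the ACL
     */
    public boolean allowPrivilegedContainerExecution(Container container) throws ContainerExecutionException {
        if (!isContainerRequestedAsPrivileged(container)) {
            return false;
        }
        String containerId = container.getContainerId().toString();
        LOG.info("Privileged container requested for : " + containerId);
        if (!getPrivilegedContainersEnabledOnCluster()) {
            String msg = "Privileged container being requested but privileged containers are not enabled on this cluster";
            LOG.warn(msg);
            throw new ContainerExecutionException(msg);
        }
        String user = container.getUser();
        // The ACL is evaluated against the container's user as a remote user;
        // group membership comes from the node's group mapping.
        if (getPrivilegedContainersAcl().isUserAllowed(UserGroupInformation.createRemoteUser(user))) {
            LOG.info("All checks pass. Launching privileged container for : " + containerId);
            return true;
        }
        String denied = "Cannot launch privileged container. Submitting user (" + user + ") fails ACL check.";
        LOG.warn(denied);
        throw new ContainerExecutionException(denied);
    }

    /**
     * Whether the launch environment asks for a privileged container. Any
     * value other than {@code true} (case-insensitive) counts as false.
     *
     * @param container the container being launched
     * @return true if privileged execution is requested
     */
    public boolean isContainerRequestedAsPrivileged(Container container) {
        String requested = container.getLaunchContext().getEnvironment()
            .get(getEnvOciContainerRunPrivilegedContainer());
        return Boolean.parseBoolean(requested);
    }

    /**
     * @return the live map of CSI adaptor clients keyed by driver name
     *         (not a copy; callers must not rely on it being unmodifiable)
     */
    public Map<String, CsiAdaptorProtocol> getCsiClients() {
        return this.csiClients;
    }

    /**
     * Creates one CSI adaptor client per configured driver. Does nothing if
     * no drivers are configured.
     *
     * @param configuration node manager configuration
     * @throws ContainerExecutionException if a driver's adaptor address cannot be resolved
     */
    public void initiateCsiClients(Configuration configuration) throws ContainerExecutionException {
        String[] csiDriverNames = CsiConfigUtils.getCsiDriverNames(configuration);
        if (csiDriverNames == null || csiDriverNames.length == 0) {
            return;
        }
        for (String driver : csiDriverNames) {
            try {
                InetSocketAddress adaptorAddress = CsiConfigUtils.getCsiAdaptorAddressForDriver(driver, configuration);
                LOG.info("Initializing a csi-adaptor-client for csi-adaptor {}, csi-driver {}", adaptorAddress.toString(), driver);
                this.csiClients.put(driver, new CsiAdaptorProtocolPBClientImpl(1L, adaptorAddress, configuration));
            } catch (IOException | YarnException e) {
                // Wrap the cause itself (as getUserIdInfo does) rather than
                // flattening it to e.getMessage(), which loses the stack trace.
                throw new ContainerExecutionException(e);
            }
        }
    }

    /**
     * Builds the env key for a runtime-specific setting.
     *
     * @param str the runtime name, e.g. {@code DOCKER}
     * @param str2 the setting suffix, e.g. {@link #RUN_PRIVILEGED_CONTAINER_SUFFIX}
     * @return the formatted key
     */
    public static String formatOciEnvKey(String str, String str2) {
        return String.format(RUNTIME_PREFIX, str, str2);
    }
}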
