package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.registry.client.api.RegistryConstants;
import org.apache.hadoop.registry.client.binding.RegistryPathUtils;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.yarn.api.ApplicationConstants;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.api.deviceplugin.MountDeviceSpec;
import org.apache.hadoop.yarn.server.nodemanager.api.deviceplugin.MountVolumeSpec;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperation;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.CGroupsHandler;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.ResourceHandlerModule;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerClient;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerCommandExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerExecCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerInspectCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerKillCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerPullCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerRmCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerRunCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerStartCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerVolumeCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.resourceplugin.DockerCommandPlugin;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.resourceplugin.ResourcePlugin;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.volume.csi.ContainerVolumePublisher;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerExecContext;
import org.apache.hadoop.yarn.util.DockerClientConfigHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.class */
public class DockerLinuxContainerRuntime extends OCIContainerRuntime {
    private static final String DEFAULT_PROCFS = "/proc";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_IMAGE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_NETWORK = "YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_NETWORK";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_HOSTNAME = "YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_HOSTNAME";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_MOUNTS = "YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_TMPFS_MOUNTS = "YARN_CONTAINER_RUNTIME_DOCKER_TMPFS_MOUNTS";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_DELAYED_REMOVAL = "YARN_CONTAINER_RUNTIME_DOCKER_DELAYED_REMOVAL";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_PORTS_MAPPING = "YARN_CONTAINER_RUNTIME_DOCKER_PORTS_MAPPING";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_YARN_SYSFS = "YARN_CONTAINER_RUNTIME_YARN_SYSFS_ENABLE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_DOCKER_RUNTIME = "YARN_CONTAINER_RUNTIME_DOCKER_RUNTIME";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_DOCKER_SERVICE_MODE = "YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE";
    private Configuration conf;
    private Context nmContext;
    private DockerClient dockerClient;
    private PrivilegedOperationExecutor privilegedOperationExecutor;
    private String defaultImageName;
    private Boolean defaultImageUpdate;
    private Set<String> allowedNetworks;
    private Set<String> allowedRuntimes;
    private String defaultNetwork;
    private CGroupsHandler cGroupsHandler;
    private AccessControlList privilegedContainersAcl;
    private boolean enableUserReMapping;
    private int userRemappingUidThreshold;
    private int userRemappingGidThreshold;
    private Set<String> capabilities;
    private boolean delayedRemovalAllowed;
    private Set<String> defaultROMounts;
    private Set<String> defaultRWMounts;
    private Set<String> defaultTmpfsMounts;
    private static final Logger LOG = LoggerFactory.getLogger(DockerLinuxContainerRuntime.class);
    public static final String DOCKER_IMAGE_PATTERN = "^(([a-zA-Z0-9.-]+)(:\\d+)?/)?([a-z0-9_./-]+)(:[\\w.-]+)?$";
    private static final Pattern dockerImagePattern = Pattern.compile(DOCKER_IMAGE_PATTERN);

    @InterfaceAudience.Private
    private static final String RUNTIME_TYPE = "DOCKER";

    @InterfaceAudience.Private
    public static final String ENV_OCI_CONTAINER_PID_NAMESPACE = formatOciEnvKey(RUNTIME_TYPE, OCIContainerRuntime.CONTAINER_PID_NAMESPACE_SUFFIX);

    @InterfaceAudience.Private
    public static final String ENV_OCI_CONTAINER_RUN_PRIVILEGED_CONTAINER = formatOciEnvKey(RUNTIME_TYPE, OCIContainerRuntime.RUN_PRIVILEGED_CONTAINER_SUFFIX);

    public static boolean isDockerContainerRequested(Configuration configuration, Map<String, String> map) {
        String str = map == null ? null : map.get(ContainerRuntimeConstants.ENV_CONTAINER_TYPE);
        if (str == null) {
            str = configuration.get(YarnConfiguration.LINUX_CONTAINER_RUNTIME_TYPE);
        }
        return str != null && str.equals(ContainerRuntimeConstants.CONTAINER_RUNTIME_DOCKER);
    }

    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        this(privilegedOperationExecutor, ResourceHandlerModule.getCGroupsHandler());
    }

    @VisibleForTesting
    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor, CGroupsHandler cGroupsHandler) {
        super(privilegedOperationExecutor, cGroupsHandler);
        this.allowedNetworks = new HashSet();
        this.allowedRuntimes = new HashSet();
        this.defaultROMounts = new HashSet();
        this.defaultRWMounts = new HashSet();
        this.defaultTmpfsMounts = new HashSet();
        this.privilegedOperationExecutor = privilegedOperationExecutor;
        if (cGroupsHandler == null) {
            LOG.info("cGroupsHandler is null - cgroups not in use.");
        } else {
            this.cGroupsHandler = cGroupsHandler;
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime, org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime
    public void initialize(Configuration configuration, Context context) throws ContainerExecutionException {
        super.initialize(configuration, context);
        this.nmContext = context;
        this.conf = configuration;
        this.dockerClient = new DockerClient();
        this.allowedNetworks.clear();
        this.allowedRuntimes.clear();
        this.defaultROMounts.clear();
        this.defaultRWMounts.clear();
        this.defaultTmpfsMounts.clear();
        this.defaultImageName = configuration.getTrimmed(YarnConfiguration.NM_DOCKER_IMAGE_NAME, "");
        this.defaultImageUpdate = Boolean.valueOf(configuration.getBoolean(YarnConfiguration.NM_DOCKER_IMAGE_UPDATE, false));
        this.allowedNetworks.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS, YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_NETWORKS)));
        this.defaultNetwork = configuration.getTrimmed(YarnConfiguration.NM_DOCKER_DEFAULT_CONTAINER_NETWORK, "host");
        this.allowedRuntimes.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_RUNTIMES, YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_RUNTIMES)));
        if (!this.allowedNetworks.contains(this.defaultNetwork)) {
            String str = "Default network: " + this.defaultNetwork + " is not in the set of allowed networks: " + this.allowedNetworks;
            if (LOG.isWarnEnabled()) {
                LOG.warn(str + ". Please check configuration");
            }
            throw new ContainerExecutionException(str);
        }
        initiateCsiClients(configuration);
        this.privilegedContainersAcl = new AccessControlList(configuration.getTrimmed(YarnConfiguration.NM_DOCKER_PRIVILEGED_CONTAINERS_ACL, ""));
        this.enableUserReMapping = configuration.getBoolean(YarnConfiguration.NM_DOCKER_ENABLE_USER_REMAPPING, true);
        this.userRemappingUidThreshold = configuration.getInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_UID_THRESHOLD, 1);
        this.userRemappingGidThreshold = configuration.getInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_GID_THRESHOLD, 1);
        this.capabilities = getDockerCapabilitiesFromConf();
        this.delayedRemovalAllowed = configuration.getBoolean(YarnConfiguration.NM_DOCKER_ALLOW_DELAYED_REMOVAL, false);
        this.defaultROMounts.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_DEFAULT_RO_MOUNTS)));
        this.defaultRWMounts.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_DEFAULT_RW_MOUNTS)));
        this.defaultTmpfsMounts.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_DEFAULT_TMPFS_MOUNTS)));
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime
    public boolean isRuntimeRequested(Map<String, String> map) {
        return isDockerContainerRequested(this.conf, map);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.util.Set] */
    private Set<String> getDockerCapabilitiesFromConf() throws ContainerExecutionException {
        HashSet hashSet = new HashSet(Arrays.asList(this.conf.getTrimmedStrings(YarnConfiguration.NM_DOCKER_CONTAINER_CAPABILITIES, YarnConfiguration.DEFAULT_NM_DOCKER_CONTAINER_CAPABILITIES)));
        if (hashSet.contains("none") || hashSet.contains("NONE")) {
            if (hashSet.size() > 1) {
                throw new ContainerExecutionException("Mixing capabilities with the none keyword is not supported");
            }
            hashSet = Collections.emptySet();
        }
        return hashSet;
    }

    public Set<String> getCapabilities() {
        return this.capabilities;
    }

    private String runDockerVolumeCommand(DockerVolumeCommand dockerVolumeCommand, Container container) throws ContainerExecutionException {
        try {
            String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(dockerVolumeCommand, container.getContainerId(), this.nmContext);
            PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
            privilegedOperation.appendArgs(writeCommandToTempFile);
            String executePrivilegedOperation = this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, null, true, false);
            LOG.info("ContainerId=" + container.getContainerId() + ", docker volume output for " + dockerVolumeCommand + ": " + executePrivilegedOperation);
            return executePrivilegedOperation;
        } catch (PrivilegedOperationException e) {
            LOG.error("Error when executing command, command=" + dockerVolumeCommand, e);
            throw new ContainerExecutionException(e);
        } catch (ContainerExecutionException e2) {
            LOG.error("Error when writing command to temp file, command=" + dockerVolumeCommand, e2);
            throw e2;
        }
    }

    private void checkDockerVolumeCreated(DockerVolumeCommand dockerVolumeCommand, Container container) throws ContainerExecutionException {
        DockerVolumeCommand dockerVolumeCommand2 = new DockerVolumeCommand("ls");
        String runDockerVolumeCommand = runDockerVolumeCommand(dockerVolumeCommand2, container);
        String volumeName = dockerVolumeCommand.getVolumeName();
        String driverName = dockerVolumeCommand.getDriverName();
        if (driverName == null) {
            driverName = "local";
        }
        for (String str : runDockerVolumeCommand.split("\n")) {
            String trim = str.trim();
            if (trim.contains(volumeName) && trim.contains(driverName)) {
                LOG.info("Docker volume-name=" + volumeName + " driver-name=" + driverName + " already exists for container=" + container.getContainerId() + ", continue...");
                return;
            }
        }
        String str2 = " Couldn't find volume=" + volumeName + " driver=" + driverName + " for container=" + container.getContainerId() + ", please check error message in log to understand why this happens.";
        LOG.error(str2);
        LOG.debug("All docker volumes in the system, command={}", dockerVolumeCommand2);
        throw new ContainerExecutionException(str2);
    }

    private void setHostname(DockerRunCommand dockerRunCommand, String str, String str2, String str3) throws ContainerExecutionException {
        if (str2.equalsIgnoreCase("host")) {
            if (str3 == null || str3.isEmpty()) {
                return;
            }
            LOG.info("setting hostname in container to: " + str3);
            dockerRunCommand.setHostname(str3);
            return;
        }
        if (str3 == null || str3.isEmpty()) {
            str3 = RegistryPathUtils.encodeYarnID(str);
            String str4 = this.conf.get(RegistryConstants.KEY_DNS_DOMAIN);
            if (str4 != null) {
                str3 = str3 + "." + str4;
            }
            validateHostname(str3);
        }
        LOG.info("setting hostname in container to: " + str3);
        dockerRunCommand.setHostname(str3);
    }

    @VisibleForTesting
    protected void addCGroupParentIfRequired(String str, String str2, DockerRunCommand dockerRunCommand) {
        if (this.cGroupsHandler == null) {
            LOG.debug("cGroupsHandler is null. cgroups are not in use. nothing to do.");
            return;
        }
        if (str.equals("cgroups=none")) {
            LOG.debug("no resource restrictions specified. not using docker's cgroup options");
            return;
        }
        LOG.debug("using docker's cgroups options");
        String str3 = "/" + this.cGroupsHandler.getRelativePathForCGroup(str2);
        LOG.debug("using cgroup parent: {}", str3);
        dockerRunCommand.setCGroupParent(str3);
    }

    private boolean checkUseEntryPoint(Map<String, String> map) {
        String name = ApplicationConstants.Environment.YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE.name();
        return Boolean.parseBoolean(map.get(name) != null ? map.get(name) : System.getenv(name));
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void launchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        Container container = containerRuntimeContext.getContainer();
        ContainerId containerId = container.getContainerId();
        String containerId2 = containerId.toString();
        Map<String, String> environment = container.getLaunchContext().getEnvironment();
        String str = environment.get(ENV_DOCKER_CONTAINER_IMAGE);
        String str2 = environment.get(ENV_DOCKER_CONTAINER_NETWORK);
        String str3 = environment.get(ENV_DOCKER_CONTAINER_HOSTNAME);
        String str4 = environment.get(ENV_DOCKER_CONTAINER_DOCKER_RUNTIME);
        boolean parseBoolean = Boolean.parseBoolean(environment.get(ENV_DOCKER_CONTAINER_DOCKER_SERVICE_MODE));
        boolean z = parseBoolean || checkUseEntryPoint(environment);
        if (str == null || str.isEmpty()) {
            str = this.defaultImageName;
        }
        if (str2 == null || str2.isEmpty()) {
            str2 = this.defaultNetwork;
        }
        validateContainerNetworkType(str2);
        validateHostname(str3);
        validateImageName(str);
        validateContainerRuntimeType(str4);
        if (this.defaultImageUpdate.booleanValue()) {
            pullImageFromRemote(containerId2, str);
        }
        String str5 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        String str6 = str5;
        Path path = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        String[] strArr = null;
        if (this.enableUserReMapping) {
            String userIdInfo = getUserIdInfo(str5);
            strArr = getGroupIdInfo(str5);
            String str7 = strArr[0];
            if (Integer.parseInt(userIdInfo) < this.userRemappingUidThreshold) {
                throw new ContainerExecutionException("uid: " + userIdInfo + " below threshold: " + this.userRemappingUidThreshold);
            }
            for (String str8 : strArr) {
                if (Integer.parseInt(str8) < this.userRemappingGidThreshold) {
                    throw new ContainerExecutionException("gid: " + str8 + " below threshold: " + this.userRemappingGidThreshold);
                }
            }
            str6 = !allowPrivilegedContainerExecution(container) ? userIdInfo + ":" + str7 : (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER);
        }
        List<String> list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.FILECACHE_DIRS);
        List<String> list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOG_DIRS);
        List<String> list3 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER_FILECACHE_DIRS);
        List<String> list4 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.APPLICATION_LOCAL_DIRS);
        Map<Path, List<String>> map = (Map) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCALIZED_RESOURCES);
        DockerRunCommand networkType = new DockerRunCommand(containerId2, str6, str).setNetworkType(str2);
        setHostname(networkType, containerId2, str2, str3);
        if (environment.containsKey(ENV_DOCKER_CONTAINER_PORTS_MAPPING)) {
            for (String str9 : environment.get(ENV_DOCKER_CONTAINER_PORTS_MAPPING).split(",")) {
                if (!Pattern.matches("^:[0-9]+|^[0-9]+:[0-9]+|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]):[0-9]+:[0-9]+$", str9)) {
                    throw new ContainerExecutionException("Invalid port mappings: " + str9);
                }
                networkType.addPortsMapping(str9);
            }
        }
        networkType.setCapabilities(this.capabilities);
        if (str4 != null && !str4.isEmpty()) {
            networkType.addRuntime(str4);
        }
        if (!parseBoolean) {
            networkType.addAllReadWriteMountLocations(list2);
            networkType.addAllReadWriteMountLocations(list4);
            networkType.addAllReadOnlyMountLocations(list);
            networkType.addAllReadOnlyMountLocations(list3);
        }
        if (environment.containsKey(ENV_DOCKER_CONTAINER_MOUNTS)) {
            Matcher matcher = USER_MOUNT_PATTERN.matcher(environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
            if (!matcher.find()) {
                throw new ContainerExecutionException("Unable to parse user supplied mount list: " + environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
            }
            matcher.reset();
            long j = 0;
            while (matcher.find()) {
                j++;
                String group = matcher.group(1);
                if (!Paths.get(group, new String[0]).isAbsolute()) {
                    group = mountReadOnlyPath(group, map);
                }
                String group2 = matcher.group(2);
                String group3 = matcher.group(4);
                if (group3 == null) {
                    group3 = MountDeviceSpec.RW;
                } else if (!group3.startsWith(MountVolumeSpec.READONLYOPTION) && !group3.startsWith(MountDeviceSpec.RW)) {
                    group3 = "rw+" + group3;
                }
                networkType.addMountLocation(group, group2, group3);
            }
            if (j != environment.get(ENV_DOCKER_CONTAINER_MOUNTS).chars().filter(i -> {
                return i == 44;
            }).count() + 1) {
                throw new ContainerExecutionException("Unable to parse some mounts in user supplied mount list: " + environment.get(ENV_DOCKER_CONTAINER_MOUNTS));
            }
        }
        if (this.defaultROMounts != null && !this.defaultROMounts.isEmpty()) {
            for (String str10 : this.defaultROMounts) {
                String[] split = StringUtils.split(str10, ':');
                if (split.length != 2) {
                    throw new ContainerExecutionException("Invalid mount : " + str10);
                }
                networkType.addReadOnlyMountLocation(split[0], split[1]);
            }
        }
        if (this.defaultRWMounts != null && !this.defaultRWMounts.isEmpty()) {
            for (String str11 : this.defaultRWMounts) {
                String[] split2 = StringUtils.split(str11, ':');
                if (split2.length != 2) {
                    throw new ContainerExecutionException("Invalid mount : " + str11);
                }
                networkType.addReadWriteMountLocation(split2[0], split2[1]);
            }
        }
        try {
            new ContainerVolumePublisher(container, container.getCsiVolumesRootDir(), this).publishVolumes().forEach((str12, str13) -> {
                networkType.addReadWriteMountLocation(str12, str13);
            });
            if (environment.containsKey(ENV_DOCKER_CONTAINER_TMPFS_MOUNTS)) {
                for (String str14 : environment.get(ENV_DOCKER_CONTAINER_TMPFS_MOUNTS).split(",")) {
                    if (!TMPFS_MOUNT_PATTERN.matcher(str14).matches()) {
                        throw new ContainerExecutionException("Invalid tmpfs mount : " + str14);
                    }
                    networkType.addTmpfsMount(str14);
                }
            }
            if (this.defaultTmpfsMounts != null && !this.defaultTmpfsMounts.isEmpty()) {
                for (String str15 : this.defaultTmpfsMounts) {
                    if (!TMPFS_MOUNT_PATTERN.matcher(str15).matches()) {
                        throw new ContainerExecutionException("Invalid tmpfs mount : " + str15);
                    }
                    networkType.addTmpfsMount(str15);
                }
            }
            if (allowHostPidNamespace(container)) {
                networkType.setPidNamespace("host");
            }
            if (allowPrivilegedContainerExecution(container)) {
                networkType.setPrivileged();
            }
            addDockerClientConfigToRunCommand(containerRuntimeContext, networkType);
            addCGroupParentIfRequired((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS), containerId2, networkType);
            if (environment.containsKey(ENV_DOCKER_CONTAINER_YARN_SYSFS) && Boolean.parseBoolean(environment.get(ENV_DOCKER_CONTAINER_YARN_SYSFS))) {
                networkType.setYarnSysFS(true);
            }
            List<String> commands = container.getLaunchContext().getCommands();
            if (parseBoolean) {
                commands = Arrays.asList(String.join(" ", commands).split("1>")[0].split(" "));
            }
            if (z) {
                networkType.setOverrideDisabled(true);
                networkType.addEnv(environment);
                networkType.setOverrideCommandWithArgs(commands);
                networkType.disableDetach();
                networkType.setLogDir(container.getLogDir());
            } else {
                ArrayList arrayList = new ArrayList();
                Path path2 = new Path(path, ContainerLaunch.CONTAINER_SCRIPT);
                arrayList.add("bash");
                arrayList.add(path2.toUri().getPath());
                networkType.setContainerWorkDir(path.toString());
                networkType.setOverrideCommandWithArgs(arrayList);
                networkType.detachOnRun();
            }
            if (parseBoolean) {
                networkType.setServiceMode(parseBoolean);
            }
            if (this.enableUserReMapping && !allowPrivilegedContainerExecution(container)) {
                networkType.groupAdd(strArr);
            }
            if (this.nmContext != null && this.nmContext.getResourcePluginManager().getNameToPlugins() != null) {
                Iterator<ResourcePlugin> it = this.nmContext.getResourcePluginManager().getNameToPlugins().values().iterator();
                while (it.hasNext()) {
                    DockerCommandPlugin dockerCommandPluginInstance = it.next().getDockerCommandPluginInstance();
                    if (dockerCommandPluginInstance != null) {
                        DockerVolumeCommand createDockerVolumeCommand = dockerCommandPluginInstance.getCreateDockerVolumeCommand(containerRuntimeContext.getContainer());
                        if (createDockerVolumeCommand != null) {
                            runDockerVolumeCommand(createDockerVolumeCommand, container);
                            if (createDockerVolumeCommand.getSubCommand().equals("create")) {
                                checkDockerVolumeCreated(createDockerVolumeCommand, container);
                            }
                        }
                        dockerCommandPluginInstance.updateDockerRunCommand(networkType, container);
                    }
                }
            }
            PrivilegedOperation buildLaunchOp = buildLaunchOp(containerRuntimeContext, this.dockerClient.writeCommandToTempFile(networkType, containerId, this.nmContext), networkType);
            buildLaunchOp.disableFailureLogging();
            try {
                this.privilegedOperationExecutor.executePrivilegedOperation(null, buildLaunchOp, null, null, false, false);
            } catch (PrivilegedOperationException e) {
                throw new ContainerExecutionException("Launch container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
            }
        } catch (IOException | YarnException e2) {
            throw new ContainerExecutionException("Container requests for volume resource but we are failed to publish volumes on this node");
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void relaunchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        ContainerId containerId = containerRuntimeContext.getContainer().getContainerId();
        String containerId2 = containerId.toString();
        DockerCommandExecutor.DockerContainerStatus containerStatus = DockerCommandExecutor.getContainerStatus(containerId2, this.privilegedOperationExecutor, this.nmContext);
        if (containerStatus == null || !DockerCommandExecutor.isStartable(containerStatus)) {
            throw new ContainerExecutionException("Container is not in a startable state, unable to relaunch: " + containerId2);
        }
        DockerStartCommand dockerStartCommand = new DockerStartCommand(containerId2);
        PrivilegedOperation buildLaunchOp = buildLaunchOp(containerRuntimeContext, this.dockerClient.writeCommandToTempFile(dockerStartCommand, containerId, this.nmContext), dockerStartCommand);
        buildLaunchOp.disableFailureLogging();
        try {
            this.privilegedOperationExecutor.executePrivilegedOperation(null, buildLaunchOp, null, null, false, false);
        } catch (PrivilegedOperationException e) {
            throw new ContainerExecutionException("Relaunch container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void signalContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        ContainerExecutor.Signal signal = (ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL);
        Map<String, String> environment = containerRuntimeContext.getContainer().getLaunchContext().getEnvironment();
        try {
            if (ContainerExecutor.Signal.NULL.equals(signal)) {
                executeLivelinessCheck(containerRuntimeContext);
            } else if (ContainerExecutor.Signal.TERM.equals(signal)) {
                handleContainerStop(containerRuntimeContext.getContainer().getContainerId(), environment);
            } else {
                handleContainerKill(containerRuntimeContext, environment, signal);
            }
        } catch (ContainerExecutionException e) {
            throw new ContainerExecutionException("Signal docker container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void reapContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        DockerVolumeCommand cleanupDockerVolumesCommand;
        handleContainerRemove(containerRuntimeContext.getContainer().getContainerId().toString(), containerRuntimeContext.getContainer().getLaunchContext().getEnvironment());
        if (this.nmContext == null || this.nmContext.getResourcePluginManager().getNameToPlugins() == null) {
            return;
        }
        Iterator<ResourcePlugin> it = this.nmContext.getResourcePluginManager().getNameToPlugins().values().iterator();
        while (it.hasNext()) {
            DockerCommandPlugin dockerCommandPluginInstance = it.next().getDockerCommandPluginInstance();
            if (dockerCommandPluginInstance != null && (cleanupDockerVolumesCommand = dockerCommandPluginInstance.getCleanupDockerVolumesCommand(containerRuntimeContext.getContainer())) != null) {
                runDockerVolumeCommand(cleanupDockerVolumesCommand, containerRuntimeContext.getContainer());
            }
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public IOStreamPair execContainer(ContainerExecContext containerExecContext) throws ContainerExecutionException {
        String containerId = containerExecContext.getContainer().getContainerId().toString();
        DockerExecCommand dockerExecCommand = new DockerExecCommand(containerId);
        dockerExecCommand.setInteractive();
        dockerExecCommand.setTTY();
        ArrayList arrayList = new ArrayList();
        arrayList.add("/bin/" + containerExecContext.getShell());
        arrayList.add("-i");
        dockerExecCommand.setOverrideCommandWithArgs(arrayList);
        String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(dockerExecCommand, ContainerId.fromString(containerId), this.nmContext);
        PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.EXEC_CONTAINER);
        privilegedOperation.appendArgs(writeCommandToTempFile);
        privilegedOperation.disableFailureLogging();
        try {
            IOStreamPair executePrivilegedInteractiveOperation = this.privilegedOperationExecutor.executePrivilegedInteractiveOperation(null, privilegedOperation);
            LOG.info("ContainerId=" + containerId + ", docker exec output for " + dockerExecCommand + ": " + executePrivilegedInteractiveOperation);
            return executePrivilegedInteractiveOperation;
        } catch (InterruptedException e) {
            LOG.warn("InterruptedException executing command: ", e);
            throw new ContainerExecutionException(e.getMessage());
        } catch (PrivilegedOperationException e2) {
            throw new ContainerExecutionException("Execute container interactive shell failed", e2.getExitCode(), e2.getOutput(), e2.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public String[] getIpAndHost(Container container) {
        String str;
        ContainerId containerId = container.getContainerId();
        try {
            String executeDockerInspect = executeDockerInspect(containerId, new DockerInspectCommand(containerId.toString()).getIpAndHost());
            LOG.info("Docker inspect output for " + containerId + ": " + executeDockerInspect);
            String replaceAll = executeDockerInspect.replaceAll("['\"]", "");
            int lastIndexOf = replaceAll.lastIndexOf(44);
            if (lastIndexOf == -1) {
                LOG.error("Incorrect format for ip and host");
                return null;
            }
            String trim = replaceAll.substring(0, lastIndexOf).trim();
            String trim2 = replaceAll.substring(lastIndexOf + 1).trim();
            if (trim.equals("")) {
                try {
                    str = container.getLaunchContext().getEnvironment().get(ENV_DOCKER_CONTAINER_NETWORK);
                    if (str == null || str.isEmpty()) {
                        str = this.defaultNetwork;
                    }
                } catch (NullPointerException e) {
                    str = this.defaultNetwork;
                }
                if (str.equalsIgnoreCase("host")) {
                    try {
                        trim = InetAddress.getLocalHost().getHostAddress();
                    } catch (UnknownHostException e2) {
                        LOG.error("Can not determine IP for container:" + containerId);
                    }
                }
            }
            return new String[]{trim, trim2};
        } catch (PrivilegedOperationException e3) {
            LOG.error("Error when executing command.", e3);
            return null;
        } catch (ContainerExecutionException e4) {
            LOG.error("Error when writing command to temp file", e4);
            return null;
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public String getExposedPorts(Container container) {
        ContainerId containerId = container.getContainerId();
        try {
            return executeDockerInspect(containerId, new DockerInspectCommand(containerId.toString()).getExposedPorts());
        } catch (PrivilegedOperationException e) {
            LOG.error("Error when executing command.", e);
            return null;
        } catch (ContainerExecutionException e2) {
            LOG.error("Error when writing command to temp file", e2);
            return null;
        }
    }

    private PrivilegedOperation buildLaunchOp(ContainerRuntimeContext containerRuntimeContext, String str, DockerCommand dockerCommand) {
        String str2 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        String containerId = containerRuntimeContext.getContainer().getContainerId().toString();
        Path path = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH);
        Path path2 = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        List list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCAL_DIRS);
        List list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOG_DIRS);
        PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.LAUNCH_DOCKER_CONTAINER);
        privilegedOperation.appendArgs(str2, (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.LAUNCH_DOCKER_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.APPID), containerId, path2.toString(), path.toUri().getPath(), ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TOKENS_PATH)).toUri().getPath());
        Path path3 = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_KEYSTORE_PATH);
        Path path4 = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TRUSTSTORE_PATH);
        if (path3 == null || path4 == null) {
            privilegedOperation.appendArgs("--http");
        } else {
            privilegedOperation.appendArgs("--https", path3.toUri().getPath(), path4.toUri().getPath());
        }
        privilegedOperation.appendArgs(((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID_FILE_PATH)).toString(), StringUtils.join('%', (Iterable<?>) list), StringUtils.join('%', (Iterable<?>) list2), str);
        String str3 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.TC_COMMAND_FILE);
        if (str3 != null) {
            privilegedOperation.appendArgs(str3);
        }
        LOG.debug("Launching container with cmd: {}", dockerCommand);
        return privilegedOperation;
    }

    public static void validateImageName(String str) throws ContainerExecutionException {
        if (str == null || str.isEmpty()) {
            throw new ContainerExecutionException("YARN_CONTAINER_RUNTIME_DOCKER_IMAGE not set!");
        }
        if (!dockerImagePattern.matcher(str).matches()) {
            throw new ContainerExecutionException("Image name '" + str + "' doesn't match docker image name pattern");
        }
    }

    public void pullImageFromRemote(String str, String str2) throws ContainerExecutionException {
        long currentTimeMillis = System.currentTimeMillis();
        DockerPullCommand dockerPullCommand = new DockerPullCommand(str2);
        LOG.debug("now pulling docker image. image name: {}, container: {}", str2, str);
        DockerCommandExecutor.executeDockerCommand(dockerPullCommand, str, null, this.privilegedOperationExecutor, false, this.nmContext);
        LOG.debug("pull docker image done with {}ms specnt. image name: {}, container: {}", new Object[]{Long.valueOf(System.currentTimeMillis() - currentTimeMillis), str2, str});
    }

    private void executeLivelinessCheck(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        String str = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PROCFS);
        if (str == null || str.isEmpty()) {
            str = DEFAULT_PROCFS;
        }
        String str2 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID);
        if (!new File(str + File.separator + str2).exists()) {
            throw new ContainerExecutionException("Liveliness check failed for PID: " + str2 + ". Container may have already completed.", PrivilegedOperation.ResultCode.INVALID_CONTAINER_PID.getValue());
        }
    }

    private void handleContainerStop(ContainerId containerId, Map<String, String> map) throws ContainerExecutionException {
        DockerCommandExecutor.DockerContainerStatus dockerContainerStatus = DockerCommandExecutor.DockerContainerStatus.UNKNOWN;
        String signal = ContainerExecutor.Signal.TERM.toString();
        try {
            String trim = executeDockerInspect(containerId, new DockerInspectCommand(containerId.toString()).get(new String[]{DockerInspectCommand.STATUS_TEMPLATE, DockerInspectCommand.STOPSIGNAL_TEMPLATE}, ',')).trim();
            if (!trim.isEmpty()) {
                String[] split = StringUtils.split(trim, ',');
                dockerContainerStatus = DockerCommandExecutor.parseContainerStatus(split[0]);
                if (split.length > 1) {
                    signal = split[1];
                }
            }
            if (DockerCommandExecutor.isStoppable(dockerContainerStatus)) {
                DockerCommandExecutor.executeDockerCommand(new DockerKillCommand(containerId.toString()).setSignal(signal), containerId.toString(), map, this.privilegedOperationExecutor, false, this.nmContext);
            } else {
                LOG.debug("{} status is {}, skipping stop", containerId, dockerContainerStatus);
            }
        } catch (PrivilegedOperationException | ContainerExecutionException e) {
            LOG.debug("{} inspect failed, skipping stop", containerId, e);
        }
    }

    private String executeDockerInspect(ContainerId containerId, DockerInspectCommand dockerInspectCommand) throws ContainerExecutionException, PrivilegedOperationException {
        String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(dockerInspectCommand, containerId, this.nmContext);
        PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
        privilegedOperation.appendArgs(writeCommandToTempFile);
        String executePrivilegedOperation = this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, null, true, false);
        LOG.info("{} : docker inspect output {} ", containerId, executePrivilegedOperation);
        return executePrivilegedOperation;
    }

    private void handleContainerKill(ContainerRuntimeContext containerRuntimeContext, Map<String, String> map, ContainerExecutor.Signal signal) throws ContainerExecutionException {
        Container container = containerRuntimeContext.getContainer();
        try {
            new ContainerVolumePublisher(container, container.getCsiVolumesRootDir(), this).unpublishVolumes();
            boolean parseBoolean = Boolean.parseBoolean(map.get(ENV_DOCKER_CONTAINER_DOCKER_SERVICE_MODE));
            if (isContainerRequestedAsPrivileged(container) || parseBoolean) {
                String containerId = container.getContainerId().toString();
                DockerCommandExecutor.DockerContainerStatus containerStatus = DockerCommandExecutor.getContainerStatus(containerId, this.privilegedOperationExecutor, this.nmContext);
                if (DockerCommandExecutor.isKillable(containerStatus)) {
                    DockerCommandExecutor.executeDockerCommand(new DockerKillCommand(containerId).setSignal(signal.name()), containerId, map, this.privilegedOperationExecutor, false, this.nmContext);
                    return;
                } else {
                    LOG.debug("Container status is {}, skipping kill - {}", containerStatus.getName(), containerId);
                    return;
                }
            }
            PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
            privilegedOperation.appendArgs((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID), Integer.toString(((ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL)).getValue()));
            privilegedOperation.disableFailureLogging();
            try {
                this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, null, false, false);
            } catch (PrivilegedOperationException e) {
                throw new ContainerExecutionException("Signal container failed using signal: " + signal.name(), e.getExitCode(), e.getOutput(), e.getErrorOutput());
            }
        } catch (IOException | YarnException e2) {
            throw new ContainerExecutionException(e2);
        }
    }

    private void handleContainerRemove(String str, Map<String, String> map) throws ContainerExecutionException {
        String str2 = map.get(ENV_DOCKER_CONTAINER_DELAYED_REMOVAL);
        if (this.delayedRemovalAllowed && str2 != null && str2.equalsIgnoreCase("true")) {
            LOG.info("Delayed removal requested and allowed, skipping removal - " + str);
        } else if (DockerCommandExecutor.isRemovable(DockerCommandExecutor.getContainerStatus(str, this.privilegedOperationExecutor, this.nmContext))) {
            DockerCommandExecutor.executeDockerCommand(new DockerRmCommand(str, ResourceHandlerModule.getCgroupsRelativeRoot()), str, map, this.privilegedOperationExecutor, false, this.nmContext);
        }
    }

    private void addDockerClientConfigToRunCommand(ContainerRuntimeContext containerRuntimeContext, DockerRunCommand dockerRunCommand) throws ContainerExecutionException {
        ByteBuffer tokens = containerRuntimeContext.getContainer().getLaunchContext().getTokens();
        if (tokens != null) {
            tokens.rewind();
            if (tokens.hasRemaining()) {
                try {
                    Credentials credentialsFromTokensByteBuffer = DockerClientConfigHandler.getCredentialsFromTokensByteBuffer(tokens);
                    if (credentialsFromTokensByteBuffer.numberOfTokens() > 0) {
                        File file = new File(((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH)).getParent() + "/config.json");
                        try {
                            if (DockerClientConfigHandler.writeDockerCredentialsToPath(file, credentialsFromTokensByteBuffer)) {
                                dockerRunCommand.setClientConfigDir(file.getParent());
                            }
                        } catch (IOException e) {
                            throw new ContainerExecutionException("Unable to write Docker client credentials to " + file);
                        }
                    }
                } catch (IOException e2) {
                    throw new ContainerExecutionException("Unable to read tokens.");
                }
            }
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    boolean getHostPidNamespaceEnabled() {
        return this.conf.getBoolean(YarnConfiguration.NM_DOCKER_ALLOW_HOST_PID_NAMESPACE, false);
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    boolean getPrivilegedContainersEnabledOnCluster() {
        return this.conf.getBoolean(YarnConfiguration.NM_DOCKER_ALLOW_PRIVILEGED_CONTAINERS, false);
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    Set<String> getAllowedNetworks() {
        return this.allowedNetworks;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    Set<String> getAllowedRuntimes() {
        return this.allowedRuntimes;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    AccessControlList getPrivilegedContainersAcl() {
        return this.privilegedContainersAcl;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    String getEnvOciContainerPidNamespace() {
        return ENV_OCI_CONTAINER_PID_NAMESPACE;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.OCIContainerRuntime
    String getEnvOciContainerRunPrivilegedContainer() {
        return ENV_OCI_CONTAINER_RUN_PRIVILEGED_CONTAINER;
    }
}
