package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hbase.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.registry.client.binding.RegistryPathUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperation;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.CGroupsHandler;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.resources.ResourceHandlerModule;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerClient;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerInspectCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerRunCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.docker.DockerStopCommand;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.class */
public class DockerLinuxContainerRuntime implements LinuxContainerRuntime {
    private static final Logger LOG = LoggerFactory.getLogger(DockerLinuxContainerRuntime.class);
    public static final String DOCKER_IMAGE_PATTERN = "^(([a-zA-Z0-9.-]+)(:\\d+)?/)?([a-z0-9_./-]+)(:[\\w.-]+)?$";
    private static final Pattern dockerImagePattern = Pattern.compile(DOCKER_IMAGE_PATTERN);
    public static final String HOSTNAME_PATTERN = "^[a-zA-Z0-9][a-zA-Z0-9_.-]+$";
    private static final Pattern hostnamePattern = Pattern.compile(HOSTNAME_PATTERN);

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_IMAGE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_IMAGE_FILE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE_FILE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_RUN_OVERRIDE_DISABLE = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_NETWORK = "YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_NETWORK";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_HOSTNAME = "YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_HOSTNAME";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_RUN_ENABLE_USER_REMAPPING = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_ENABLE_USER_REMAPPING";

    @InterfaceAudience.Private
    public static final String ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS = "YARN_CONTAINER_RUNTIME_DOCKER_LOCAL_RESOURCE_MOUNTS";
    private Configuration conf;
    private DockerClient dockerClient;
    private PrivilegedOperationExecutor privilegedOperationExecutor;
    private Set<String> allowedNetworks;
    private String defaultNetwork;
    private String cgroupsRootDirectory;
    private CGroupsHandler cGroupsHandler;
    private AccessControlList privilegedContainersAcl;
    private boolean enableUserReMapping;
    private int userRemappingUidThreshold;
    private int userRemappingGidThreshold;
    private Set<String> capabilities;

    public static boolean isDockerContainerRequested(Map<String, String> map) {
        String str;
        return (map == null || (str = map.get(ContainerRuntimeConstants.ENV_CONTAINER_TYPE)) == null || !str.equals("docker")) ? false : true;
    }

    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        this(privilegedOperationExecutor, ResourceHandlerModule.getCGroupsHandler());
    }

    @VisibleForTesting
    public DockerLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor, CGroupsHandler cGroupsHandler) {
        this.allowedNetworks = new HashSet();
        this.privilegedOperationExecutor = privilegedOperationExecutor;
        if (cGroupsHandler == null) {
            LOG.info("cGroupsHandler is null - cgroups not in use.");
        } else {
            this.cGroupsHandler = cGroupsHandler;
            this.cgroupsRootDirectory = cGroupsHandler.getCGroupMountPath();
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime
    public void initialize(Configuration configuration) throws ContainerExecutionException {
        this.conf = configuration;
        this.dockerClient = new DockerClient(configuration);
        this.allowedNetworks.clear();
        this.allowedNetworks.addAll(Arrays.asList(configuration.getTrimmedStrings(YarnConfiguration.NM_DOCKER_ALLOWED_CONTAINER_NETWORKS, YarnConfiguration.DEFAULT_NM_DOCKER_ALLOWED_CONTAINER_NETWORKS)));
        this.defaultNetwork = configuration.getTrimmed(YarnConfiguration.NM_DOCKER_DEFAULT_CONTAINER_NETWORK, "host");
        if (!this.allowedNetworks.contains(this.defaultNetwork)) {
            String str = "Default network: " + this.defaultNetwork + " is not in the set of allowed networks: " + this.allowedNetworks;
            if (LOG.isWarnEnabled()) {
                LOG.warn(str + ". Please check configuration");
            }
            throw new ContainerExecutionException(str);
        }
        this.privilegedContainersAcl = new AccessControlList(configuration.getTrimmed(YarnConfiguration.NM_DOCKER_PRIVILEGED_CONTAINERS_ACL, ""));
        this.enableUserReMapping = configuration.getBoolean(YarnConfiguration.NM_DOCKER_ENABLE_USER_REMAPPING, true);
        this.userRemappingUidThreshold = configuration.getInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_UID_THRESHOLD, 1);
        this.userRemappingGidThreshold = configuration.getInt(YarnConfiguration.NM_DOCKER_USER_REMAPPING_GID_THRESHOLD, 1);
        this.capabilities = getDockerCapabilitiesFromConf();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.util.Set] */
    private Set<String> getDockerCapabilitiesFromConf() throws ContainerExecutionException {
        HashSet hashSet = new HashSet(Arrays.asList(this.conf.getTrimmedStrings(YarnConfiguration.NM_DOCKER_CONTAINER_CAPABILITIES, YarnConfiguration.DEFAULT_NM_DOCKER_CONTAINER_CAPABILITIES)));
        if (hashSet.contains("none") || hashSet.contains("NONE")) {
            if (hashSet.size() > 1) {
                throw new ContainerExecutionException("Mixing capabilities with the none keyword is not supported");
            }
            hashSet = Collections.emptySet();
        }
        return hashSet;
    }

    public Set<String> getCapabilities() {
        return this.capabilities;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public boolean useWhitelistEnv(Map<String, String> map) {
        return false;
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void prepareContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    private void validateContainerNetworkType(String str) throws ContainerExecutionException {
        if (!this.allowedNetworks.contains(str)) {
            throw new ContainerExecutionException("Disallowed network:  '" + str + "' specified. Allowed networks: are " + this.allowedNetworks.toString());
        }
    }

    public static void validateHostname(String str) throws ContainerExecutionException {
        if (str != null && !str.isEmpty() && !hostnamePattern.matcher(str).matches()) {
            throw new ContainerExecutionException("Hostname '" + str + "' doesn't match docker hostname pattern");
        }
    }

    private void setHostname(DockerRunCommand dockerRunCommand, String str, String str2) throws ContainerExecutionException {
        if (str2 == null || str2.isEmpty()) {
            str2 = RegistryPathUtils.encodeYarnID(str);
            validateHostname(str2);
        }
        LOG.info("setting hostname in container to: " + str2);
        dockerRunCommand.setHostname(str2);
    }

    @VisibleForTesting
    protected void addCGroupParentIfRequired(String str, String str2, DockerRunCommand dockerRunCommand) {
        if (this.cGroupsHandler == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("cGroupsHandler is null. cgroups are not in use. nothing to do.");
            }
        } else if (str.equals("cgroups=none")) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("no resource restrictions specified. not using docker's cgroup options");
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("using docker's cgroups options");
            }
            String str3 = "/" + this.cGroupsHandler.getRelativePathForCGroup(str2);
            if (LOG.isDebugEnabled()) {
                LOG.debug("using cgroup parent: " + str3);
            }
            dockerRunCommand.setCGroupParent(str3);
        }
    }

    private boolean allowPrivilegedContainerExecution(Container container) throws ContainerExecutionException {
        String str = container.getLaunchContext().getEnvironment().get(ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER);
        if (str == null) {
            return false;
        }
        if (!str.equalsIgnoreCase("true")) {
            LOG.warn("NOT running a privileged container. Value of YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINERis invalid: " + str);
            return false;
        }
        LOG.info("Privileged container requested for : " + container.getContainerId().toString());
        if (!this.conf.getBoolean(YarnConfiguration.NM_DOCKER_ALLOW_PRIVILEGED_CONTAINERS, false)) {
            LOG.warn("Privileged container being requested but privileged containers are not enabled on this cluster");
            throw new ContainerExecutionException("Privileged container being requested but privileged containers are not enabled on this cluster");
        }
        String user = container.getUser();
        if (this.privilegedContainersAcl.isUserAllowed(UserGroupInformation.createRemoteUser(user))) {
            LOG.info("All checks pass. Launching privileged container for : " + container.getContainerId().toString());
            return true;
        }
        String str2 = "Cannot launch privileged container. Submitting user (" + user + ") fails ACL check.";
        LOG.warn(str2);
        throw new ContainerExecutionException(str2);
    }

    @VisibleForTesting
    protected String validateMount(String str, Map<Path, List<String>> map) throws ContainerExecutionException {
        for (Map.Entry<Path, List<String>> entry : map.entrySet()) {
            if (entry.getValue().contains(str)) {
                java.nio.file.Path path = Paths.get(entry.getKey().toString(), new String[0]);
                if (!path.isAbsolute()) {
                    throw new ContainerExecutionException("Mount must be absolute: " + str);
                }
                if (Files.isSymbolicLink(path)) {
                    throw new ContainerExecutionException("Mount cannot be a symlink: " + str);
                }
                return path.toString();
            }
        }
        throw new ContainerExecutionException("Mount must be a localized resource: " + str);
    }

    private String getUserIdInfo(String str) throws ContainerExecutionException {
        Shell.ShellCommandExecutor shellCommandExecutor = new Shell.ShellCommandExecutor(new String[]{"id", "-u", str});
        try {
            shellCommandExecutor.execute();
            return shellCommandExecutor.getOutput().replaceAll("[^0-9]", "");
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    private String[] getGroupIdInfo(String str) throws ContainerExecutionException {
        Shell.ShellCommandExecutor shellCommandExecutor = new Shell.ShellCommandExecutor(new String[]{"id", "-G", str});
        try {
            shellCommandExecutor.execute();
            return shellCommandExecutor.getOutput().replace("\n", "").split(" ");
        } catch (Exception e) {
            throw new ContainerExecutionException(e);
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void launchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        Container container = containerRuntimeContext.getContainer();
        Map<String, String> environment = container.getLaunchContext().getEnvironment();
        String str = environment.get(ENV_DOCKER_CONTAINER_IMAGE);
        String str2 = environment.get(ENV_DOCKER_CONTAINER_NETWORK);
        String str3 = environment.get(ENV_DOCKER_CONTAINER_HOSTNAME);
        if (str2 == null || str2.isEmpty()) {
            str2 = this.defaultNetwork;
        }
        validateContainerNetworkType(str2);
        validateHostname(str3);
        validateImageName(str);
        String containerId = container.getContainerId().toString();
        String str4 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        String str5 = str4;
        Path path = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        String[] strArr = null;
        if (this.enableUserReMapping) {
            String userIdInfo = getUserIdInfo(str4);
            strArr = getGroupIdInfo(str4);
            String str6 = strArr[0];
            if (Integer.parseInt(userIdInfo) < this.userRemappingUidThreshold) {
                throw new ContainerExecutionException("uid: " + userIdInfo + " below threshold: " + this.userRemappingUidThreshold);
            }
            for (String str7 : strArr) {
                if (Integer.parseInt(str7) < this.userRemappingGidThreshold) {
                    throw new ContainerExecutionException("gid: " + str7 + " below threshold: " + this.userRemappingGidThreshold);
                }
            }
            str5 = userIdInfo + ":" + str6;
        }
        List list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.FILECACHE_DIRS);
        List list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOCAL_DIRS);
        List list3 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOG_DIRS);
        Map<Path, List<String>> map = (Map) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCALIZED_RESOURCES);
        List list4 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER_LOCAL_DIRS);
        DockerRunCommand networkType = new DockerRunCommand(containerId, str5, str).detachOnRun().setContainerWorkDir(path.toString()).setNetworkType(str2);
        setHostname(networkType, containerId, str3);
        networkType.setCapabilities(this.capabilities);
        if (this.cgroupsRootDirectory != null) {
            networkType.addReadOnlyMountLocation(this.cgroupsRootDirectory, this.cgroupsRootDirectory, false);
        }
        ArrayList<String> arrayList = new ArrayList(list2);
        arrayList.addAll(list);
        arrayList.add(path.toString());
        arrayList.addAll(list3);
        arrayList.addAll(list4);
        for (String str8 : arrayList) {
            networkType.addMountLocation(str8, str8, true);
        }
        if (environment.containsKey(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS)) {
            String str9 = environment.get(ENV_DOCKER_CONTAINER_LOCAL_RESOURCE_MOUNTS);
            if (!str9.isEmpty()) {
                for (String str10 : StringUtils.split(str9)) {
                    String[] split = StringUtils.split(str10, ':');
                    if (split.length != 2) {
                        throw new ContainerExecutionException("Invalid mount : " + str10);
                    }
                    networkType.addReadOnlyMountLocation(validateMount(split[0], map), split[1], true);
                }
            }
        }
        if (allowPrivilegedContainerExecution(container)) {
            networkType.setPrivileged();
        }
        addCGroupParentIfRequired((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS), containerId, networkType);
        String str11 = environment.get(ENV_DOCKER_CONTAINER_RUN_OVERRIDE_DISABLE);
        if (str11 == null || !str11.equals("true")) {
            ArrayList arrayList2 = new ArrayList();
            Path path2 = new Path(path, ContainerLaunch.CONTAINER_SCRIPT);
            arrayList2.add("bash");
            arrayList2.add(path2.toUri().getPath());
            networkType.setOverrideCommandWithArgs(arrayList2);
        } else {
            LOG.info("command override disabled");
        }
        if (this.enableUserReMapping) {
            networkType.groupAdd(strArr);
        }
        try {
            this.privilegedOperationExecutor.executePrivilegedOperation(null, buildLaunchOp(containerRuntimeContext, this.dockerClient.writeCommandToTempFile(networkType, containerId), networkType), null, null, false, false);
        } catch (PrivilegedOperationException e) {
            LOG.warn("Launch container failed. Exception: ", e);
            LOG.info("Docker command used: " + networkType);
            throw new ContainerExecutionException("Launch container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void signalContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        PrivilegedOperation privilegedOperation;
        if (ContainerExecutor.Signal.NULL.equals((ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL))) {
            privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.SIGNAL_CONTAINER);
            privilegedOperation.appendArgs((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.SIGNAL_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID), Integer.toString(((ContainerExecutor.Signal) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.SIGNAL)).getValue()));
        } else {
            String containerId = containerRuntimeContext.getContainer().getContainerId().toString();
            String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(new DockerStopCommand(containerId), containerId);
            privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
            privilegedOperation.appendArgs(writeCommandToTempFile);
        }
        privilegedOperation.disableFailureLogging();
        try {
            this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, null, false, false);
        } catch (PrivilegedOperationException e) {
            throw new ContainerExecutionException("Signal container failed", e.getExitCode(), e.getOutput(), e.getErrorOutput());
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void reapContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public String[] getIpAndHost(Container container) {
        String containerId = container.getContainerId().toString();
        try {
            String writeCommandToTempFile = this.dockerClient.writeCommandToTempFile(new DockerInspectCommand(containerId).getIpAndHost(), containerId);
            PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.RUN_DOCKER_CMD);
            privilegedOperation.appendArgs(writeCommandToTempFile);
            String executePrivilegedOperation = this.privilegedOperationExecutor.executePrivilegedOperation(null, privilegedOperation, null, null, true, false);
            LOG.info("Docker inspect output for " + containerId + ": " + executePrivilegedOperation);
            int lastIndexOf = executePrivilegedOperation.lastIndexOf(44);
            if (lastIndexOf != -1) {
                return new String[]{executePrivilegedOperation.substring(0, lastIndexOf).trim(), executePrivilegedOperation.substring(lastIndexOf + 1).trim()};
            }
            LOG.error("Incorrect format for ip and host");
            return null;
        } catch (PrivilegedOperationException e) {
            LOG.error("Error when executing command.", e);
            return null;
        } catch (ContainerExecutionException e2) {
            LOG.error("Error when writing command to temp file", e2);
            return null;
        }
    }

    private PrivilegedOperation buildLaunchOp(ContainerRuntimeContext containerRuntimeContext, String str, DockerRunCommand dockerRunCommand) {
        String str2 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER);
        String containerId = containerRuntimeContext.getContainer().getContainerId().toString();
        Path path = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH);
        Path path2 = (Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR);
        List list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCAL_DIRS);
        List list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOG_DIRS);
        String str3 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS);
        PrivilegedOperation privilegedOperation = new PrivilegedOperation(PrivilegedOperation.OperationType.LAUNCH_DOCKER_CONTAINER);
        privilegedOperation.appendArgs(str2, (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), Integer.toString(PrivilegedOperation.RunAsUserCommand.LAUNCH_DOCKER_CONTAINER.getValue()), (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.APPID), containerId, path2.toString(), path.toUri().getPath(), ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TOKENS_PATH)).toUri().getPath(), ((Path) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.PID_FILE_PATH)).toString(), StringUtils.join('%', (Iterable<?>) list), StringUtils.join('%', (Iterable<?>) list2), str, str3);
        String str4 = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.TC_COMMAND_FILE);
        if (str4 != null) {
            privilegedOperation.appendArgs(str4);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Launching container with cmd: " + dockerRunCommand);
        }
        return privilegedOperation;
    }

    public static void validateImageName(String str) throws ContainerExecutionException {
        if (str == null || str.isEmpty()) {
            throw new ContainerExecutionException("YARN_CONTAINER_RUNTIME_DOCKER_IMAGE not set!");
        }
        if (!dockerImagePattern.matcher(str).matches()) {
            throw new ContainerExecutionException("Image name '" + str + "' doesn't match docker image name pattern");
        }
    }
}
