diff --git a/trustzone/docker/standalone/Dockerfile b/trustzone/docker/standalone/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..7f02375b1cd90e37606529940e79c84aa461bde5
--- /dev/null
+++ b/trustzone/docker/standalone/Dockerfile
@@ -0,0 +1,114 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+FROM openeuler-20.03-lts
+
+ARG spark_uid=185
+
+COPY conf/openEuler.repo /etc/yum.repos.d/
+
+RUN set -ex && \
+    ln -s /lib /lib64 && \
+    dnf install -y gnupg2 wget bash krb5 procps net-tools shadow dpkg tar && \
+    groupadd --system --gid=${spark_uid} spark && \
+    useradd --system --uid=${spark_uid} --gid=spark spark && \
+    dnf install -y python3 python3-pip && \
+    mkdir -p /opt/spark && \
+    mkdir /opt/spark/python && \
+    mkdir -p /opt/spark/examples && \
+    mkdir -p /opt/spark/work-dir && \
+    touch /opt/spark/RELEASE && \
+    chown -R spark:spark /opt/spark && \
+    rm /bin/sh && \
+    ln -sv /bin/bash /bin/sh && \
+    echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && \
+    chgrp root /etc/passwd && chmod ug+rw /etc/passwd && \
+    rm -rf /var/cache/dnf/*
+
+# Grab gosu for easy step-down from root
+ENV GOSU_VERSION 1.14
+
+RUN set -ex; \
+    wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
+    chmod +x /usr/local/bin/gosu; \
+    gosu nobody true
+
+
+# Install Apache Spark
+ENV SPARK_TGZ_URL=https://archive.apache.org/dist/spark/spark-3.1.1/spark-3.1.1-bin-hadoop3.2.tgz \
+    SPARK_TGZ_ASC_URL=https://archive.apache.org/dist/spark/spark-3.1.1/spark-3.1.1-bin-hadoop3.2.tgz.asc
+
+RUN set -ex; \
+    export SPARK_TMP="$(mktemp -d)"; \
+    cd $SPARK_TMP; \
+    wget -nv -O spark.tgz "$SPARK_TGZ_URL"; \
+    \
+    tar -xf spark.tgz --strip-components=1; \
+    chown -R spark:spark .; \
+    mv jars /opt/spark/; \
+    mv bin /opt/spark/; \
+    mv sbin /opt/spark/; \
+    mv kubernetes/dockerfiles/spark/decom.sh /opt/; \
+    mv examples /opt/spark/; \
+    mv kubernetes/tests /opt/spark/; \
+    mv data /opt/spark/; \
+    mv python/pyspark /opt/spark/python/pyspark/; \
+    mv python/lib /opt/spark/python/lib/; \
+    cd ..; \
+    rm -rf "$SPARK_TMP";
+
+COPY entrypoint.sh /opt/
+
+ENV SPARK_HOME /opt/spark
+
+WORKDIR /opt/spark/work-dir
+RUN chmod g+w /opt/spark/work-dir
+RUN chmod a+x /opt/decom.sh
+RUN chmod a+x /opt/entrypoint.sh
+
+# Install bisheng jdk
+ENV JDK_URL=https://mirrors.huaweicloud.com/kunpeng/archive/compiler/bisheng_jdk/bisheng-jdk-8u392-linux-aarch64.tar.gz
+
+RUN set -ex; \
+    cd /usr/local; \
+    wget -nv -O jdk.tar.gz "$JDK_URL"; \
+    tar -xf jdk.tar.gz; \
+    mv bisheng-jdk1.8.0_392 java; \
+    rm -rf /usr/local/jdk.tar.gz
+
+ENV JAVA_HOME /usr/local/java
+ENV PATH /usr/local/java/bin:$PATH
+
+# Install tee os
+COPY *.so /usr/lib64/
+COPY tlogcat agentd tee_teleport /usr/bin/
+
+# replace shell for tee spark
+COPY bin/* /opt/spark/bin/
+COPY sbin/* /opt/spark/sbin/
+
+RUN set -ex; \
+    mkdir -p /home/spark; \
+    mkdir -p /opt/spark/trustzone/master; \
+    mkdir -p /opt/spark/trustzone/worker; \
+    mkdir -p /opt/spark/trustzone/sec; \
+    chmod a+x /opt/spark/sbin/*; \
+    chmod a+x /opt/spark/bin/spark-class
+
+COPY jars.sec /opt/spark/trustzone/sec
+COPY spconf.sec /opt/spark/trustzone/sec
+
+#ENTRYPOINT [ "/opt/entrypoint.sh" ]
\ No newline at end of file
diff --git a/trustzone/docker/standalone/README.md b/trustzone/docker/standalone/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..21bb9e789b8c15c1889af5b94936b00eb79e2235
--- /dev/null
+++ b/trustzone/docker/standalone/README.md
@@ -0,0 +1,121 @@
+Quick Start
+
+1. Prerequisites
+
+   1. The TEE OS environment on the host has been deployed and upgraded to CCOS.
+
+   2. The Java environment inside the TEE OS has been set up.
+
+   3. The teeos + spark image has been prepared.
+
+   Building the tee + spark image on openEuler 20.03:
+   1. Build the image from the Dockerfile: docker build -t spark:test .
+
+   2. The directory layout around the Dockerfile is as follows:
+   .
+   ├── conf
+   │   └── openEuler.repo
+   ├── Dockerfile
+   ├── sec
+   │   ├── jars.sec
+   │   └── spconf.sec
+   ├── sparkshell
+   │   ├── bin
+   │   │   └── spark-class
+   │   └── sbin
+   │       ├── spark-daemon.sh
+   │       ├── stop-master.sh
+   │       ├── stop-worker.sh
+   │       └── tee.sh
+   └── teeosbin
+       ├── agentd
+       ├── libboundscheck.so
+       ├── libsecurec.so
+       ├── libteec.so
+       ├── tee_teleport
+       └── tlogcat
+
+   3. The *.so libraries are copied from /usr/lib64 on the host; agentd, tee_teleport and tlogcat are copied from /usr/bin on the host.
+
+   4. jars.sec and spconf.sec are generated on the host by packaging the Spark jars and conf with python3 pack.py xxx.
+
+   5. The openeuler-20.03-lts base image (aarch64) is available at: https://repo.openeuler.org/openEuler-20.03-LTS/docker_img/aarch64/
+
+2. Start the Standalone master
+
+   ```shell
+   #!/bin/bash
+   set -e
+
+   repo_tag=spark:test
+
+   cat > /home/txdemo/ms.sh < ms.log;tail -f ms.log;"
+   ```
+   The --mount and --device options are required for running a confidential container; host_ip is the IP address on which the master starts and should be adjusted to your environment.
+
+3. Start a Standalone worker
+   ```shell
+   #!/bin/bash
+
+   set -e
+
+   repo_tag=spark:test
+
+   master_ip=`docker inspect -f "{{.NetworkSettings.IPAddress}}" spark-master`
+
+   docker run -it \
+     --mount type=bind,source=/var/itrustee/teecd,target=/var/itrustee/teecd,readonly \
+     --device /dev/teelog:/dev/teelog:wr \
+     --device /dev/tc_ns_cvm:/dev/tc_ns_cvm:wr \
+     --name spark-worker \
+     $repo_tag \
+     sh -c "sh /opt/spark/sbin/start-worker.sh $master_ip:7077 >wk.log;tail -f wk.log;"
+   ```
+4. Submit a job (Spark Pi as an example)
+   ```shell
+   #!/bin/bash
+
+   repo_tag=spark:test
+
+   master_ip=`docker inspect -f "{{.NetworkSettings.IPAddress}}" spark-master`
+
+   cat > /home/runjob.sh <> /etc/passwd
+    else
+        echo "Container ENTRYPOINT failed to add passwd entry for anonymous UID"
+    fi
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  JAVA_HOME=$(java -XshowSettings:properties -version 2>&1 > /dev/null | grep 'java.home' | awk '{print $3}')
+fi
+
+SPARK_CLASSPATH="$SPARK_CLASSPATH:${SPARK_HOME}/jars/*"
+env | grep SPARK_JAVA_OPT_ | sort -t_ -k4 -n | sed 's/[^=]*=\(.*\)/\1/g' > /tmp/java_opts.txt
+readarray -t SPARK_EXECUTOR_JAVA_OPTS < /tmp/java_opts.txt
+
+if [ -n "$SPARK_EXTRA_CLASSPATH" ]; then
+  SPARK_CLASSPATH="$SPARK_CLASSPATH:$SPARK_EXTRA_CLASSPATH"
+fi
+
+if ! [ -z ${PYSPARK_PYTHON+x} ]; then
+    export PYSPARK_PYTHON
+fi
+if ! [ -z ${PYSPARK_DRIVER_PYTHON+x} ]; then
+    export PYSPARK_DRIVER_PYTHON
+fi
+
+# If HADOOP_HOME is set and SPARK_DIST_CLASSPATH is not set, set it here so Hadoop jars are available to the executor.
+# It does not set SPARK_DIST_CLASSPATH if already set, to avoid overriding customizations of this value from elsewhere e.g. Docker/K8s.
+if [ -n "${HADOOP_HOME}" ] && [ -z "${SPARK_DIST_CLASSPATH}" ]; then + export SPARK_DIST_CLASSPATH="$($HADOOP_HOME/bin/hadoop classpath)" +fi + +if ! [ -z ${HADOOP_CONF_DIR+x} ]; then + SPARK_CLASSPATH="$HADOOP_CONF_DIR:$SPARK_CLASSPATH"; +fi + +if ! [ -z ${SPARK_CONF_DIR+x} ]; then + SPARK_CLASSPATH="$SPARK_CONF_DIR:$SPARK_CLASSPATH"; +elif ! [ -z ${SPARK_HOME+x} ]; then + SPARK_CLASSPATH="$SPARK_HOME/conf:$SPARK_CLASSPATH"; +fi + +IS_EXEC=0 +case "$1" in + driver) + shift 1 + CMD=( + "$SPARK_HOME/bin/spark-submit" + --conf "spark.driver.bindAddress=$SPARK_DRIVER_BIND_ADDRESS" + --conf "spark.driver.host=$SPARK_DRIVER_BIND_ADDRESS" + --deploy-mode client + "$@" + ) + ;; + executor) + shift 1 + IS_EXEC=1 + CMD=( + tee_teleport + -r org.apache.spark.executor.CoarseGrainedExecutorBackend.class + -i sessionID.txt + -p "-cp jars/*:jars/spark-core_2.12-3.1.1.jar --driver-url $SPARK_DRIVER_URL --executor-id $SPARK_EXECUTOR_ID --cores $SPARK_EXECUTOR_CORES --app-id $SPARK_APPLICATION_ID --hostname $SPARK_EXECUTOR_POD_IP --resourceProfileId $SPARK_RESOURCE_PROFILE_ID" + --env "sep=:;SPARK_HOME=.:OS=TEE" + ) + ;; + + *) + # Non-spark-on-k8s command provided, proceeding in pass-through mode... + CMD=("$@") + ;; +esac + +# Switch to spark if no USER specified (root by default) otherwise use USER directly +switch_spark_if_root() { + if [ $(id -u) -eq 0 ]; then + echo gosu spark + fi +} + +echo "num : $IS_EXEC" + +if [ "$IS_EXEC" = "1" ]; then + echo "run executor" + tee_teleport -c /opt/spark/trustzone/sec/spconf.sec + tee_teleport -n /opt/spark/trustzone/sec/jars.sec -t code -i sessionID.txt + echo "tee cmd is : ${CMD[@]}" + exec "${CMD[@]}" +else + exec $(switch_spark_if_root) "${CMD[@]}" +fi \ No newline at end of file diff --git a/trustzone/docker/standalone/executor.yaml b/trustzone/docker/standalone/executor.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2606cdfe741168d68dfd1efccce01d877c10c8b0 --- /dev/null +++ b/trustzone/docker/standalone/executor.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: spark-executor + labels: + app: spark-executor +spec: + containers: + - name: spark-executor + volumeMounts: + - mountPath: /dev/teelog + name: teelog + - mountPath: /dev/tc_ns_cvm + name: cvm + - mountPath: /var/itrustee + name: itrustee + securityContext: + privileged: true + # image: sp:test + #imagePullPolicy: IfNotPresent + #command: [ "/bin/bash", "-c", "--" ] + #args: [ "while true; do sleep 30; done;" ] + volumes: + - name: teelog + hostPath: + path: /dev/teelog + - name: cvm + hostPath: + path: /dev/tc_ns_cvm + - name: itrustee + hostPath: + path: /var/itrustee diff --git a/trustzone/docker/standalone/sbin/tee.sh b/trustzone/docker/standalone/sbin/tee.sh index 105dcfe1a1c033ceaf1403820d05a56c5326fb11..d79e666513fdc584ca29b498409adb1ade5065af 100644 --- a/trustzone/docker/standalone/sbin/tee.sh +++ b/trustzone/docker/standalone/sbin/tee.sh @@ -53,6 +53,9 @@ tee_teleport -c ${SPARK_HOME}/trustzone/sec/spconf.sec tee_teleport -n ${SPARK_HOME}/trustzone/sec/jars.sec -t code -i sessionID.txt echo "put spark sec success" +#create log dir +mkdir -p /home/spark/log/ + #todo read env from conf P_ENV='sep=:;' if [ "$P_TYPE" = "master" ]; then diff --git "a/trustzone/files/TEE OS-Spark\344\275\277\347\224\250.docx" "b/trustzone/files/TEE OS-Spark\344\275\277\347\224\250.docx" new file mode 100644 index 0000000000000000000000000000000000000000..7729ed08348bcd96ea687d6b329bf5ee32dc401a Binary files /dev/null and "b/trustzone/files/TEE 
OS-Spark\344\275\277\347\224\250.docx" differ diff --git a/trustzone/files/jars/commons-crypto-1.1.0.jar b/trustzone/files/jars/commons-crypto-1.1.0.jar new file mode 100644 index 0000000000000000000000000000000000000000..cfe0cdd41ffa3f5f8ef7a2b59ce4615c0e9db47f Binary files /dev/null and b/trustzone/files/jars/commons-crypto-1.1.0.jar differ diff --git a/trustzone/files/jars/hadoop-common-3.2.0.jar b/trustzone/files/jars/hadoop-common-3.2.0.jar new file mode 100644 index 0000000000000000000000000000000000000000..9919ccfe2b980d5b30932e0e34131a6c7e369c94 Binary files /dev/null and b/trustzone/files/jars/hadoop-common-3.2.0.jar differ diff --git a/trustzone/files/jars/jline-2.14.6.jar b/trustzone/files/jars/jline-2.14.6.jar new file mode 100644 index 0000000000000000000000000000000000000000..fa0198b1a8154ad079cf468a668ccb90c80fa040 Binary files /dev/null and b/trustzone/files/jars/jline-2.14.6.jar differ diff --git a/trustzone/files/jars/leveldbjni-all-1.8.jar b/trustzone/files/jars/leveldbjni-all-1.8.jar new file mode 100644 index 0000000000000000000000000000000000000000..32576dab01e17bdd514b34b6c91a15bc4ed13d20 Binary files /dev/null and b/trustzone/files/jars/leveldbjni-all-1.8.jar differ diff --git a/trustzone/files/jars/lz4-java-1.7.1.jar b/trustzone/files/jars/lz4-java-1.7.1.jar new file mode 100644 index 0000000000000000000000000000000000000000..8b3082b4a1c6c6681cfe5f009beea69f9a39576b Binary files /dev/null and b/trustzone/files/jars/lz4-java-1.7.1.jar differ diff --git a/trustzone/files/jars/netty-all-4.1.51.Final.jar b/trustzone/files/jars/netty-all-4.1.51.Final.jar new file mode 100644 index 0000000000000000000000000000000000000000..efa5c40c02a981f23704d6fd46b8f8f9b724da32 Binary files /dev/null and b/trustzone/files/jars/netty-all-4.1.51.Final.jar differ diff --git a/trustzone/files/jars/scala-compiler-2.12.10.jar b/trustzone/files/jars/scala-compiler-2.12.10.jar new file mode 100644 index 0000000000000000000000000000000000000000..3482e0124f85b980bdac159cd1d128829a4c91c7 Binary files /dev/null and b/trustzone/files/jars/scala-compiler-2.12.10.jar differ diff --git a/trustzone/files/jars/snappy-java-1.1.8.2.jar b/trustzone/files/jars/snappy-java-1.1.8.2.jar new file mode 100644 index 0000000000000000000000000000000000000000..c33314142fd79e904bd1f85f026ecf46b2cacd29 Binary files /dev/null and b/trustzone/files/jars/snappy-java-1.1.8.2.jar differ diff --git a/trustzone/files/jars/spark-core_2.12-3.1.1.jar b/trustzone/files/jars/spark-core_2.12-3.1.1.jar new file mode 100644 index 0000000000000000000000000000000000000000..3a6852c90e4ba12b059c9b578a6f1d31b9970643 Binary files /dev/null and b/trustzone/files/jars/spark-core_2.12-3.1.1.jar differ diff --git a/trustzone/files/jars/spark-network-common_2.12-3.1.1.jar b/trustzone/files/jars/spark-network-common_2.12-3.1.1.jar new file mode 100644 index 0000000000000000000000000000000000000000..b01c3de2a2ca9474027ae478ce75fe88abdcbb24 Binary files /dev/null and b/trustzone/files/jars/spark-network-common_2.12-3.1.1.jar differ diff --git a/trustzone/files/jars/spark-sql-example-1.0-printstack.jar b/trustzone/files/jars/spark-sql-example-1.0-printstack.jar new file mode 100644 index 0000000000000000000000000000000000000000..35c9653d3f3d956338aa439589e03acb786351e0 Binary files /dev/null and b/trustzone/files/jars/spark-sql-example-1.0-printstack.jar differ diff --git a/trustzone/files/jars/zstd-jni-1.4.8-1.jar b/trustzone/files/jars/zstd-jni-1.4.8-1.jar new file mode 100644 index 
0000000000000000000000000000000000000000..197f30e818c02b9a250c16ab59d8ce5b372a5bec Binary files /dev/null and b/trustzone/files/jars/zstd-jni-1.4.8-1.jar differ diff --git a/trustzone/files/python/daemon.py b/trustzone/files/python/daemon.py new file mode 100644 index 0000000000000000000000000000000000000000..ca68d78c2ca87ba53f97f55f314e7a5dd444c3ef --- /dev/null +++ b/trustzone/files/python/daemon.py @@ -0,0 +1,220 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +import numbers +import os +import signal +import select +import socket +import sys +import traceback +import time +import gc +from errno import EINTR, EAGAIN +from socket import AF_INET, SOCK_STREAM, SOMAXCONN +from signal import SIGHUP, SIGTERM, SIGCHLD, SIG_DFL, SIG_IGN, SIGINT + +from pyspark.worker import main as worker_main +from pyspark.serializers import read_int, write_int, write_with_length, UTF8Deserializer + + +def compute_real_exit_code(exit_code): + # SystemExit's code can be integer or string, but os._exit only accepts integers + if isinstance(exit_code, numbers.Integral): + return exit_code + else: + return 1 + + +def worker(sock, authenticated): + """ + Called by a worker process after the fork(). + """ + signal.signal(SIGHUP, SIG_DFL) + signal.signal(SIGCHLD, SIG_DFL) + signal.signal(SIGTERM, SIG_DFL) + # restore the handler for SIGINT, + # it's useful for debugging (show the stacktrace before exit) + signal.signal(SIGINT, signal.default_int_handler) + + # Read the socket using fdopen instead of socket.makefile() because the latter + # seems to be very slow; note that we need to dup() the file descriptor because + # otherwise writes also cause a seek that makes us miss data on the read side. 
+ buffer_size = int(os.environ.get("SPARK_BUFFER_SIZE", 65536)) + infile = os.fdopen(os.dup(sock.fileno()), "rb", buffer_size) + outfile = os.fdopen(os.dup(sock.fileno()), "wb", buffer_size) + + if not authenticated: + client_secret = UTF8Deserializer().loads(infile) + if os.environ["PYTHON_WORKER_FACTORY_SECRET"] == client_secret: + write_with_length("ok".encode("utf-8"), outfile) + outfile.flush() + else: + write_with_length("err".encode("utf-8"), outfile) + outfile.flush() + sock.close() + return 1 + + exit_code = 0 + try: + worker_main(infile, outfile) + except SystemExit as exc: + exit_code = compute_real_exit_code(exc.code) + finally: + try: + outfile.flush() + except Exception: + pass + return exit_code + + +def manager(): + # Create a new process group to corral our children + os.setpgid(0, 0) + + # Create a listening socket on the AF_INET loopback interface + listen_sock = socket.socket(AF_INET, SOCK_STREAM) + listen_sock.bind(('127.0.0.1', 0)) + listen_sock.listen(max(1024, SOMAXCONN)) + listen_host, listen_port = listen_sock.getsockname() + + # re-open stdin/stdout in 'wb' mode + stdin_bin = os.fdopen(sys.stdin.fileno(), 'rb', 4) + stdout_bin = os.fdopen(sys.stdout.fileno(), 'wb', 4) + write_int(listen_port, stdout_bin) + stdout_bin.flush() + + def shutdown(code): + signal.signal(SIGTERM, SIG_DFL) + # Send SIGHUP to notify workers of shutdown + os.kill(0, SIGHUP) + sys.exit(code) + + def handle_sigterm(*args): + shutdown(1) + signal.signal(SIGTERM, handle_sigterm) # Gracefully exit on SIGTERM + signal.signal(SIGHUP, SIG_IGN) # Don't die on SIGHUP + signal.signal(SIGCHLD, SIG_IGN) + + reuse = os.environ.get("SPARK_REUSE_WORKER") + + # Initialization complete + try: + while True: + try: + ready_fds = select.select([0, listen_sock], [], [], 1)[0] + except select.error as ex: + if ex[0] == EINTR: + continue + else: + raise + + if 0 in ready_fds: + try: + worker_pid = read_int(stdin_bin) + except EOFError: + # Spark told us to exit by closing stdin + shutdown(0) + try: + os.kill(worker_pid, signal.SIGKILL) + except OSError: + pass # process already died + + if listen_sock in ready_fds: + try: + sock, _ = listen_sock.accept() + except OSError as e: + if e.errno == EINTR: + continue + raise + + child_sock = sock.dup() + # Launch a worker process + try: + pid = os.fork() + except OSError as e: + if e.errno in (EAGAIN, EINTR): + time.sleep(1) + pid = os.fork() # error here will shutdown daemon + else: + outfile = sock.makefile(mode='wb') + write_int(e.errno, outfile) # Signal that the fork failed + outfile.flush() + outfile.close() + sock.close() + continue + + if pid == 0: + # in child process + + # It should close the standard input in the child process so that + # Python native function executions stay intact. + # + # Note that if we just close the standard input (file descriptor 0), + # the lowest file descriptor (file descriptor 0) will be allocated, + # later when other file descriptors should happen to open. + # + # Therefore, here we redirects it to '/dev/null' by duplicating + # another file descriptor for '/dev/null' to the standard input (0). + # See SPARK-26175. 
+                    devnull = open(os.devnull, 'r')
+                    os.dup2(devnull.fileno(), 0)
+                    devnull.close()
+                    time.sleep(1)
+                    child_real_sock = child_sock.dup()
+
+                    try:
+                        # Acknowledge that the fork was successful
+                        outfile = child_real_sock.makefile(mode="wb")
+                        write_int(os.getpid(), outfile)
+                        outfile.flush()
+                        outfile.close()
+                        authenticated = False
+
+                        while True:
+                            code = worker(child_real_sock, authenticated)
+                            if code == 0:
+                                authenticated = True
+                            if not reuse or code:
+                                # wait for closing
+                                try:
+                                    while child_real_sock.recv(1024):
+                                        pass
+                                except Exception:
+                                    pass
+                                break
+                            gc.collect()
+                    except:
+                        traceback.print_exc()
+                        child_real_sock.close()
+                        os._exit(1)
+                    else:
+                        child_real_sock.close()
+                        os._exit(0)
+                else:
+                    sock.close()
+    except Exception as e:
+        sock.close()
+        listen_sock.close()
+    finally:
+        sock.close()
+        listen_sock.close()
+        shutdown(1)
+
+
+if __name__ == '__main__':
+    manager()
diff --git a/trustzone/hook/README.md b/trustzone/hook/README.md
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..c67938c9e213be6be1b5dd1c32ee6c327e97abc0 100644
--- a/trustzone/hook/README.md
+++ b/trustzone/hook/README.md
@@ -0,0 +1,17 @@
+How to use the hook on a single machine
+1. Create a log file in the environment (e.g. touch /home/posix.log), then edit LOG_PATH in the hook.c file under the bin directory so that it points to the created log file (e.g. #define LOG_PATH "/home/posix.log")
+2. Edit the build.sh file under the bin directory and add the method you want to test (trace); the run_example method in it can serve as a reference, add your own test method at the commented location
+3. Run sh build.sh; the script generates libhook.so, captures all system-call interfaces invoked during execution, and records the results in the log file configured in hook.c
+
+Hooking a distributed Spark job
+Precondition: no Spark cluster may already be running in the environment (if one is running, stop it first)
+1. Edit LOG_PATH on line 16 of the hook.c file under the bin directory and set it to the log file path (e.g. #define LOG_PATH "/home/posix.log")
+2. Edit build.sh and comment out run_example on line 35 (i.e. change run_example to #run_example)
+3. Run sh build.sh; when the script finishes, libhook.so is generated in the current directory
+4. Copy the generated libhook.so to every node (e.g. to the /home directory of the master and worker nodes)
+5. Edit the conf/spark-env.sh file under the Spark installation directory on the master and worker nodes and append export LD_PRELOAD=/home/libhook.so at the end (the libhook.so path written here must match the path used in step 4)
+6. Start the Spark cluster from the master node (run ./start-all.sh in the sbin folder of the Spark installation directory)
+7. Run a distributed Spark job from the master node
+8. While the distributed job runs, posix.log is generated under /home on both the master and worker nodes; this file contains the hooked interfaces
+
+PS: to stop hooking, remove export LD_PRELOAD=/home/libhook.so from the conf/spark-env.sh file under the Spark installation directory on the master and worker nodes, then stop the Spark cluster (run ./stop-all.sh in the sbin folder of the Spark installation directory)
\ No newline at end of file
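
The hook described in trustzone/hook/README.md relies on LD_PRELOAD interposition: libhook.so defines functions with the same names as the libc wrappers, the dynamic linker resolves calls to them ahead of libc, and each wrapper logs the call before forwarding it to the real implementation. The sketch below illustrates the idea for a single call, open(). It is a minimal example only; the actual bin/hook.c presumably wraps many more POSIX interfaces and may format its log differently, and only the LOG_PATH value and the general mechanism are taken from the README above.

```c
/* Minimal LD_PRELOAD sketch in the spirit of bin/hook.c (illustrative only). */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

#define LOG_PATH "/home/posix.log"   /* the log file created in step 1 */

typedef int (*open_fn)(const char *, int, ...);

int open(const char *pathname, int flags, ...)
{
    /* Resolve the real libc open() on first use. */
    static open_fn real_open = NULL;
    if (real_open == NULL) {
        real_open = (open_fn)dlsym(RTLD_NEXT, "open");
    }

    /* Append one line per call; going through real_open() directly keeps
     * the hook from recursing into itself via fopen(). */
    int log_fd = real_open(LOG_PATH, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (log_fd >= 0) {
        char line[512];
        int len = snprintf(line, sizeof(line), "open(%s)\n", pathname);
        if (len > 0) {
            size_t n = (size_t)len < sizeof(line) ? (size_t)len : sizeof(line) - 1;
            ssize_t unused = write(log_fd, line, n);
            (void)unused;
        }
        close(log_fd);
    }

    /* Forward to the real open(), preserving the optional mode argument. */
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode_t mode = va_arg(ap, mode_t);
        va_end(ap);
        return real_open(pathname, flags, mode);
    }
    return real_open(pathname, flags);
}
```

Built with something along the lines of gcc -shared -fPIC -o libhook.so hook.c -ldl (presumably what build.sh does), the library is then activated exactly as in step 5 above, via export LD_PRELOAD=/home/libhook.so.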