hadoop-yarn-dev mailing list archives

From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-6456) Isolation of Docker containers In LinuxContainerExecutor
Date Sat, 08 Apr 2017 01:53:41 GMT
Miklos Szegedi created YARN-6456:

             Summary: Isolation of Docker containers In LinuxContainerExecutor
                 Key: YARN-6456
                 URL: https://issues.apache.org/jira/browse/YARN-6456
             Project: Hadoop YARN
          Issue Type: Bug
          Components: nodemanager
            Reporter: Miklos Szegedi

One reason to use Docker containers is to be able to isolate different workloads, even if
they run as the same user.
I have noticed some issues in the current design:
1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}}
and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify
the files of another container. I think the application file cache directory should be enough
for the container to run in most cases.
2. The whole cgroups directory is mounted. Would the container directory be enough?
3. There is no way to enforce exclusive use of Docker for all containers. There should be
an option so that it is not the user but the admin who requires the use of Docker.

This message was sent by Atlassian JIRA

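An added example, not part of the original message or of Hadoop's code: a small audit check that flags bind mounts wider than what one container needs, which is the condition points 1 and 2 of the report describe. The mount records follow the shape of the `Mounts` array in `docker inspect` output; the leading `/`, the `container_example_01` directory name and the cgroup path are assumptions made for the sample.

```python
from pathlib import PurePosixPath

# Constructed sample data. APP reuses the application directory quoted in the
# report; the container directory name and cgroup path are assumed.
APP = "/nm-local-dir/usercache/user/appcache/application_1491598755372_0011"
NEEDED = [
    APP + "/container_example_01",                          # this container's work dir
    "/sys/fs/cgroup/cpu/hadoop-yarn/container_example_01",  # this container's cgroup
]
SAMPLE_MOUNTS = [
    {"Source": "/nm-local-dir/usercache/user", "RW": True},  # userLocalDirs
    {"Source": APP, "RW": True},                             # containerLocalDirs
    {"Source": APP + "/container_example_01", "RW": True},   # exactly what is needed
    {"Source": "/sys/fs/cgroup", "RW": False},               # whole cgroups tree
]


def overbroad_mounts(mounts, needed):
    """Return (source, mode, needed_path) for every mount whose source is a
    strict ancestor of a path the container needs. Such a mount also exposes
    the sibling directories that live under the same parent."""
    needed_paths = [PurePosixPath(p) for p in needed]
    findings = []
    for mount in mounts:
        source = PurePosixPath(mount["Source"])
        # `parents` excludes the path itself, so an exact match is not flagged.
        covered = [n for n in needed_paths if source in n.parents]
        if covered:
            mode = "rw" if mount.get("RW") else "ro"
            findings.append((str(source), mode, str(covered[0])))
    return findings


if __name__ == "__main__":
    for source, mode, needed_path in overbroad_mounts(SAMPLE_MOUNTS, NEEDED):
        print(f"{source} ({mode}) is wider than {needed_path}")
```
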