hadoop-yarn-issues mailing list archives

From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager
Date Mon, 14 Nov 2016 04:24:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15662718#comment-15662718 ]

Varun Vasudev commented on YARN-5280:
-------------------------------------

Thanks for the patch [~gphillips]. My apologies for the late comments - 
1)
{code}
   @Override
+  public void writeLaunchEnv(OutputStream out, Map<String, String> environment,
+      Map<Path, List<String>> resources, List<String> command, Path logDir,
+      String user) throws IOException {
+    try {
+      linuxContainerRuntime.prepareContainer(environment, resources, command);
+    } catch (ContainerExecutionException e) {
+      throw new IOException("Unable to prepare container: ", e);
+    }
+    super.writeLaunchEnv(out, environment, resources, command, logDir, user);
+  }
+
{code}
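
Review bot: In the catch block, ContainerExecutionException is rethrown as IOException, so a caller of writeLaunchEnv cannot tell a runtime preparation failure from a failure writing the launch script, and the message "Unable to prepare container: " ends in a dangling colon even though the cause is already chained. Consider dropping the trailing ": " and adding a comment on the override stating why linuxContainerRuntime.prepareContainer(...) has to run before super.writeLaunchEnv(...), since nothing in the method name suggests that side effect.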

Can you please explain why you need this block? prepareContainer is really not meant to be
called as part of the writeLaunchEnv

2)
{code}
+        linuxContainerRuntime.reapContainer(runtimeContext);
{code}
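
Review bot: The added linuxContainerRuntime.reapContainer(runtimeContext) line is shown without its surrounding lines, so it is not visible whether it runs when the launch fails or only on the success path. If it is meant as cleanup, say so in a comment and place it where both paths reach it, for example in a finally block.
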
Similar to the above - any reason why you’re calling reapContainer as part of the launchContainer
call?

3)
{code}
-  public void prepareContainer(ContainerRuntimeContext ctx)
+  public void prepareContainer(Map<String, String> environment,
+      Map<Path, List<String>> resources, List<String> command)
       throws ContainerExecutionException {
     //nothing to do here at the moment.
   }
{code}
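
Review bot: The signature on the + lines drops the ContainerRuntimeContext ctx parameter rather than adding an overload, so every existing implementation and caller of prepareContainer(ContainerRuntimeContext) stops compiling, while the body shown still does nothing with the three new arguments. Keeping prepareContainer(ContainerRuntimeContext ctx) and carrying environment, resources and command in the context avoids that; if the new parameters stay, document whether implementations are allowed to modify the maps and list they receive.
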
Please don’t change these interfaces. ContainerExecutor interfaces are a public interface
to allow users to plug their own implementations. If some field is missing, please add it
to the context.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential to add instability into the cluster. The Java Security Manager can be used to prevent users from running privileged actions while still allowing their core data processing use cases.
>
> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security Manager for user code, while still providing complete permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
