hadoop-yarn-issues mailing list archives

From "Sidharta Seethana (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager
Date Tue, 15 Nov 2016 00:05:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665449#comment-15665449 ]

Sidharta Seethana commented on YARN-5280:
-----------------------------------------

YARN-3853 added the ContainerRuntime interface. The objective of adding the ‘prepareContainer()’
and ‘reapContainer()’ methods was to provide finer-grained control of the container lifecycle
(and at some point add corresponding instrumentation to track where time is spent in the container
lifecycle). Using docker containers as an example, ‘prepareContainer()’ could be hooked
into docker ‘create’ (and maybe even image localization). reapContainer() could be used
for (optional) post complete container deletion. 

Once container runtimes were introduced, the interaction with resource handlers got a bit
… trickier. Right now, the same cgroups-based resource handlers can be used across the ‘default’
and ‘docker’ container runtimes (mainly due to docker’s cgroup-parent support). In this
case, ‘postExecute()’ is used to clean up the container cgroups created by YARN and ‘reapContainer()’
could be used to clean up/remove the container itself.  
I hope that helps.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential to add instability into the cluster. The Java Security Manager can be used to prevent users from running privileged actions while still allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security Manager for user code, while still providing complete permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

