hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager
Date Thu, 17 Nov 2016 15:34:59 GMT

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15673999#comment-15673999

Varun Vasudev commented on YARN-5280:

The difficulty arises when moving the functionality from prepareContainer to launchContainer.
In particular I need to modify the actual java run command instead of the container launch
command. The only way I have found to modify the run command found within the launch_container.sh
is through the LinuxContainerExecutor#writeLaunchEnv. A method which links the LinuxContainerExecutor
with the ContainerRuntime prior to the environment being written seems necessary for this
feature. I am very interested in your thoughts on this matter.

Ah you're correct. I missed this. How about we add a new method called prepareContainer in
the ContainerExecutor base class which does nothing by default and override it in the LinuxContainerExecutor
class to call the runtime's prepareContainer method? We can call this method before we call
writeLaunchEnv. That should solve your requirement, correct?

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch,
YARN-5280.patch, YARNContainerSandbox.pdf
> YARN applications have the ability to perform privileged actions which have the potential
to add instability into the cluster. The Java Security Manager can be used to prevent users
from running privileged actions while still allowing their core data processing use cases.

> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security
Manager for user code, while still providing complete permissions to core Hadoop libraries.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message