Date: Thu, 17 Nov 2016 15:34:59 +0000 (UTC)
From: "Varun Vasudev (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15673999#comment-15673999 ]

Varun Vasudev commented on YARN-5280:
-------------------------------------

{quote}
The difficulty arises when moving the functionality from prepareContainer to launchContainer. In particular I need to modify the actual java run command instead of the container launch command. The only way I have found to modify the run command found within the launch_container.sh is through the LinuxContainerExecutor#writeLaunchEnv. A method which links the LinuxContainerExecutor with the ContainerRuntime prior to the environment being written seems necessary for this feature. I am very interested in your thoughts on this matter.
{quote}

Ah, you're correct. I missed this. How about we add a new method called prepareContainer in the ContainerExecutor base class which does nothing by default and override it in the LinuxContainerExecutor class to call the runtime's prepareContainer method? We can call this method before we call writeLaunchEnv. That should solve your requirement, correct?

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential to add instability into the cluster. The Java Security Manager can be used to prevent users from running privileged actions while still allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security Manager for user code, while still providing complete permissions to core Hadoop libraries.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
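
The hook ordering proposed in the comment above, as an added sketch that is not part of the original message or of any YARN-5280 patch. The classes are simplified stand-ins that reuse the names from the thread, not Hadoop's real signatures; the `launch` method, the `SandboxRuntime` class, the policy path and the sample command are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;

public class PrepareHookSketch {
    // Stand-in for the runtime side: may rewrite commands before launch.
    interface ContainerRuntime {
        void prepareContainer(List<String> commands);
    }

    // Hypothetical runtime that turns on the Java Security Manager for user JVMs.
    static class SandboxRuntime implements ContainerRuntime {
        private final String policyFile; // placeholder path, chosen by the administrator
        SandboxRuntime(String policyFile) { this.policyFile = policyFile; }

        @Override
        public void prepareContainer(List<String> commands) {
            String flags = " -Djava.security.manager -Djava.security.policy="
                    + Matcher.quoteReplacement(policyFile);
            for (int i = 0; i < commands.size(); i++) {
                String cmd = commands.get(i);
                if (cmd.contains("-Djava.security.manager")) continue; // already sandboxed
                // Rewrite only commands whose first token is the java binary.
                commands.set(i, cmd.replaceFirst("^(\\S*/bin/java|java)(\\s+)", "$1" + flags + "$2"));
            }
        }
    }

    static class ContainerExecutor {
        void prepareContainer(List<String> commands) { } // no-op by default

        String writeLaunchEnv(List<String> commands) {   // stands in for launch_container.sh
            return "#!/bin/bash\n" + String.join("\n", commands) + "\n";
        }

        final String launch(List<String> commands) {
            prepareContainer(commands);      // hook runs before the script is written
            return writeLaunchEnv(commands);
        }
    }

    static class LinuxContainerExecutor extends ContainerExecutor {
        private final ContainerRuntime runtime;
        LinuxContainerExecutor(ContainerRuntime runtime) { this.runtime = runtime; }
        @Override
        void prepareContainer(List<String> commands) { runtime.prepareContainer(commands); }
    }

    public static void main(String[] args) {
        // Constructed sample command, not taken from a real container.
        List<String> cmds = List.of("$JAVA_HOME/bin/java -Xmx512m org.example.UserTask");
        System.out.print(new ContainerExecutor().launch(new ArrayList<>(cmds)));
        System.out.print(new LinuxContainerExecutor(new SandboxRuntime("/path/to/container.policy"))
                .launch(new ArrayList<>(cmds)));
    }
}
```

The base executor writes the command unchanged, while the Linux executor's script carries the security-manager flags, because the rewrite happens before `writeLaunchEnv` serialises the commands.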