hadoop-yarn-issues mailing list archives

From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6456) Isolation of Docker containers In LinuxContainerExecutor
Date Tue, 11 Apr 2017 18:58:41 GMT

    [ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15964813#comment-15964813 ]

Miklos Szegedi commented on YARN-6456:
--------------------------------------

Thank you for the reply [~jlowe]. What I am thinking about is mounting only {{nm-local-dir/usercache/user/filecache}} and not the whole user folder. This would give the user some protection against malicious/faulty applications. Ideally {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/filecache}} is mounted only together with the current container dir, so that the other container directories are not added, but as you also said this might not be possible due to shuffle, other applications, etc. Maybe the container directories could be outside the application directory. That might be overkill.

> Isolation of Docker containers In LinuxContainerExecutor
> --------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>
> One reason to use Docker containers is to be able to isolate different workloads, even if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify the files of another container. I think the application file cache directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be enough?
> 3. There is no way to enforce exclusive use of Docker for all containers. There should be an option so that it is not the user but the admin who requires the use of Docker.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
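The narrower bind-mount policy discussed above (only the user filecache, the application filecache and the container's own directory, never the whole user or application directory) can be expressed as a small allowlist check. This is an added illustration, not code from Hadoop YARN; the nm-local-dir root, the function names and the sample user/app/container ids are assumptions, and a real implementation would resolve host symlinks (os.path.realpath) before comparing.

```python
import posixpath

# Constructed example root; the real NodeManager value comes from yarn.nodemanager.local-dirs.
NM_LOCAL_DIR = "/tmp/nm-local-dir"


def allowed_mount_roots(user, app_id, container_id):
    """Directories a Docker container for (user, app_id, container_id) may bind-mount.

    This follows the narrower policy from the thread: the user's public filecache,
    the application's filecache and the container's own working directory.
    The user dir and the application dir as a whole are deliberately absent, so
    sibling containers of the same user cannot see or modify each other's files.
    """
    usercache = posixpath.join(NM_LOCAL_DIR, "usercache", user)
    appdir = posixpath.join(usercache, "appcache", app_id)
    return [
        posixpath.join(usercache, "filecache"),
        posixpath.join(appdir, "filecache"),
        posixpath.join(appdir, container_id),
    ]


def is_mount_allowed(requested_path, user, app_id, container_id):
    """Return True only if requested_path lies at or below one of the allowed roots.

    The path is normalised first so '..' segments and trailing slashes cannot be
    used to step from the container's own directory into a sibling container's.
    Prefix matching includes the separator, so 'filecache2' does not match 'filecache'.
    """
    norm = posixpath.normpath(requested_path)
    if not posixpath.isabs(norm):
        return False  # relative paths are ambiguous on the host; refuse them
    for root in allowed_mount_roots(user, app_id, container_id):
        if norm == root or norm.startswith(root + "/"):
            return True
    return False
```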
