Date: Tue, 11 Apr 2017 18:58:41 +0000 (UTC)
From: "Miklos Szegedi (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Commented] (YARN-6456) Isolation of Docker containers In LinuxContainerExecutor

[ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15964813#comment-15964813 ]

Miklos Szegedi commented on YARN-6456:
--------------------------------------

Thank you for the reply [~jlowe]. What I am thinking about is mounting only {{nm-local-dir/usercache/user/filecache}} and not the whole user folder. This would give the user some protection against malicious/faulty applications. Ideally {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/filecache}} is mounted only together with the current container dir, so that the container directories are not added, but as you also said, this might not be possible due to shuffle, other applications, etc. Maybe the container directories could be outside the application directory. That might be overkill.
> Isolation of Docker containers In LinuxContainerExecutor
> --------------------------------------------------------
>
> Key: YARN-6456
> URL: https://issues.apache.org/jira/browse/YARN-6456
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Reporter: Miklos Szegedi
>
> One reason to use Docker containers is to be able to isolate different workloads, even if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify the files of another container. I think the application file cache directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be enough?
> 3. There is no way to enforce exclusive use of Docker for all containers. There should be an option so that it is not the user but the admin that requires the use of Docker.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)