hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-6623) Add support to turn off launching privileged containers in the container-executor
Date Mon, 04 Sep 2017 19:18:00 GMT

     [ https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Varun Vasudev updated YARN-6623:
--------------------------------
    Attachment: YARN-6623.008.patch

{noformat}
 int is_docker_support_enabled() {
-    return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
-    DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg);
+  return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
+                            DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
+         || docker_module_enabled(&CFG);

The indentation here should be fixed.
{noformat}

Fixed.

{noformat}
+# The configs below deal with settings for Docker
+#[docker]
+#  module.enabled=## enable/disable the module. set to "true" to enable, disabled by default
+#  docker.binary=/usr/bin/docker
+#  allowed.capabilities=## comma seperated capabilities that can be granted, e.g CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE
+#  allowed.devices=## comma seperated list of devices that can be mounted into a container
+#  allowed.networks=## comma seperated networks that can be used. e.g bridge,host,none
+#  allowed.ro-mounts=## comma seperated volumes that can be mounted as read-only
+#  allowed.rw-mounts=## comma seperate volumes that can be mounted as read-write, add the
yarn local and log dirs to this list to run Hadoop jobs

For the Docker configs, I think it'd be more clear if they were prefixed with docker.
{noformat}

Fixed.

{noformat}
+   <!-- /proc/mounts,/sys/fs/cgroup are always in the same place -->
   <Match>
     <Class name="org.apache.hadoop.yarn.server.nodemanager.util.CgroupsLCEResourcesHandler"
/>
     <Method name="parseMtab" />
     <Bug pattern="DMI_HARDCODED_ABSOLUTE_FILENAME" />
   </Match>
+  <Match>
+    <Class name="org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DockerLinuxContainerRuntime"
/>
+    <Method name="launchContainer" />
+    <Bug pattern="DMI_HARDCODED_ABSOLUTE_FILENAME" />
+  </Match>

Since we're going to remove the hard-coded string in YARN-6968, should we leave the findbugs
warning and take care of it there?
{noformat}

Makes sense, removed.

{noformat}
+  protected final void addCommandArguments(String key, String value) {
+    if (commandArguments.containsKey(key)) {
+      commandArguments.get(key).add(value);
+      return;
+    }

No need to call contains() and then call get(). We can just call get and then add the value
if the return value isn't null.
{noformat}

Fixed.

{noformat}
+  @Override
+  public String toString() {
+    StringBuffer ret = new StringBuffer("");
+    ret.append(this.command);

Any reason not to create the string with the command in the constructor? Something like
StringBuffer ret = new StringBuffer(this.command);
{noformat}

Fixed.


> Add support to turn off launching privileged containers in the container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: YARN-6623.001.patch, YARN-6623.002.patch, YARN-6623.003.patch, YARN-6623.004.patch,
YARN-6623.005.patch, YARN-6623.006.patch, YARN-6623.007.patch, YARN-6623.008.patch
>
>
> Currently, launching privileged containers is controlled by the NM. We should add a flag
to the container-executor.cfg allowing admins to disable launching privileged containers at
the container-executor level.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message