hadoop-yarn-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7468) Provide means for container network policy control
Date Thu, 09 Nov 2017 23:43:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16246778#comment-16246778 ]

Allen Wittenauer commented on YARN-7468:

bq. Ideally, I'd have all the external endpoints secured to disallow this cluster from talking
back except for very fine-grained allowances – it's a big world and I can't.

It also won't prevent DDoS attacks anyway.  Plus, while most of the Hadoop ecosystem has ACL
support, in most cases it's not particularly well implemented, and that is before the dynamic
reconfiguration use case you've effectively presented here.

bq.  In all fairness, I could use tcpspy and have it record the PID of processes today too

In the short term, it's probably easier to just force the use of LCE but with a wrapper around
container-executor to set up the control information you want.  Since the NM and c-e talk
pretty much exclusively through a CLI (with all the security concerns that brings with it...),
this setup should be pretty trivial to do and give you all the information you need to set up
extra cgroups or whatever. 

That said, c-e probably should be more pluggable to allow people to run their own bits.  [I've
been a proponent of c-e getting switched over to do dlopen()'s vs. the current static compiling
for features.  This is a great example where it'd be extremely useful.] 

> Provide means for container network policy control
> --------------------------------------------------
>                 Key: YARN-7468
>                 URL: https://issues.apache.org/jira/browse/YARN-7468
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Clay B.
>            Priority: Minor
> To prevent data exfiltration from a YARN cluster, it would be very helpful to have "firewall"
> rules able to map to a user/queue's containers.

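One way to build the wrapper suggested in the comment above, as an added example that is not part of the original message or of Hadoop: it places each invocation in a per-user net_cls cgroup before handing off to the real binary. The paths, the `container-executor.real` name, a pre-created net_cls (cgroup v1) directory writable by the calling user, and the run-as user being the first argument are all assumptions to check against the container-executor build in use.

```shell
#!/bin/sh
# Added example: wrapper installed under the container-executor name.
# REAL_CE and NETCLS_ROOT are hypothetical paths, not Hadoop defaults.
REAL_CE="${REAL_CE:-/opt/hadoop/bin/container-executor.real}"
NETCLS_ROOT="${NETCLS_ROOT:-/sys/fs/cgroup/net_cls/yarn-users}"

# The user name becomes a path component, so accept only conservative names.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# net_cls.classid is 0xAAAABBBB (major:minor). Major 0x0010 is an arbitrary
# choice; the minor is 16 bits, so larger uids are rejected, not truncated.
classid_for_uid() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 65535 ] || return 1
    printf '0x%04x%04x\n' 16 "$1"
}

# Put this process into the per-user net_cls cgroup; children inherit it.
tag_self() {
    valid_user "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    classid=$(classid_for_uid "$uid") || return 1
    dir="$NETCLS_ROOT/$1"
    mkdir -p "$dir" || return 1
    echo "$classid" > "$dir/net_cls.classid" || return 1
    echo "$$" > "$dir/cgroup.procs"
}

main() {
    case "${1:-}" in
        ''|--*) ;;   # option-style calls pass through untagged
        *)  # assumption: argv[1] is the run-as user for every other call
            tag_self "$1" || { echo "ce-wrapper: cannot tag '$1'" >&2; exit 1; } ;;
    esac
    exec "$REAL_CE" "$@"
}

# Act only when invoked under the wrapped binary's name.
if [ "${0##*/}" = "container-executor" ]; then
    main "$@"
fi
```

The wrapper fails closed: if the user cannot be tagged, the real binary is never executed. A host firewall that can match on the net_cls classid can then apply rules per user.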