hadoop-yarn-issues mailing list archives

From "Wangda Tan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7468) Provide means for container network policy control
Date Fri, 05 Jan 2018 23:30:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16314127#comment-16314127 ]

Wangda Tan commented on YARN-7468:

Thanks [~xgong],

1) Instead of reusing OutboundBandwidthResourceHandler, I suggest directly implementing the tagging
class from ResourceHandler, since OutboundBandwidthResourceHandler is an empty class.

2) In the configuration, I suggest adding new configs to yarn.nodemanager.network-tagging.*,
and not touching existing configs.

3) Similarly, inside ResourceHandlerModule, add a new method (like getNetworkTaggingHandler).

4) Inside NetworkPacketTaggingHandlerImpl, it looks like the containerIdClassIdMap is not
read by anyone. I think we can simplify the impl a bit by removing containerIdClassIdMap;
we may not need to do anything inside reacquireContainer as well.

5) Suggestion for NetworkTagMappingParser: I think what we really need is not a parser; instead,
we need an abstraction to get the classid from Container. So I recommend:
- initial -> initialize
- getNetworkTagID, changing parameter from username to {{org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container}}

> Provide means for container network policy control
> --------------------------------------------------
>                 Key: YARN-7468
>                 URL: https://issues.apache.org/jira/browse/YARN-7468
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: nodemanager
>            Reporter: Clay B.
>            Assignee: Xuan Gong
>            Priority: Minor
>         Attachments: YARN-7468.trunk.1.patch, YARN-7468.trunk.1.patch, YARN-7468.trunk.2.patch, YARN-7468.trunk.2.patch, [YARN-7468] [Design] Provide means for container network policy control.pdf
>
> To prevent data exfiltration from a YARN cluster, it would be very helpful to have "firewall" rules able to map to a user/queue's containers.
