hadoop-yarn-issues mailing list archives

From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7729) Add support for setting the PID namespace mode
Date Wed, 17 Jan 2018 16:58:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16329001#comment-16329001 ]

Shane Kumpf edited comment on YARN-7729 at 1/17/18 4:57 PM:
------------------------------------------------------------

Thanks for the patch, [~billie.rinaldi]! I tested this out and it works as expected. A couple
of minor items to address.
1) The javadoc in DockerLinuxContainerRuntime is missing the new environment variable YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE

2) The yarn-site and container-executor.cfg settings aren't consistent; yarn-site uses host-pid-namespace,
while container-executor uses pid-host. Perhaps it would be good to make them consistent.

3) Currently the value for docker.pid-host.enabled is 1/0. To align with YARN-7717 this should
be a case insensitive true/false. Given this is a new option, I would eliminate support for
1/0 completely on this config.

4) Formatting was changed within {{TestDockerContainerRuntime#testLaunchPrivilegedContainersInvalidEnvVar}},
but I don't think that is necessary.

{code:java}
List<String> dockerCommands = Files.readAllLines(
    Paths.get(dockerCommandFile), Charset.forName("UTF-8"));{code}


5) Minor copy/paste comment error in {{TestDockerContainerRuntime#testLaunchPidNamespaceContainersInvalidEnvVar}}

{code:java}
//ensure --privileged isn't in the invocation
Assert.assertTrue("Unexpected --privileged in docker run args : " + command,
    !command.contains("--privileged"));{code}


was (Author: shanekumpf@gmail.com):
Thanks for the patch, [~billie.rinaldi]! I tested this out and it works as expected. A couple
of minor items to address.
 # The javadoc in DockerLinuxContainerRuntime is missing the new environment variable YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE 
 # The yarn-site and container-executor.cfg settings aren't consistent; yarn-site uses host-pid-namespace,
while container-executor uses pid-host. Perhaps it would be good to make them consistent.
 # Currently the value for docker.pid-host.enabled is 1/0. To align with YARN-7717 this should
be a case insensitive true/false. Given this is a new option, I would eliminate support for
1/0 completely on this config.
 # Formatting was changed within {{TestDockerContainerRuntime#testLaunchPrivilegedContainersInvalidEnvVar}},
but I don't think that is necessary.

{code:java}
List<String> dockerCommands = Files.readAllLines(
    Paths.get(dockerCommandFile), Charset.forName("UTF-8"));{code}

 # Minor copy/paste comment error in {{TestDockerContainerRuntime#testLaunchPidNamespaceContainersInvalidEnvVar}}

{code:java}
//ensure --privileged isn't in the invocation
Assert.assertTrue("Unexpected --privileged in docker run args : " + command,
    !command.contains("--privileged"));{code}

> Add support for setting the PID namespace mode
> ----------------------------------------------
>
>                 Key: YARN-7729
>                 URL: https://issues.apache.org/jira/browse/YARN-7729
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Shane Kumpf
>            Assignee: Billie Rinaldi
>            Priority: Major
>         Attachments: YARN-7729.001.patch, YARN-7729.002.patch
>
>
> Docker has support for allowing containers to share the PID namespace with the host or other containers via the {{docker run --pid}} flag.
> There are a number of use cases where this is desirable:
> * Monitoring tools running in containers that need access to the host level PIDs.
> * Debug containers that can attach to another container to run strace, gdb, etc.
> * Testing Docker on YARN in a container, where the docker socket is bind mounted.
> Enabling this feature should be considered privileged as it exposes host details inside the container.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
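
Added example (not part of the original message or of the YARN-7729 patch): one way to read docker.pid-host.enabled as a strict, case-insensitive true/false with no 1/0 support, as item 3 of the comment suggests, and to refuse --pid=host unless the value parses to true. The function names, the deny-on-unparseable behaviour and the host-only mode check are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality using only standard C. */
static int eq_nocase(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* Hypothetical helper: strict boolean for a privileged toggle.
 * Returns 1 for "true", 0 for "false" (any case), -1 for anything else,
 * including the legacy "1"/"0", empty strings and a missing key (NULL). */
static int parse_strict_bool(const char *value) {
    if (value == NULL) return -1;
    if (eq_nocase(value, "true")) return 1;
    if (eq_nocase(value, "false")) return 0;
    return -1;
}

/* Hypothetical gate: may the requested PID namespace mode be passed to
 * docker run? Only "host" is modeled here (assumption of this example).
 * cfg_value is the raw docker.pid-host.enabled string.
 * Returns 1 = allow, 0 = deny; an unparseable value denies (fail closed). */
static int pid_mode_allowed(const char *requested, const char *cfg_value) {
    if (requested == NULL || requested[0] == '\0')
        return 1;                      /* no PID namespace sharing requested */
    if (strcmp(requested, "host") != 0)
        return 0;                      /* unmodeled mode: not forwarded */
    return parse_strict_bool(cfg_value) == 1;
}

int main(void) {
    /* Constructed sample values, not taken from a real cluster. */
    const char *samples[] = { "true", "TRUE", "False", "1", "0", "yes", "", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *v = samples[i];
        printf("docker.pid-host.enabled=%-7s -> --pid=host %s\n",
               v ? v : "(unset)",
               pid_mode_allowed("host", v) ? "allowed" : "denied");
    }
    return 0;
}
```

Treating "1" as invalid rather than as true means an administrator who carries over the old 1/0 style gets the feature disabled, not silently enabled.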
