hadoop-yarn-issues mailing list archives

From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7815) Mount the filecache as read-only in Docker containers
Date Sat, 27 Jan 2018 05:08:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341966#comment-16341966 ]

Miklos Szegedi commented on YARN-7815:

{quote}The appcache mount needs to be read-write since that's where the container work directory
is along with the application scratch area where shuffle outputs are deposited.{quote}
Would it make sense to detach the appcache and mount a separate appcache dir for each container?
AFAIK it is not for sharing between containers, since they might get scheduled to other nodes
anyways. Currently it is legitimate that a container gets different security tokens from the
application in the container launch context. If the container can look out into the application
cache, it can see the results of other containers on the same node of the same application.

> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>                 Key: YARN-7815
>                 URL: https://issues.apache.org/jira/browse/YARN-7815
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Shane Kumpf
>            Assignee: Shane Kumpf
>            Priority: Major
> Currently, when using the Docker runtime, the filecache directories are mounted read-write
> into the Docker containers. Read-write access is not necessary. We should make this more restrictive
> by changing that mount to read-only.
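
An added example, not part of the original message or of Hadoop's code: a check over `docker inspect` output that flags a filecache bind mount left read-write and an appcache mount that exposes more than a single container's directory, the two conditions discussed in this thread. The sample JSON, the paths, and the local-dir layout the function matches are constructed assumptions.

```python
import json
import re

# Constructed sample of `docker inspect` output for two containers. The paths
# are made up and follow an assumed NodeManager local-dir layout.
LOCAL = "/hadoop/yarn/local"
APP = LOCAL + "/usercache/alice/appcache/application_1516999999999_0001"
SAMPLE_INSPECT = json.dumps([
    {"Mounts": [
        {"Source": LOCAL + "/filecache", "RW": False},
        {"Source": LOCAL + "/usercache/alice/filecache", "RW": True},
        {"Source": APP, "RW": True},
    ]},
    {"Mounts": [
        {"Source": APP + "/container_1516999999999_0001_01_000002", "RW": True},
    ]},
])

# An appcache mount scoped to a single container's work directory (assumed layout).
CONTAINER_DIR = re.compile(r"/appcache/application_\d+_\d+/container_[^/]+$")


def audit_mounts(inspect_json):
    """Return (source, finding) pairs for mounts broader than the thread calls for."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            src = mount.get("Source", "").rstrip("/")
            parts = src.split("/")
            # A missing RW field is treated as writable, the conservative reading.
            if "filecache" in parts and mount.get("RW", True):
                findings.append((src, "filecache mounted read-write"))
            elif "appcache" in parts and not CONTAINER_DIR.search(src):
                findings.append((src, "appcache mount not scoped to one container"))
    return findings


if __name__ == "__main__":
    for source, finding in audit_mounts(SAMPLE_INSPECT):
        print(f"{finding}: {source}")
```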
