hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig Condit (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6456) Allow administrators to set a single ContainerRuntime for all containers
Date Wed, 12 Sep 2018 14:12:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612192#comment-16612192

Craig Condit commented on YARN-6456:

[~jlowe] wrote:
{quote}Should the docker runtime validate the allowed images against the docker name pattern
when initializing? That would let it fail fast if one or more of the image names isn't going
to be allowed by the docker image name pattern.
My initial thought was that we already validate this at runtime, but I can update the code
to do the regex check here as well.

> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>            Assignee: Craig Condit
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch, YARN-6456.001.patch,
> With LCE, there are multiple ContainerRuntimes available for handling different types
of containers; default, docker, java sandbox. Admins should have the ability to override the
user decision and set a single global ContainerRuntime to be used for all containers.
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different workloads,
even, if they run as the same user.
> I have noticed some issues in the current design:
>  1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}}
and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify
the files of another container. I think the application file cache directory should be enough
for the container to run in most of the cases.
>  2. The whole cgroups directory is mounted. Would the container directory be enough?
>  3. There is no way to enforce exclusive use of Docker for all containers. There should
be an option that it is not the user but the admin that requires to use Docker.
> {quote}

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message