hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8569) Create an interface to provide cluster information to application
Date Wed, 10 Oct 2018 00:15:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16644277#comment-16644277
] 

Eric Yang commented on YARN-8569:
---------------------------------

{quote}
1) We use use set_user before the method to drop privileges.
{quote}

Good catch, check_user will be applied in the next patch.

{quote}
2) Root privilege should be only used by open_file_as_nm.
{quote}

In sync_yarn_sysfs, check_nm_local_dir make sure the nm_local_dir is owned by yarn user. 
This ensure the copy file operation is safe guarded against possible path exploits.  This
is equivalent to next point to ensure nm local dirs are indeed owned by yarn.

{quote}
3) We should check all in/out file paths under local dirs defined by container_executor.cfg.
{quote}

Initialize container, launch container, launch docker container, they are all using nm-local-dirs
path passed from node manager to container executor.  There is no definition of yarn.nodemanager.local-dirs
in container-executor.cfg file.  For containing the scope of this JIRA, I opened YARN-8863
to track the proposed global pattern change.

{quote}
4) Regarding to API, I think we should allow filename specified.
{quote}

I am concerned that tokens are localized in the same nmPrivate directory.  If filename can
be specified, it may increase vulnerable surface for attack to use the REST API to copy hdfs
token into sysfs directory.  I don't unsure this appear to be innocent action is safe.

{quote}5) For the mounted dir for container, for app-level information, I would prefer to
put under ...sys/fs/app/<file> instead of ...sys/fs/<file> since we want to support
per-container information in the future.{quote}

Point 4 is a bit concerning to me.  I am error on side of caution.  Therefore, I do not plan
to make arbitrary filename change in this JIRA.  Please open a separate one, if you feel strongly
about supporting custom filename in the rest API.

> Create an interface to provide cluster information to application
> -----------------------------------------------------------------
>
>                 Key: YARN-8569
>                 URL: https://issues.apache.org/jira/browse/YARN-8569
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8569 YARN sysfs interface to provide cluster information to
application.pdf, YARN-8569.001.patch, YARN-8569.002.patch, YARN-8569.003.patch, YARN-8569.004.patch,
YARN-8569.005.patch, YARN-8569.006.patch, YARN-8569.007.patch, YARN-8569.008.patch, YARN-8569.009.patch,
YARN-8569.010.patch, YARN-8569.011.patch
>
>
> Some program requires container hostnames to be known for application to run.  For example,
distributed tensorflow requires launch_command that looks like:
> {code}
> # On ps0.example.com:
> $ python trainer.py \
>      --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
>      --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
>      --job_name=ps --task_index=0
> # On ps1.example.com:
> $ python trainer.py \
>      --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
>      --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
>      --job_name=ps --task_index=1
> # On worker0.example.com:
> $ python trainer.py \
>      --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
>      --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
>      --job_name=worker --task_index=0
> # On worker1.example.com:
> $ python trainer.py \
>      --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
>      --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
>      --job_name=worker --task_index=1
> {code}
> This is a bit cumbersome to orchestrate via Distributed Shell, or YARN services launch_command.
 In addition, the dynamic parameters do not work with YARN flex command.  This is the classic
pain point for application developer attempt to automate system environment settings as parameter
to end user application.
> It would be great if YARN Docker integration can provide a simple option to expose hostnames
of the yarn service via a mounted file.  The file content gets updated when flex command is
performed.  This allows application developer to consume system environment settings via a
standard interface.  It is like /proc/devices for Linux, but for Hadoop.  This may involve
updating a file in distributed cache, and allow mounting of the file via container-executor.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message