[jira] [Assigned] (YARN-7721) TestContinuousScheduling fails sporadically with NPE
[ https://issues.apache.org/jira/browse/YARN-7721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wilfred Spiegelenburg reassigned YARN-7721: --- Assignee: Wilfred Spiegelenburg > TestContinuousScheduling fails sporadically with NPE > > > Key: YARN-7721 > URL: https://issues.apache.org/jira/browse/YARN-7721 > Project: Hadoop YARN > Issue Type: Bug > Components: fairscheduler >Affects Versions: 3.1.0 >Reporter: Jason Lowe >Assignee: Wilfred Spiegelenburg > > TestContinuousScheduling#testFairSchedulerContinuousSchedulingInitTime is > failing sporadically with an NPE in precommit builds, and I can usually > reproduce it locally after a few tries: > {noformat} > [ERROR] > testFairSchedulerContinuousSchedulingInitTime(org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.TestContinuousScheduling) > Time elapsed: 0.085 s <<< ERROR! > java.lang.NullPointerException > at > org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.TestContinuousScheduling.testFairSchedulerContinuousSchedulingInitTime(TestContinuousScheduling.java:383) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at > org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) > [...] > {noformat} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-3841) [Storage implementation] Adding retry semantics to HDFS backing storage
[ https://issues.apache.org/jira/browse/YARN-3841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323624#comment-16323624 ] Abhishek Modi commented on YARN-3841: - Hi [~gtCarrera9] [~ozawa], At our company, we used HDFS as storage for trying out ATSv2. If it's fine for you, can I create a new patch on top of YARN-7055 branch. Thanks. > [Storage implementation] Adding retry semantics to HDFS backing storage > --- > > Key: YARN-3841 > URL: https://issues.apache.org/jira/browse/YARN-3841 > Project: Hadoop YARN > Issue Type: Sub-task > Components: timelineserver >Reporter: Tsuyoshi Ozawa >Assignee: Tsuyoshi Ozawa > Labels: YARN-5355 > Attachments: YARN-3841.001.patch > > > HDFS backing storage is useful for following scenarios. > 1. For Hadoop clusters which don't run HBase. > 2. For fallback from HBase when HBase cluster is temporary unavailable. > Quoting ATS design document of YARN-2928: > {quote} > In the case the HBase > storage is not available, the plugin should buffer the writes temporarily > (e.g. HDFS), and flush > them once the storage comes back online. Reading and writing to hdfs as the > the backup storage > could potentially use the HDFS writer plugin unless the complexity of > generalizing the HDFS > writer plugin for this purpose exceeds the benefits of reusing it here. > {quote} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Attachment: YARN-7738.002.patch Updated ver.2 patch, fixed use cases. > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Blocker > Fix For: 3.1.0, 3.0.1 > > Attachments: YARN-7738.001.patch, YARN-7738.002.patch > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7479) TestContainerManagerSecurity.testContainerManager[Simple] flaky in trunk
[ https://issues.apache.org/jira/browse/YARN-7479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Akira Ajisaka updated YARN-7479: Attachment: YARN-7479.003.patch 003 patch: Fixed checkstyle warnings. > TestContainerManagerSecurity.testContainerManager[Simple] flaky in trunk > > > Key: YARN-7479 > URL: https://issues.apache.org/jira/browse/YARN-7479 > Project: Hadoop YARN > Issue Type: Bug > Components: test >Reporter: Botong Huang >Assignee: Akira Ajisaka > Attachments: YARN-7479.001.patch, YARN-7479.002.patch, > YARN-7479.003.patch > > > Was waiting for container_1_0001_01_00 to get to state COMPLETE but was > in state RUNNING after the timeout > java.lang.AssertionError: Was waiting for container_1_0001_01_00 to get > to state COMPLETE but was in state RUNNING after the timeout > at org.junit.Assert.fail(Assert.java:88) > at > org.apache.hadoop.yarn.server.TestContainerManagerSecurity.waitForContainerToFinishOnNM(TestContainerManagerSecurity.java:431) > at > org.apache.hadoop.yarn.server.TestContainerManagerSecurity.testNMTokens(TestContainerManagerSecurity.java:360) > at > org.apache.hadoop.yarn.server.TestContainerManagerSecurity.testContainerManager(TestContainerManagerSecurity.java:171) > Pasting some exception message during test run here: > org.apache.hadoop.security.AccessControlException: SIMPLE authentication is > not enabled. Available:[TOKEN] > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.apache.hadoop.yarn.ipc.RPCUtil.instantiateException(RPCUtil.java:53) > at > org.apache.hadoop.yarn.ipc.RPCUtil.instantiateIOException(RPCUtil.java:80) > at > org.apache.hadoop.yarn.ipc.RPCUtil.unwrapAndThrowException(RPCUtil.java:119) > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.token.SecretManager$InvalidToken): > Given NMToken for application : appattempt_1_0001_01 seems to have been > generated illegally. > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1491) > at org.apache.hadoop.ipc.Client.call(Client.java:1437) > at org.apache.hadoop.ipc.Client.call(Client.java:1347) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.token.SecretManager$InvalidToken): > Given NMToken for application : appattempt_1_0001_01 is not valid for > current node manager.expected : localhost:46649 found : InvalidHost:1234 > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1491) > at org.apache.hadoop.ipc.Client.call(Client.java:1437) > at org.apache.hadoop.ipc.Client.call(Client.java:1347) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228) -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7064) Use cgroup to get container resource utilization
[ https://issues.apache.org/jira/browse/YARN-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323526#comment-16323526 ] genericqa commented on YARN-7064: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 16s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 5 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 18s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 59s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 14m 16s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 2m 32s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 28s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 16m 33s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 21s{color} | {color:red} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api in trunk has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 56s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 18s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m 30s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 12m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 12m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 2m 11s{color} | {color:green} root: The patch generated 0 new + 266 unchanged - 3 fixed = 266 total (was 269) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 9s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 5m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 36s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 10s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 41s{color} | {color:green} hadoop-yarn-api in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 4s{color} | {color:green} hadoop-yarn-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 17m 15s{color} | {color:red} hadoop-yarn-server-nodemanager in the patch failed. {color} | | {color:red}-1{color} | {color:red} asflicense {color} | {color:red} 0m 34s{color} | {color:red} The patch generated 1 ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}130m 23s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.nodemanager.webapp.TestContainerLogsPage | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7064 | | JIRA Patch URL |
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323497#comment-16323497 ] genericqa commented on YARN-7516: - | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 40s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 10s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 37m 53s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 7m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} cc {color} | {color:green} 7m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 7m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 7s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 1s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 16s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 18m 11s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 18s{color} | {color:green} hadoop-yarn-site in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 31s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 78m 50s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7516 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905787/YARN-7516.008.patch | | Optional Tests | asflicense compile cc mvnsite javac unit | | uname | Linux ccbfa1005c7d 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / addbcd8 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19213/testReport/ | | Max. process+thread count | 290 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site U: hadoop-yarn-project/hadoop-yarn | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19213/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments:
[jira] [Commented] (YARN-7705) Create the container log directory with correct sticky bit in C code
[ https://issues.apache.org/jira/browse/YARN-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323449#comment-16323449 ] genericqa commented on YARN-7705: - | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 12s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 47s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 21s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 32s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 16s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 45s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 22s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 31s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} cc {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 16s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager: The patch generated 5 new + 31 unchanged - 18 fixed = 36 total (was 49) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 28s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 35s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 50s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 20s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 17m 52s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 20s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 60m 37s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7705 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905776/YARN-7705.005.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc | | uname | Linux 409bd36de2e4 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / addbcd8 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | checkstyle | https://builds.apache.org/job/PreCommit-YARN-Build/19211/artifact/out/diff-checkstyle-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager.txt | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19211/testReport/ | | Max. process+thread count | 441 (vs. ulimit of
[jira] [Commented] (YARN-7731) RegistryDNS should handle upstream DNS returning CNAME
[ https://issues.apache.org/jira/browse/YARN-7731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323438#comment-16323438 ] genericqa commented on YARN-7731: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 16m 48s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 20s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 22s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 31s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 30s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 18s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 20s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 10s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 19s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s{color} | {color:red} The patch has 1 line(s) that end in whitespace. Use git apply --whitespace=fix <>. Refer https://git-scm.com/docs/git-apply {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 15m 0s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 42s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 53s{color} | {color:green} hadoop-yarn-registry in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 20s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 48m 0s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7731 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905778/YARN-7731.003.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 77f61d6f7ec4 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / addbcd8 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | whitespace | https://builds.apache.org/job/PreCommit-YARN-Build/19210/artifact/out/whitespace-eol.txt | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19210/testReport/ | | Max. process+thread count | 342 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19210/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT
[jira] [Updated] (YARN-7064) Use cgroup to get container resource utilization
[ https://issues.apache.org/jira/browse/YARN-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Miklos Szegedi updated YARN-7064: - Attachment: YARN-7064.011.patch > Use cgroup to get container resource utilization > > > Key: YARN-7064 > URL: https://issues.apache.org/jira/browse/YARN-7064 > Project: Hadoop YARN > Issue Type: Improvement >Reporter: Miklos Szegedi >Assignee: Miklos Szegedi > Attachments: YARN-7064.000.patch, YARN-7064.001.patch, > YARN-7064.002.patch, YARN-7064.003.patch, YARN-7064.004.patch, > YARN-7064.005.patch, YARN-7064.007.patch, YARN-7064.008.patch, > YARN-7064.009.patch, YARN-7064.010.patch, YARN-7064.011.patch > > > This is an addendum to YARN-6668. What happens is that that jira always wants > to rebase patches against YARN-1011 instead of trunk. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7064) Use cgroup to get container resource utilization
[ https://issues.apache.org/jira/browse/YARN-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323408#comment-16323408 ] Miklos Szegedi commented on YARN-7064: -- Thank you for the review [~haibochen]. bq. In CgroupsResourceCalculator, how about we give more information in initialize() when CGroupsResourceCalculator is not available to tells user what is required, like `CGroupsResourceCalculator is only available on Linux when cgroup memory and cpu is turned on`? I think the logging inside isAvailable should be enough. I am not in favor of logging the same thing duplicated. {code} public static boolean isAvailable() { try { if (!Shell.LINUX) { LOG.info("CGroupsResourceCalculator currently is supported only on " + "Linux."); return false; } if (ResourceHandlerModule.getCGroupsHandler() == null || ResourceHandlerModule.getCpuResourceHandler() == null || ResourceHandlerModule.getMemoryResourceHandler() == null) { LOG.info("CGroupsResourceCalculator requires enabling CGroups" + "cpu and memory"); return false; } } catch (SecurityException se) { LOG.warn("Failed to get Operating System name. " + se); return false; } return true; } {code} bq. The exception, if not caught in updateProcessTree() and getMemorySize(), will be eventually caught and logged in COntainersMonitorImpl which makes the error message easier to understand. Swallowing the exception in updateProcessTree() and getMemorySize() will lead old (for cpu usage) or wrong (for memory) number to be reported to ContainersMonitor, which is harder to debug. I am not in favor of adding too many design changes to working code (i.e. ContainersMonitor), it may lead to regressions. I removed my throttle code, that I added based on my testing per your request. Now we will send out the same error message on every tick of ContainersMonitor as you requested. That might cause disk overflows though, are you sure you want this? > Use cgroup to get container resource utilization > > > Key: YARN-7064 > URL: https://issues.apache.org/jira/browse/YARN-7064 > Project: Hadoop YARN > Issue Type: Improvement >Reporter: Miklos Szegedi >Assignee: Miklos Szegedi > Attachments: YARN-7064.000.patch, YARN-7064.001.patch, > YARN-7064.002.patch, YARN-7064.003.patch, YARN-7064.004.patch, > YARN-7064.005.patch, YARN-7064.007.patch, YARN-7064.008.patch, > YARN-7064.009.patch, YARN-7064.010.patch > > > This is an addendum to YARN-6668. What happens is that that jira always wants > to rebase patches against YARN-1011 instead of trunk. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-6486) FairScheduler: Deprecate continuous scheduling
[ https://issues.apache.org/jira/browse/YARN-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323397#comment-16323397 ] Wilfred Spiegelenburg commented on YARN-6486: - I followed the way the deprecation was handled for the RM_SCHEDULER_INCREMENT_ALLOCATION_* and the defaults. In those two cases we only deprecated the configs and not the defaults. I can add them but if we do we should really also add them to the DEFAULTS_* for those two settings. Let me know if you want me to update the patch with all those DEFAULTS* deprecated or just the ones that I did here and follow up with a new jira to add the missed ones. > FairScheduler: Deprecate continuous scheduling > -- > > Key: YARN-6486 > URL: https://issues.apache.org/jira/browse/YARN-6486 > Project: Hadoop YARN > Issue Type: Task > Components: fairscheduler >Affects Versions: 2.9.0 >Reporter: Wilfred Spiegelenburg >Assignee: Wilfred Spiegelenburg > Attachments: YARN-6486.001.patch, YARN-6486.002.patch, > YARN-6486.003.patch, YARN-6486.004.patch, YARN-6486.005.patch > > > Mark continuous scheduling as deprecated in 2.9 and remove the code in 3.0. > Removing continuous scheduling from the code will be logged as a separate jira -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7671) Improve Diagonstic message for stop yarn native service
[ https://issues.apache.org/jira/browse/YARN-7671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323389#comment-16323389 ] Chandni Singh commented on YARN-7671: - [~jianhe] The {{AbstractService}} has {{failureCause}} and {{failureState}} fields that are set via {{noteFailure}} method when exception happens during init, start, stop. Seems to me that we can use {{failureCause}} in {{ServiceScheduler}} to set the appropriate diagnostics message. Please let me know if that sounds good to you. > Improve Diagonstic message for stop yarn native service > > > Key: YARN-7671 > URL: https://issues.apache.org/jira/browse/YARN-7671 > Project: Hadoop YARN > Issue Type: Bug >Affects Versions: 3.0.0 >Reporter: Yesha Vora >Assignee: Chandni Singh > > Steps: > 1) Install Hadoop 3.0 cluster > 2) Run Yarn service application > {code:title=sleeper.json}{ > "name": "sleeper-service", > "components" : > [ > { > "name": "sleeper", > "number_of_containers": 1, > "launch_command": "sleep 90", > "resource": { > "cpus": 1, > "memory": "256" >} > } > ] > }{code} > {code:title=cmd} > yarn app -launch my-sleeper1 sleeper.json{code} > 3) stop yarn service app > {code:title=cmd} > yarn app -stop my-sleeper1{code} > On stopping yarn service, appId finishes with YarnApplicationState: FINISHED > , FinalStatus Reported by AM: ENDED and Diagnostics: Navigate to the > failed component for more details. > Here, Diagnostics message should be improved. When an application is > explicitly stopped by user, the diagnostics message should say " Application > stopped by user" -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7605) Implement doAs for Api Service REST API
[ https://issues.apache.org/jira/browse/YARN-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323382#comment-16323382 ] genericqa commented on YARN-7605: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s{color} | {color:blue} Docker mode activated. {color} | | {color:red}-1{color} | {color:red} patch {color} | {color:red} 0m 6s{color} | {color:red} YARN-7605 does not apply to trunk. Rebase required? Wrong Branch? See https://wiki.apache.org/hadoop/HowToContribute for help. {color} | \\ \\ || Subsystem || Report/Notes || | JIRA Issue | YARN-7605 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905777/YARN-7605.016.patch | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19209/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Implement doAs for Api Service REST API > --- > > Key: YARN-7605 > URL: https://issues.apache.org/jira/browse/YARN-7605 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Fix For: yarn-native-services > > Attachments: YARN-7605.001.patch, YARN-7605.004.patch, > YARN-7605.005.patch, YARN-7605.006.patch, YARN-7605.007.patch, > YARN-7605.008.patch, YARN-7605.009.patch, YARN-7605.010.patch, > YARN-7605.011.patch, YARN-7605.012.patch, YARN-7605.013.patch, > YARN-7605.014.patch, YARN-7605.015.patch, YARN-7605.016.patch > > > In YARN-7540, all client entry points for API service is centralized to use > REST API instead of having direct file system and resource manager rpc calls. > This change helped to centralize yarn metadata to be owned by yarn user > instead of crawling through every user's home directory to find metadata. > The next step is to make sure "doAs" calls work properly for API Service. > The metadata is stored by YARN user, but the actual workload still need to be > performed as end users, hence API service must authenticate end user kerberos > credential, and perform doAs call when requesting containers via > ServiceClient. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Assigned] (YARN-7671) Improve Diagonstic message for stop yarn native service
[ https://issues.apache.org/jira/browse/YARN-7671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Chandni Singh reassigned YARN-7671: --- Assignee: Chandni Singh > Improve Diagonstic message for stop yarn native service > > > Key: YARN-7671 > URL: https://issues.apache.org/jira/browse/YARN-7671 > Project: Hadoop YARN > Issue Type: Bug >Affects Versions: 3.0.0 >Reporter: Yesha Vora >Assignee: Chandni Singh > > Steps: > 1) Install Hadoop 3.0 cluster > 2) Run Yarn service application > {code:title=sleeper.json}{ > "name": "sleeper-service", > "components" : > [ > { > "name": "sleeper", > "number_of_containers": 1, > "launch_command": "sleep 90", > "resource": { > "cpus": 1, > "memory": "256" >} > } > ] > }{code} > {code:title=cmd} > yarn app -launch my-sleeper1 sleeper.json{code} > 3) stop yarn service app > {code:title=cmd} > yarn app -stop my-sleeper1{code} > On stopping yarn service, appId finishes with YarnApplicationState: FINISHED > , FinalStatus Reported by AM: ENDED and Diagnostics: Navigate to the > failed component for more details. > Here, Diagnostics message should be improved. When an application is > explicitly stopped by user, the diagnostics message should say " Application > stopped by user" -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7731) RegistryDNS should handle upstream DNS returning CNAME
[ https://issues.apache.org/jira/browse/YARN-7731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Yang updated YARN-7731: Attachment: YARN-7731.003.patch - Added detection to prevent infinite recursive lookup for cname records. > RegistryDNS should handle upstream DNS returning CNAME > -- > > Key: YARN-7731 > URL: https://issues.apache.org/jira/browse/YARN-7731 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Billie Rinaldi >Assignee: Eric Yang > Attachments: YARN-7731.001.patch, YARN-7731.002.patch, > YARN-7731.003.patch > > > When RegistryDNS performs a lookup in an upstream DNS server and a CNAME > record is retrieved, it returns a response with only the CNAME record (there > is no A record, meaning no IP address is resolved). RegistryDNS should > perform a lookup on the new name from the CNAME record in an attempt to find > an A record, which would provide an IP address. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323366#comment-16323366 ] genericqa commented on YARN-7738: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 9m 41s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 59s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 18m 1s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 7s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 6s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 26s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 12m 42s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 17s{color} | {color:red} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api in trunk has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 58s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 10s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 31s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 31s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 1m 16s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn: The patch generated 2 new + 367 unchanged - 0 fixed = 369 total (was 367) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 56s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 0s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 39s{color} | {color:green} hadoop-yarn-api in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 59m 50s{color} | {color:red} hadoop-yarn-server-resourcemanager in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 32s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}140m 50s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.resourcemanager.scheduler.capacity.TestIncreaseAllocationExpirer | | | hadoop.yarn.server.resourcemanager.scheduler.capacity.TestCapacityScheduler | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7738 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905765/YARN-7738.001.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 9106d45b396a 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build
[jira] [Created] (YARN-7741) Eliminate extra log statement from yarn app -destroy cli
Yesha Vora created YARN-7741: Summary: Eliminate extra log statement from yarn app -destroy cli Key: YARN-7741 URL: https://issues.apache.org/jira/browse/YARN-7741 Project: Hadoop YARN Issue Type: Bug Components: yarn-native-services Reporter: Yesha Vora "Yarn destroy -app " cli prints very long stacktrace from zookeeper client which is not required. This cli prints 44009 characters (38 lines and 358 words) This api should only print the message whether app was destroyed successfully or not. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Created] (YARN-7740) Fix logging for destroy yarn service cli when app does not exist
Yesha Vora created YARN-7740: Summary: Fix logging for destroy yarn service cli when app does not exist Key: YARN-7740 URL: https://issues.apache.org/jira/browse/YARN-7740 Project: Hadoop YARN Issue Type: Bug Components: yarn-native-services Reporter: Yesha Vora Scenario: Run "yarn app -destroy" cli with a application name which does not exist. Here, The cli should return a message " Application does not exists" instead it is returning a message "Destroyed cluster httpd-xxx" -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7605) Implement doAs for Api Service REST API
[ https://issues.apache.org/jira/browse/YARN-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Yang updated YARN-7605: Attachment: YARN-7605.016.patch - Revert changes to ServiceClient. > Implement doAs for Api Service REST API > --- > > Key: YARN-7605 > URL: https://issues.apache.org/jira/browse/YARN-7605 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Fix For: yarn-native-services > > Attachments: YARN-7605.001.patch, YARN-7605.004.patch, > YARN-7605.005.patch, YARN-7605.006.patch, YARN-7605.007.patch, > YARN-7605.008.patch, YARN-7605.009.patch, YARN-7605.010.patch, > YARN-7605.011.patch, YARN-7605.012.patch, YARN-7605.013.patch, > YARN-7605.014.patch, YARN-7605.015.patch, YARN-7605.016.patch > > > In YARN-7540, all client entry points for API service is centralized to use > REST API instead of having direct file system and resource manager rpc calls. > This change helped to centralize yarn metadata to be owned by yarn user > instead of crawling through every user's home directory to find metadata. > The next step is to make sure "doAs" calls work properly for API Service. > The metadata is stored by YARN user, but the actual workload still need to be > performed as end users, hence API service must authenticate end user kerberos > credential, and perform doAs call when requesting containers via > ServiceClient. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7717) Add configuration consistency for module.enabled and docker.privileged-containers.enabled
[ https://issues.apache.org/jira/browse/YARN-7717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323341#comment-16323341 ] genericqa commented on YARN-7717: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 12s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 42s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 27s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 40m 55s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 35s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 7m 12s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} cc {color} | {color:green} 7m 12s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 7m 12s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 57s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Other Tests {color} || | {color:red}-1{color} | {color:red} unit {color} | {color:red}111m 14s{color} | {color:red} hadoop-yarn in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 17m 33s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 18s{color} | {color:green} hadoop-yarn-site in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 35s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}198m 23s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7717 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905747/YARN-7717.004.patch | | Optional Tests | asflicense compile cc mvnsite javac unit | | uname | Linux 4cf2cd8430ee 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | unit | https://builds.apache.org/job/PreCommit-YARN-Build/19204/artifact/out/patch-unit-hadoop-yarn-project_hadoop-yarn.txt | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19204/testReport/ | | Max. process+thread count | 837 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site U: hadoop-yarn-project/hadoop-yarn | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19204/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT
[jira] [Updated] (YARN-7705) Create the container log directory with correct sticky bit in C code
[ https://issues.apache.org/jira/browse/YARN-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Yufei Gu updated YARN-7705: --- Attachment: YARN-7705.005.patch > Create the container log directory with correct sticky bit in C code > > > Key: YARN-7705 > URL: https://issues.apache.org/jira/browse/YARN-7705 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager >Affects Versions: 3.0.0, 3.1.0 >Reporter: Yufei Gu >Assignee: Yufei Gu > Attachments: YARN-7705.001.patch, YARN-7705.002.patch, > YARN-7705.003.patch, YARN-7705.004.patch, YARN-7705.005.patch > > > YARN-7363 created the container log directory in Java, which isn't able to > set the correct sticky bit because of Java language limitation. Wrong sticky > bit of log directory causes failure of reading log files inside the > directory. To solve that, we need to do it in C code. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7739) Revisit scheduler resource normalization behavior for max allocation
[ https://issues.apache.org/jira/browse/YARN-7739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323332#comment-16323332 ] Wangda Tan commented on YARN-7739: -- I personally prefer to not update global's maximum allocation by node's availabilities by default and reject requests if it exceeds maximum allocation. Thoughts? [~jlowe] / [~asuresh] / [~sunilg]. > Revisit scheduler resource normalization behavior for max allocation > > > Key: YARN-7739 > URL: https://issues.apache.org/jira/browse/YARN-7739 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Wangda Tan >Priority: Critical > > Currently, YARN Scheduler normalizes requested resource based on the maximum > allocation derived from configured maximum allocation and maximum registered > node resources. Basically, the scheduler will silently cap asked resource by > maximum allocation. > This could cause issues for applications, for example, a Spark job which > needs 12 GB memory to run, however in the cluster, registered NMs have at > most 8 GB mem on each node. So scheduler allocates 8GB memory container to > the requested application. > Once app receives containers from RM, if it doesn't double check allocated > resources, it will lead to OOM and hard to debug because scheduler silently > caps maximum allocation. > When non-mandatory resources introduced, this becomes worse. For resources > like GPU, we typically set minimum allocation to 0 since not all nodes have > GPU devices. So it is possible that application asks 4 GPUs but get 0 GPU, it > gonna be a big problem. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7739) Revisit scheduler resource normalization behavior for max allocation
[ https://issues.apache.org/jira/browse/YARN-7739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323332#comment-16323332 ] Wangda Tan edited comment on YARN-7739 at 1/12/18 1:05 AM: --- I personally prefer to not update global's maximum allocation by node's availabilities by default and reject requests if it exceeds maximum allocation. Thoughts? [~jlowe] / [~asuresh] / [~sunilg] / [~templedf] / [~yufeigu]. was (Author: leftnoteasy): I personally prefer to not update global's maximum allocation by node's availabilities by default and reject requests if it exceeds maximum allocation. Thoughts? [~jlowe] / [~asuresh] / [~sunilg]. > Revisit scheduler resource normalization behavior for max allocation > > > Key: YARN-7739 > URL: https://issues.apache.org/jira/browse/YARN-7739 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Wangda Tan >Priority: Critical > > Currently, YARN Scheduler normalizes requested resource based on the maximum > allocation derived from configured maximum allocation and maximum registered > node resources. Basically, the scheduler will silently cap asked resource by > maximum allocation. > This could cause issues for applications, for example, a Spark job which > needs 12 GB memory to run, however in the cluster, registered NMs have at > most 8 GB mem on each node. So scheduler allocates 8GB memory container to > the requested application. > Once app receives containers from RM, if it doesn't double check allocated > resources, it will lead to OOM and hard to debug because scheduler silently > caps maximum allocation. > When non-mandatory resources introduced, this becomes worse. For resources > like GPU, we typically set minimum allocation to 0 since not all nodes have > GPU devices. So it is possible that application asks 4 GPUs but get 0 GPU, it > gonna be a big problem. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7739) Revisit scheduler resource normalization behavior for max allocation
[ https://issues.apache.org/jira/browse/YARN-7739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7739: - Description: Currently, YARN Scheduler normalizes requested resource based on the maximum allocation derived from configured maximum allocation and maximum registered node resources. Basically, the scheduler will silently cap asked resource by maximum allocation. This could cause issues for applications, for example, a Spark job which needs 12 GB memory to run, however in the cluster, registered NMs have at most 8 GB mem on each node. So scheduler allocates 8GB memory container to the requested application. Once app receives containers from RM, if it doesn't double check allocated resources, it will lead to OOM and hard to debug because scheduler silently caps maximum allocation. When non-mandatory resources introduced, this becomes worse. For resources like GPU, we typically set minimum allocation to 0 since not all nodes have GPU devices. So it is possible that application asks 4 GPUs but get 0 GPU, it gonna be a big problem. was: Currently, YARN Scheduler normalizes requested resource based on the maximum allocation derived from configured maximum allocation and maximum registered node resources. Basically, the scheduler will silently cap asked resource by maximum allocation. This could cause issues for applications, for example, a Spark job which needs 12 GB memory to run, however in the cluster, registered NMs have at most 8 GB mem on each node. So scheduler allocates 8GB memory container to the requested application. Once app receives containers from RM, if it doesn't double check allocated resources, it will lead to OOM and hard to debug because scheduler silently caps maximum allocation. > Revisit scheduler resource normalization behavior for max allocation > > > Key: YARN-7739 > URL: https://issues.apache.org/jira/browse/YARN-7739 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Wangda Tan >Priority: Critical > > Currently, YARN Scheduler normalizes requested resource based on the maximum > allocation derived from configured maximum allocation and maximum registered > node resources. Basically, the scheduler will silently cap asked resource by > maximum allocation. > This could cause issues for applications, for example, a Spark job which > needs 12 GB memory to run, however in the cluster, registered NMs have at > most 8 GB mem on each node. So scheduler allocates 8GB memory container to > the requested application. > Once app receives containers from RM, if it doesn't double check allocated > resources, it will lead to OOM and hard to debug because scheduler silently > caps maximum allocation. > When non-mandatory resources introduced, this becomes worse. For resources > like GPU, we typically set minimum allocation to 0 since not all nodes have > GPU devices. So it is possible that application asks 4 GPUs but get 0 GPU, it > gonna be a big problem. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-3895) Support ACLs in ATSv2
[ https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323324#comment-16323324 ] Vrushali C commented on YARN-3895: -- We had a discussion today and wanted to summarize some points (most might be repeated from conversations above): - we will use Application ACLs for getting the user & group information while writing the entities. - this will be stored in hbase within each cell as part of it's cell tags - each time a query for reading this data comes in, we will use the user ACLs at the hbase region server in a coprocessor to determine if the user is allowed to read this data or not. - admin users are always allowed to read all data - this would imply coprocessors on each table [~jlowe] what do you think about this approach for read side authorization? This does not make use of any domain concept (as in v1.5). This is along the lines of security in yarn via ACLs. This should also work in the case of AM running as one user but executing DAGs as other users. The callerUGI during the write entity in such situations will have both users (AM user and doAs user) and we will store both. So, at ready time, query by AM user as well as the doAs user will be allowed for this data. Also any other user who is part of that group should be able read it. At the backend side, there is the thing about storing this info per cell in hbase. It is a lot of repeated information. IIUC, hbase security and visibility labels work with the same logic but in that case, hbase admin commands are used to grant permissions to specific hbase users/labels. I will think over if we can optimize how many times this is stored per Column Family. > Support ACLs in ATSv2 > - > > Key: YARN-3895 > URL: https://issues.apache.org/jira/browse/YARN-3895 > Project: Hadoop YARN > Issue Type: Sub-task > Components: timelineserver >Affects Versions: YARN-2928 >Reporter: Varun Saxena >Assignee: Varun Saxena > Labels: YARN-5355 > > This JIRA is to keep track of authorization support design discussions for > both readers and collectors. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Created] (YARN-7739) Revisit scheduler resource normalization behavior for max allocation
Wangda Tan created YARN-7739: Summary: Revisit scheduler resource normalization behavior for max allocation Key: YARN-7739 URL: https://issues.apache.org/jira/browse/YARN-7739 Project: Hadoop YARN Issue Type: Bug Reporter: Wangda Tan Priority: Critical Currently, YARN Scheduler normalizes requested resource based on the maximum allocation derived from configured maximum allocation and maximum registered node resources. Basically, the scheduler will silently cap asked resource by maximum allocation. This could cause issues for applications, for example, a Spark job which needs 12 GB memory to run, however in the cluster, registered NMs have at most 8 GB mem on each node. So scheduler allocates 8GB memory container to the requested application. Once app receives containers from RM, if it doesn't double check allocated resources, it will lead to OOM and hard to debug because scheduler silently caps maximum allocation. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-3660) [GPG] Federation Global Policy Generator (load balancing)
[ https://issues.apache.org/jira/browse/YARN-3660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323282#comment-16323282 ] genericqa commented on YARN-3660: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} YARN-7402 Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 5m 23s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 11s{color} | {color:green} YARN-7402 passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 12m 56s{color} | {color:green} YARN-7402 passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 55s{color} | {color:green} YARN-7402 passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 5m 39s{color} | {color:green} YARN-7402 passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 17m 24s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server hadoop-yarn-project {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 0s{color} | {color:green} YARN-7402 passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 53s{color} | {color:green} YARN-7402 passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 16s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 32s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 11m 26s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 11m 26s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 1m 55s{color} | {color:orange} root: The patch generated 5 new + 0 unchanged - 0 fixed = 5 total (was 0) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 6m 8s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 5s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 9m 11s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server hadoop-yarn-project {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 0m 21s{color} | {color:red} hadoop-yarn-server-globalpolicygenerator in the patch failed. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 10s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 14s{color} | {color:green} hadoop-project in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 96m 39s{color} | {color:red} hadoop-yarn-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 20s{color} | {color:green} hadoop-yarn-server-globalpolicygenerator in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}102m 5s{color} | {color:red} hadoop-yarn-project in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 37s{color} |
[jira] [Commented] (YARN-7728) Expose and expand container preemptions in Capacity Scheduler queue metrics
[ https://issues.apache.org/jira/browse/YARN-7728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323234#comment-16323234 ] genericqa commented on YARN-7728: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 10s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 40s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 42s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 2s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 7s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 24s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 36s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 36s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 26s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager: The patch generated 2 new + 144 unchanged - 0 fixed = 146 total (was 144) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 1s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 12s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 14s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 23s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:red}-1{color} | {color:red} unit {color} | {color:red} 60m 4s{color} | {color:red} hadoop-yarn-server-resourcemanager in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 21s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}107m 19s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7728 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905721/YARN-7728.001.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux db74d9cd4dbe 3.13.0-135-generic #184-Ubuntu SMP Wed Oct 18 11:55:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | checkstyle | https://builds.apache.org/job/PreCommit-YARN-Build/19206/artifact/out/diff-checkstyle-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt | | unit |
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323230#comment-16323230 ] Eric Badger commented on YARN-7516: --- bq. Eric Badger We can go with remove --prilvileged, and allow the container to run like you recommended. We won't be able to run systemd or supervisor from untrusted source for now. This is better than open up too much. That sounds good to me. We can always open it up a little bit more later. But I'd rather the user not accidentally open up docker without understanding what they did. Especially with an image from an untrusted registry. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7451) Resources Types should be visible in the Cluster Apps API "resourceRequests" section
[ https://issues.apache.org/jira/browse/YARN-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323216#comment-16323216 ] genericqa commented on YARN-7451: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 33 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 16s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 20m 7s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 16m 34s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 2m 8s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 58s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 14m 41s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-client-modules/hadoop-client-minicluster hadoop-client-modules/hadoop-client-check-test-invariants {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 10s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 34s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 13m 0s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 13m 0s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 2m 15s{color} | {color:orange} root: The patch generated 154 new + 166 unchanged - 12 fixed = 320 total (was 178) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 2s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 5s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 25s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-client-modules/hadoop-client-minicluster hadoop-client-modules/hadoop-client-check-test-invariants {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 28s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} javadoc {color} | {color:red} 0m 33s{color} | {color:red} hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager generated 1 new + 4 unchanged - 0 fixed = 5 total (was 4) {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 19s{color} | {color:green} hadoop-project in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 65m 35s{color} | {color:green} hadoop-yarn-server-resourcemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 24s{color} | {color:green} hadoop-client-minicluster in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 21s{color} |
[jira] [Commented] (YARN-7724) yarn application status should support application name
[ https://issues.apache.org/jira/browse/YARN-7724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323215#comment-16323215 ] genericqa commented on YARN-7724: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 31s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:red}-1{color} | {color:red} test4tests {color} | {color:red} 0m 0s{color} | {color:red} The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 34s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 9m 58s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 55s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 5s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 11s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 19s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 10s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 55s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 9m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 9m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 57s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 9m 50s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 32s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 40s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 25m 24s{color} | {color:green} hadoop-yarn-client in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 55s{color} | {color:green} hadoop-yarn-services-core in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 25s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 94m 50s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7724 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905752/YARN-7724.03.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux b1d09a256a29 4.4.0-89-generic #112-Ubuntu SMP Mon Jul 31 19:38:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | Test Results |
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323213#comment-16323213 ] Eric Yang commented on YARN-7516: - [~ebadger] We can go with remove --prilvileged, and allow the container to run like you recommended. We won't be able to run systemd or supervisor from untrusted source for now. This is better than open up too much. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Assigned] (YARN-7667) Docker Stop grace period should be configurable
[ https://issues.apache.org/jira/browse/YARN-7667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Badger reassigned YARN-7667: - Assignee: Eric Badger > Docker Stop grace period should be configurable > --- > > Key: YARN-7667 > URL: https://issues.apache.org/jira/browse/YARN-7667 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn >Reporter: Eric Badger >Assignee: Eric Badger > > {{DockerStopCommand}} has a {{setGracePeriod}} method, but it is never > called. So, the stop uses the 10 second default grace period from docker -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323175#comment-16323175 ] Eric Yang commented on YARN-7516: - This is quite concerning. I also verified that {{privileged}} flag and {{cap-drop}} are not additive in docker. Does this mean that we start with --privileged=false --cap-add=SYS_ADMIN for systemd type of image. SYS_ADMIN is still quite liberal. Is there a more fine grind approach that we allow systemd and supervisor to run without getting root power to the host? > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7705) Create the container log directory with correct sticky bit in C code
[ https://issues.apache.org/jira/browse/YARN-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323170#comment-16323170 ] genericqa commented on YARN-7705: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 10s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 21s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 50s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 20s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 43s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 49s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 24s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 31s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} cc {color} | {color:red} 0m 47s{color} | {color:red} hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager generated 2 new + 0 unchanged - 0 fixed = 2 total (was 0) {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 17s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager: The patch generated 18 new + 33 unchanged - 16 fixed = 51 total (was 49) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 31s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 11s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 56s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 20s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 16m 33s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 19s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 62m 38s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7705 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905755/YARN-7705.004.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc | | uname | Linux bd835d573ee9 3.13.0-135-generic #184-Ubuntu SMP Wed Oct 18 11:55:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | cc | https://builds.apache.org/job/PreCommit-YARN-Build/19207/artifact/out/diff-compile-cc-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager.txt | | checkstyle |
[jira] [Commented] (YARN-7655) avoid AM preemption caused by RRs for specific nodes or racks
[ https://issues.apache.org/jira/browse/YARN-7655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323164#comment-16323164 ] Yufei Gu commented on YARN-7655: Thanks [~Steven Rand] for filing this. It makes sense to me to lose some locality to avoid massive AM container preemption. The likelihood of preemption AM containers to get locality should be fairly low, but it is obviously high in your cluster ("double-digit occurrences"). Could you provide any insight for that? What are the cluster size and available resources for each node? > avoid AM preemption caused by RRs for specific nodes or racks > - > > Key: YARN-7655 > URL: https://issues.apache.org/jira/browse/YARN-7655 > Project: Hadoop YARN > Issue Type: Improvement > Components: fairscheduler >Affects Versions: 3.0.0 >Reporter: Steven Rand >Assignee: Steven Rand > Attachments: YARN-7655-001.patch > > > We frequently see AM preemptions when > {{starvedApp.getStarvedResourceRequests()}} in > {{FSPreemptionThread#identifyContainersToPreempt}} includes one or more RRs > that request containers on a specific node. Since this causes us to only > consider one node to preempt containers on, the really good work that was > done in YARN-5830 doesn't save us from AM preemption. Even though there might > be multiple nodes on which we could preempt enough non-AM containers to > satisfy the app's starvation, we often wind up preempting one or more AM > containers on the single node that we're considering. > A proposed solution is that if we're going to preempt one or more AM > containers for an RR that specifies a node or rack, then we should instead > expand the search space to consider all nodes. That way we take advantage of > YARN-5830, and only preempt AMs if there's no alternative. I've attached a > patch with an initial implementation of this. We've been running it on a few > clusters, and have seen AM preemptions drop from double-digit occurrences on > many days to zero. > Of course, the tradeoff is some loss of locality, since the starved app is > less likely to be allocated resources at the most specific locality level > that it asked for. My opinion is that this tradeoff is worth it, but > interested to hear what others think as well. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Attachment: YARN-7738.001.patch Attached ver.1 patch and verified it works on a cluster with GPU enabled. Will add test cases in the next update. > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Blocker > Fix For: 3.1.0, 3.0.1 > > Attachments: YARN-7738.001.patch > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323140#comment-16323140 ] Eric Badger commented on YARN-7516: --- {noformat} -bash-4.2$ sudo docker run -it --rm --privileged --cap-drop='ALL' image_name /bin/bash WARNING: IPv4 forwarding is disabled. Networking will not work. [root@8484525a958b /]# mkdir /tmp/foobar [root@8484525a958b /]# ls /tmp/foobar/ [root@8484525a958b /]# mount /dev/sdf2 /tmp/foobar/ [root@8484525a958b /]# ls /tmp/foobar/ hadoop lost+found tmp {noformat} [~eyang], here is an example > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7064) Use cgroup to get container resource utilization
[ https://issues.apache.org/jira/browse/YARN-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323135#comment-16323135 ] Haibo Chen commented on YARN-7064: -- Thanks [~miklos.szeg...@cloudera.com] for the update! A few more comments on the new patch: 1) cgroupsLogged and cgroupsErrorLogged in ContainersMonitorImpl are no longer used, thus can be removed. 2) CombinedResourceCalculator.initialize() should probably just call `cgroup.initialize() and procfs.initialize()` for easy maintenance. Can we call cgroup.getProcessTreeDump() in CombinedResourceCalculator.getProcessTreeDump() instead of returning null? 3) In CgroupsResourceCalculator, how about we give more information in initialize() when CGroupsResourceCalculator is not available to tells user what is required, like `CGroupsResourceCalculator is only available on Linux when cgroup memory and cpu is turned on`? In updateProcessTree() and getMemorySize(), I think not catching the YarnException would be more appropriate. The exception, if not caught in updateProcessTree() and getMemorySize(), will be eventually caught and logged in COntainersMonitorImpl which makes the error message easier to understand. Swallowing the exception in updateProcessTree() and getMemorySize() will lead old (for cpu usage) or wrong (for memory) number to be reported to ContainersMonitor, which is harder to debug. I will try the patch in a cluster in the meantime. > Use cgroup to get container resource utilization > > > Key: YARN-7064 > URL: https://issues.apache.org/jira/browse/YARN-7064 > Project: Hadoop YARN > Issue Type: Improvement >Reporter: Miklos Szegedi >Assignee: Miklos Szegedi > Attachments: YARN-7064.000.patch, YARN-7064.001.patch, > YARN-7064.002.patch, YARN-7064.003.patch, YARN-7064.004.patch, > YARN-7064.005.patch, YARN-7064.007.patch, YARN-7064.008.patch, > YARN-7064.009.patch, YARN-7064.010.patch > > > This is an addendum to YARN-6668. What happens is that that jira always wants > to rebase patches against YARN-1011 instead of trunk. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323121#comment-16323121 ] Eric Badger commented on YARN-7516: --- {noformat:title=host} -bash-4.2$ ls /dev | column -c 160 autofs md3 sdc1tty10 tty4ttyS2 block md4 sdc2tty11 tty40 ttyS3 bsg mem sdd tty12 tty41 uhid btrfs-control mqueue sdd1tty13 tty42 uinput bus net sdd2tty14 tty43 urandom charnetwork_latency sde tty15 tty44 usbmon0 console network_throughput sde1tty16 tty45 usbmon1 corenullsde2tty17 tty46 usbmon2 cpu nvram sdf tty18 tty47 usbmon3 cpu_dma_latency oldmem sdf1tty19 tty48 usbmon4 crash portsdf2tty2 tty49 vcs diskppp sdg tty20 tty5vcs1 dri ptmxsdg1tty21 tty50 vcs2 fb0 ptp0sdh tty22 tty51 vcs3 fd pts sdh1tty23 tty52 vcs4 fullrandom sg0 tty24 tty53 vcs5 fuseraw sg1 tty25 tty54 vcs6 hpetrtc sg2 tty26 tty55 vcsa hugepages rtc0sg3 tty27 tty56 vcsa1 hwrng sda sg4 tty28 tty57 vcsa2 initctl sda1sg5 tty29 tty58 vcsa3 input sda2sg6 tty3 tty59 vcsa4 ipmi0 sda3sg7 tty30 tty6vcsa5 kmsgsda4shm tty31 tty60 vcsa6 kvm sda5snapshottty32 tty61 vfio log sdb snd tty33 tty62 vga_arbiter loop-controlsdb1stderr tty34 tty63 vhci mapper sdb2stdin tty35 tty7vhost-net mcelog sdb3stdout tty36 tty8zero md0 sdb4tty tty37 tty9 md1 sdb5tty0tty38 ttyS0 md2 sdc tty1tty39 ttyS1 {noformat} bq. Are you able to run mount command to attach your host disk partition to the container image? Yes, I am able to mount disks on the host inside of the container and access their contents > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > >
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323102#comment-16323102 ] Eric Yang commented on YARN-7516: - The output looks weird showing all disk devices from host when I assumed that they wouldn't be shown. How is the output comparing to host devices? Are you able to run mount command to attach your host disk partition to the container image? > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7468) Provide means for container network policy control
[ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323093#comment-16323093 ] Wangda Tan commented on YARN-7468: -- Patch looks good, +1, thanks [~xgong]. Will commit tomorrow if no objections. > Provide means for container network policy control > -- > > Key: YARN-7468 > URL: https://issues.apache.org/jira/browse/YARN-7468 > Project: Hadoop YARN > Issue Type: Task > Components: nodemanager >Reporter: Clay B. >Assignee: Xuan Gong > Attachments: YARN-7468.trunk.1.patch, YARN-7468.trunk.1.patch, > YARN-7468.trunk.2.patch, YARN-7468.trunk.2.patch, YARN-7468.trunk.3.patch, > YARN-7468.trunk.4.patch, YARN-7468.trunk.5.patch, [YARN-7468] [Design] > Provide means for container network policy control.pdf > > > To prevent data exfiltration from a YARN cluster, it would be very helpful to > have "firewall" rules able to map to a user/queue's containers. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Summary: CapacityScheduler: Support refresh maximum allocation for multiple resource types (was: DShell requesting gpu resources fails to run) > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Critical > > Run an DShell app requesting for 1 GPU on the node which has 2 GPUs, the > application finishes with FAILED state -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Fix Version/s: 3.0.1 3.1.0 > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Blocker > Fix For: 3.1.0, 3.0.1 > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Created] (YARN-7738) DShell requesting gpu resources fails to run
Sumana Sathish created YARN-7738: Summary: DShell requesting gpu resources fails to run Key: YARN-7738 URL: https://issues.apache.org/jira/browse/YARN-7738 Project: Hadoop YARN Issue Type: Bug Reporter: Sumana Sathish Assignee: Tan, Wangda Priority: Critical Run an DShell app requesting for 1 GPU on the node which has 2 GPUs, the application finishes with FAILED state -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323061#comment-16323061 ] Wangda Tan commented on YARN-7738: -- cc: [~dan...@cloudera.com], I'm not sure if FS supports refresh maximum allocation while RM is running, if yes, FS needs this fix as well. > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Blocker > Fix For: 3.1.0, 3.0.1 > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323059#comment-16323059 ] Wangda Tan commented on YARN-7738: -- Thanks [~ssath...@hortonworks.com] for reporting this issue, updated title/desc and will put a patch soon. > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Critical > Fix For: 3.1.0, 3.0.1 > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Priority: Blocker (was: Critical) > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Blocker > Fix For: 3.1.0, 3.0.1 > > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7738) CapacityScheduler: Support refresh maximum allocation for multiple resource types
[ https://issues.apache.org/jira/browse/YARN-7738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wangda Tan updated YARN-7738: - Description: Currently CapacityScheduler fails to refresh maximum allocation for multiple resource types. (was: Run an DShell app requesting for 1 GPU on the node which has 2 GPUs, the application finishes with FAILED state ) > CapacityScheduler: Support refresh maximum allocation for multiple resource > types > - > > Key: YARN-7738 > URL: https://issues.apache.org/jira/browse/YARN-7738 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Sumana Sathish >Assignee: Tan, Wangda >Priority: Critical > > Currently CapacityScheduler fails to refresh maximum allocation for multiple > resource types. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7705) Create the container log directory with correct sticky bit in C code
[ https://issues.apache.org/jira/browse/YARN-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Yufei Gu updated YARN-7705: --- Attachment: YARN-7705.004.patch Patch v4 added checking introduced in YARN-7590, and fixed the unit test failure. > Create the container log directory with correct sticky bit in C code > > > Key: YARN-7705 > URL: https://issues.apache.org/jira/browse/YARN-7705 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager >Affects Versions: 3.0.0, 3.1.0 >Reporter: Yufei Gu >Assignee: Yufei Gu > Attachments: YARN-7705.001.patch, YARN-7705.002.patch, > YARN-7705.003.patch, YARN-7705.004.patch > > > YARN-7363 created the container log directory in Java, which isn't able to > set the correct sticky bit because of Java language limitation. Wrong sticky > bit of log directory causes failure of reading log files inside the > directory. To solve that, we need to do it in C code. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323037#comment-16323037 ] Eric Badger commented on YARN-7516: --- {noformat:title=Both privileges and capabilities} -bash-4.2$ sudo docker run --privileged image_name ls /dev | column -c 160 WARNING: IPv4 forwarding is disabled. Networking will not work. autofs network_throughput sde1tty15 tty43 uinput bsg nullsde2tty16 tty44 urandom btrfs-control nvram sdf tty17 tty45 usbmon0 bus oldmem sdf1tty18 tty46 usbmon1 coreportsdf2tty19 tty47 usbmon2 cpu ppp sdg tty2 tty48 usbmon3 cpu_dma_latency ptmxsdg1tty20 tty49 usbmon4 crash ptp0sdh tty21 tty5vcs dri pts sdh1tty22 tty50 vcs1 fb0 random sg0 tty23 tty51 vcs2 fd raw sg1 tty24 tty52 vcs3 fullrtc0sg2 tty25 tty53 vcs4 fusesda sg3 tty26 tty54 vcs5 hpetsda1sg4 tty27 tty55 vcs6 hwrng sda2sg5 tty28 tty56 vcsa input sda3sg6 tty29 tty57 vcsa1 ipmi0 sda4sg7 tty3 tty58 vcsa2 kmsgsda5shm tty30 tty59 vcsa3 kvm sdb snapshottty31 tty6vcsa4 loop-controlsdb1snd tty32 tty60 vcsa5 mapper sdb2stderr tty33 tty61 vcsa6 mcelog sdb3stdin tty34 tty62 vfio md0 sdb4stdout tty35 tty63 vga_arbiter md1 sdb5tty tty36 tty7vhci md2 sdc tty0tty37 tty8vhost-net md3 sdc1tty1tty38 tty9zero md4 sdc2tty10 tty39 ttyS0 mem sdd tty11 tty4 ttyS1 mqueue sdd1tty12 tty40 ttyS2 net sdd2tty13 tty41 ttyS3 network_latency sde tty14 tty42 uhid {noformat} {noformat:title=Just privileges, no capabilities} -bash-4.2$ sudo docker run --rm --privileged --cap-drop='ALL' image_name ls /dev | column -c 160 WARNING: IPv4 forwarding is disabled. Networking will not work. autofs network_throughput sde1tty15 tty43 uinput bsg nullsde2tty16 tty44 urandom btrfs-control nvram sdf tty17 tty45 usbmon0 bus oldmem sdf1tty18 tty46 usbmon1 core
[jira] [Commented] (YARN-7724) yarn application status should support application name
[ https://issues.apache.org/jira/browse/YARN-7724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323033#comment-16323033 ] Gour Saha commented on YARN-7724: - patch 03 looks good. > yarn application status should support application name > --- > > Key: YARN-7724 > URL: https://issues.apache.org/jira/browse/YARN-7724 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn-native-services >Reporter: Yesha Vora >Assignee: Jian He > Attachments: YARN-7724.01.patch, YARN-7724.02.patch, > YARN-7724.03.patch > > > Yarn Service application are tied with app name. Thus, yarn application > -status should be able to take yarn service name as argument such as > yarn application -status -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7724) yarn application status should support application name
[ https://issues.apache.org/jira/browse/YARN-7724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323030#comment-16323030 ] Jian He commented on YARN-7724: --- patch 03 improved the error msg is app name is not found in RM > yarn application status should support application name > --- > > Key: YARN-7724 > URL: https://issues.apache.org/jira/browse/YARN-7724 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn-native-services >Reporter: Yesha Vora >Assignee: Jian He > Attachments: YARN-7724.01.patch, YARN-7724.02.patch, > YARN-7724.03.patch > > > Yarn Service application are tied with app name. Thus, yarn application > -status should be able to take yarn service name as argument such as > yarn application -status -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7724) yarn application status should support application name
[ https://issues.apache.org/jira/browse/YARN-7724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jian He updated YARN-7724: -- Attachment: YARN-7724.03.patch > yarn application status should support application name > --- > > Key: YARN-7724 > URL: https://issues.apache.org/jira/browse/YARN-7724 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn-native-services >Reporter: Yesha Vora >Assignee: Jian He > Attachments: YARN-7724.01.patch, YARN-7724.02.patch, > YARN-7724.03.patch > > > Yarn Service application are tied with app name. Thus, yarn application > -status should be able to take yarn service name as argument such as > yarn application -status -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-5366) Improve handling of the Docker container life cycle
[ https://issues.apache.org/jira/browse/YARN-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323002#comment-16323002 ] Shane Kumpf commented on YARN-5366: --- Thanks for the review [~eyang]! {quote} Would it be possible to change the environment variable construction for docker run command to use -e k=v instructions? {quote} I do see the benefit in reducing or eliminating the need for the launch container script, but I'd like to address that as a follow on, perhaps as part of YARN-7654 if that would be ok. I'm hesitant to make this patch even larger since it doesn't make changes to launching, only recovery and clean up. {quote} I did not find retry/sleep mechanism to repeat the signal as suggested in 5) {quote} That is correct. I briefly mentioned it above. The patch is a bit large as is, so I'd like to address those in a follow up. I'll clean up the description, title, and open follow up tasks now if we are good with the current scope. > Improve handling of the Docker container life cycle > --- > > Key: YARN-5366 > URL: https://issues.apache.org/jira/browse/YARN-5366 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn >Reporter: Shane Kumpf >Assignee: Shane Kumpf > Labels: oct16-medium > Attachments: YARN-5366.001.patch, YARN-5366.002.patch, > YARN-5366.003.patch, YARN-5366.004.patch, YARN-5366.005.patch, > YARN-5366.006.patch, YARN-5366.007.patch, YARN-5366.008.patch, > YARN-5366.009.patch, YARN-5366.010.patch > > > There are several paths that need to be improved with regard to the Docker > container lifecycle when running Docker containers on YARN. > 1) Provide the ability to keep a container on the NodeManager for a set > period of time for debugging purposes. > 2) Support sending signals to the process in the container to allow for > triggering stack traces, heap dumps, etc. > 3) Support for Docker's live restore, which means moving away from the use of > {{docker wait}}. (YARN-5818) > 4) Improve the resiliency of liveliness checks (kill -0) by adding retries. > 5) Improve the resiliency of container removal by adding retries. > 6) Only attempt to stop, kill, and remove containers if the current container > state allows for it. > 7) Better handling of short lived containers when the container is stopped > before the PID can be retrieved. (YARN-6305) -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7717) Add configuration consistency for module.enabled and docker.privileged-containers.enabled
[ https://issues.apache.org/jira/browse/YARN-7717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Badger updated YARN-7717: -- Attachment: YARN-7717.004.patch bq. Should not we check for false as well and not fall back to a number in that case? Yea, it's probably cleaner that way. I think it works right now because of how {{strtol}} interprets "false", but this makes it clear. Uploading a new patch with this fix > Add configuration consistency for module.enabled and > docker.privileged-containers.enabled > - > > Key: YARN-7717 > URL: https://issues.apache.org/jira/browse/YARN-7717 > Project: Hadoop YARN > Issue Type: Bug >Affects Versions: 3.0.0 >Reporter: Yesha Vora >Assignee: Eric Badger > Attachments: YARN-7717.001.patch, YARN-7717.002.patch, > YARN-7717.003.patch, YARN-7717.004.patch > > > container-executor.cfg has two properties related to dockerization. > 1) module.enabled = true/false > 2) docker.privileged-containers.enabled = 1/0 > Here, both property takes different value to enable / disable feature. Module > enabled take true/false string while docker.privileged-containers.enabled > takes 1/0 integer value. > This properties behavior should be consistent. Both properties should have > true or false string as value to enable or disable feature/ -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322956#comment-16322956 ] Eric Yang edited comment on YARN-7516 at 1/11/18 9:18 PM: -- [~ebadger] In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc test case, we have example around line 935. This shows the syntax that we used to accomplish this. Quote from [Docker documentation|https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities]: {quote} In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop. By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped. {quote} I'd participated in testing for those flags several years ago, hence I am confident they work as designed. {{--cap-drop}} flag can be used to accompany {{--privileged}} flag for fine grain control. was (Author: eyang): [~ebadger] In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc test case, we have example around line 935. This shows the syntax that we used to accomplish this. Quote from [Docker documentation|https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities]: {quote} In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop. By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped. {quote} I'd participated in testing for those flags several years ago, hence I am confident they work as designed. {cap-drop} flag can be used to accompany {{--privileged}} flag for fine grain control. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322956#comment-16322956 ] Eric Yang commented on YARN-7516: - [~ebadger] In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/utils/test_docker_util.cc test case, we have example around line 935. This shows the syntax that we used to accomplish this. Quote from [Docker documentation|https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities]: {quote} In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop. By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped. {quote} I'd participated in testing for those flags several years ago, hence I am confident they work as designed. {cap-drop} flag can be used to accompany {{--privileged}} flag for fine grain control. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Assigned] (YARN-7729) Add support for setting the PID namespace mode
[ https://issues.apache.org/jira/browse/YARN-7729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Billie Rinaldi reassigned YARN-7729: Assignee: Billie Rinaldi > Add support for setting the PID namespace mode > -- > > Key: YARN-7729 > URL: https://issues.apache.org/jira/browse/YARN-7729 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager >Reporter: Shane Kumpf >Assignee: Billie Rinaldi > > Docker has support for allowing containers to share the PID namespace with > the host or other containers via the {{docker run --pid}} flag. > There are a number of use cases where this is desirable: > * Monitoring tools running in containers that need access to the host level > PIDs. > * Debug containers that can attach to another container to run strace, gdb, > etc. > * Testing Docker on YARN in a container, where the docker socket is bind > mounted. > Enabling this feature should be considered privileged as it exposes host > details inside the container. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7468) Provide means for container network policy control
[ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322925#comment-16322925 ] genericqa commented on YARN-7468: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 21s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 3 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 10s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 10s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 7m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 51s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 5s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 34s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 5s{color} | {color:red} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api in trunk has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 8s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 57s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 28s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 28s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 49s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn: The patch generated 3 new + 221 unchanged - 0 fixed = 224 total (was 221) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 0s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 9m 13s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 6s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 35s{color} | {color:green} hadoop-yarn-api in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 17m 31s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 28s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 77m 50s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7468 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905727/YARN-7468.trunk.5.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux a21adc54d2c0 4.4.0-89-generic #112-Ubuntu SMP Mon Jul 31 19:38:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 |
[jira] [Updated] (YARN-7451) Resources Types should be visible in the Cluster Apps API "resourceRequests" section
[ https://issues.apache.org/jira/browse/YARN-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Szilard Nemeth updated YARN-7451: - Attachment: YARN-7451.005.patch added custom MessageWriter resource file to maven rat plugin exceptions > Resources Types should be visible in the Cluster Apps API "resourceRequests" > section > > > Key: YARN-7451 > URL: https://issues.apache.org/jira/browse/YARN-7451 > Project: Hadoop YARN > Issue Type: Bug > Components: resourcemanager, restapi >Affects Versions: 3.0.0 >Reporter: Grant Sohn >Assignee: Szilard Nemeth > Attachments: YARN-7451.001.patch, YARN-7451.002.patch, > YARN-7451.003.patch, YARN-7451.004.patch, YARN-7451.005.patch, > YARN-7451__Expose_custom_resource_types_on_RM_scheduler_API_as_flattened_map01_02.patch > > > When running jobs that request resource types the RM Cluster Apps API should > include this in the "resourceRequests" object. > Additionally, when calling the RM scheduler API it returns: > {noformat} > "childQueues": { > "queue": [ > { > "allocatedContainers": 101, > "amMaxResources": { > "memory": 320390, > "vCores": 192 > }, > "amUsedResources": { > "memory": 1024, > "vCores": 1 > }, > "clusterResources": { > "memory": 640779, > "vCores": 384 > }, > "demandResources": { > "memory": 103424, > "vCores": 101 > }, > "fairResources": { > "memory": 640779, > "vCores": 384 > }, > "maxApps": 2147483647, > "maxResources": { > "memory": 640779, > "vCores": 384 > }, > "minResources": { > "memory": 0, > "vCores": 0 > }, > "numActiveApps": 1, > "numPendingApps": 0, > "preemptable": true, > "queueName": "root.users.systest", > "reservedContainers": 0, > "reservedResources": { > "memory": 0, > "vCores": 0 > }, > "schedulingPolicy": "fair", > "steadyFairResources": { > "memory": 320390, > "vCores": 192 > }, > "type": "fairSchedulerLeafQueueInfo", > "usedResources": { > "memory": 103424, > "vCores": 101 > } > } > ] > {noformat} > However, the web UI shows resource types usage. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7731) RegistryDNS should handle upstream DNS returning CNAME
[ https://issues.apache.org/jira/browse/YARN-7731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322900#comment-16322900 ] Billie Rinaldi commented on YARN-7731: -- Thanks for the patch, [~eyang]! I tried patch 002 and this fixes the issue I was seeing with CNAME records. One question, do we need to guard against an infinite loop in the case where a lookup for the CNAME alias returns another CNAME record, and the aliases form a loop? > RegistryDNS should handle upstream DNS returning CNAME > -- > > Key: YARN-7731 > URL: https://issues.apache.org/jira/browse/YARN-7731 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Billie Rinaldi >Assignee: Eric Yang > Attachments: YARN-7731.001.patch, YARN-7731.002.patch > > > When RegistryDNS performs a lookup in an upstream DNS server and a CNAME > record is retrieved, it returns a response with only the CNAME record (there > is no A record, meaning no IP address is resolved). RegistryDNS should > perform a lookup on the new name from the CNAME record in an attempt to find > an A record, which would provide an IP address. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322899#comment-16322899 ] Eric Badger commented on YARN-7516: --- Hey [~eyang], thanks for the update. bq. --privileged --cap-drop='ALL' will not have disk devices other than container root file system are hidden unless explicitly specified. Can you show me where this is specified in Docker? I can't replicate this. I may be doing something wrong, but I don't see it in the Docker documentation either. bq. Here are the output of /dev for comparison: This may be true, but running with and without {{--privileged}} also shows quite a difference. Running without privileged gives you access to basically no devices, while running with {{--privileged}} gives you access to basically every device. bq. The goal is have ability to try multi-process containers which uses systemd or supervisor to start without endangering host system. I understand, but the side effect is opening up containers from untrusted registries that can potentially do nefarious things. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322876#comment-16322876 ] Eric Yang edited comment on YARN-7516 at 1/11/18 8:15 PM: -- [~ebadger] {{--privileged --cap-drop='ALL'}} will not have disk devices other than container root file system are hidden unless explicitly specified. Since we removed the device specification from docker run command. It will essentially create enough read only device for systemd or supervisor like program to run without harming the host OS. Here are the output of /dev for comparison: Host: {code} autofs crash hpet loop-controlnvram rtc0 tty1 tty18 tty26 tty34 tty42 tty50 tty59 ttyS0vcsvga_arbiter blockdisk hugepages mapper oldmem shm tty10 tty19 tty27 tty35 tty43 tty51 tty6 ttyS1vcs1 vhost-net btrfs-controldm-0 initctlmcelog portsnapshot tty11 tty2 tty28 tty36 tty44 tty52 tty60 ttyS2vcs6 virtio-ports bus dm-2 input mem ppp snd tty12 tty20 tty29 tty37 tty45 tty53 tty61 ttyS3vcsa vport1p1 char drikmsg mqueue ptmxstderrtty13 tty21 tty3 tty38 tty46 tty54 tty62 uhid vcsa1 zero console fb0kvmnet pts stdin tty14 tty22 tty30 tty39 tty47 tty55 tty63 uinput vcsa6 core fd lognetwork_latency random stdouttty15 tty23 tty31 tty4 tty48 tty56 tty7 urandom vda cpu full loop0 network_throughput raw tty tty16 tty24 tty32 tty40 tty49 tty57 tty8 usbmon0 vda1 cpu_dma_latency fuse loop1 nullrtc tty0 tty17 tty25 tty33 tty41 tty5 tty58 tty9 usbmon1 vfio {code} {{--privileged}} {code} autofs dm-0 hpet mcelog oldmem shm tty1 tty17 tty24 tty31 tty39 tty46 tty53 tty60 ttyS1vcsvfio btrfs-controldm-1 input mem portsnapshot tty10 tty18 tty25 tty32 tty4 tty47 tty54 tty61 ttyS2vcs1 vga_arbiter bus dm-2 kmsg mqueue ppp snd tty11 tty19 tty26 tty33 tty40 tty48 tty55 tty62 ttyS3vcs6 vhost-net console dri kvm net ptmxstderr tty12 tty2 tty27 tty34 tty41 tty49 tty56 tty63 uhid vcsa vport1p1 core fb0 loop-control network_latency pts stdin tty13 tty20 tty28 tty35 tty42 tty5 tty57 tty7 uinput vcsa1 zero cpu fdloop0 network_throughput random stdout tty14 tty21 tty29 tty36 tty43 tty50 tty58 tty8 urandom vcsa6 cpu_dma_latency full loop1 nullraw tty tty15 tty22 tty3 tty37 tty44 tty51 tty59 tty9 usbmon0 vda crashfuse mappernvram rtc0tty0 tty16 tty23 tty30 tty38 tty45 tty52 tty6 ttyS0 usbmon1 vda1 {code} {{--privileged --cap-drop='ALL'}} {code} autofs dm-0 input mem portsnapshot tty10 tty18 tty25 tty32 tty4 tty47 tty54 tty61 ttyS2vcs1 vga_arbiter btrfs-controldm-1 kmsg mqueue ppp snd tty11 tty19 tty26 tty33 tty40 tty48 tty55 tty62 ttyS3vcs6 vhost-net bus dri kvm net ptmxstderr tty12 tty2 tty27 tty34 tty41 tty49 tty56 tty63 uhid vcsa vport1p1 console fb0 loop-control network_latency pts stdin tty13 tty20 tty28 tty35 tty42 tty5 tty57 tty7 uinput vcsa1 zero core fdloop0 network_throughput random stdout tty14 tty21 tty29 tty36 tty43 tty50 tty58 tty8 urandom vcsa6 cpu full loop1 nullraw tty tty15 tty22 tty3 tty37 tty44 tty51 tty59 tty9 usbmon0 vda cpu_dma_latency fuse mappernvram rtc0tty0 tty16 tty23 tty30 tty38 tty45 tty52 tty6 ttyS0 usbmon1 vda1 crashhpet mcelogoldmem shm tty1 tty17 tty24 tty31 tty39 tty46 tty53 tty60 ttyS1 vcs vfio {code} Notice that I have a dm-2 disk device, but it is not showing with all capabilities are dropped. The goal is have ability to try multi-process containers which uses systemd or supervisor to start without endangering host system. was (Author: eyang): [~ebadger] {{--privileged --cap-drop='ALL'}} will not have /dev/shm, and disk devices other than container root file system are hidden unless explicitly specified. Since we removed the device specification from docker run command. It will
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322876#comment-16322876 ] Eric Yang commented on YARN-7516: - [~ebadger] {{--privileged --cap-drop='ALL'}} will not have /dev/shm, and disk devices other than container root file system are hidden unless explicitly specified. Since we removed the device specification from docker run command. It will essentially create enough read only device for systemd or supervisor like program to run without harming the host OS. Here are the output of /dev for comparison: Host: {code} autofs crash hpet loop-controlnvram rtc0 tty1 tty18 tty26 tty34 tty42 tty50 tty59 ttyS0vcsvga_arbiter blockdisk hugepages mapper oldmem shm tty10 tty19 tty27 tty35 tty43 tty51 tty6 ttyS1vcs1 vhost-net btrfs-controldm-0 initctlmcelog portsnapshot tty11 tty2 tty28 tty36 tty44 tty52 tty60 ttyS2vcs6 virtio-ports bus dm-2 input mem ppp snd tty12 tty20 tty29 tty37 tty45 tty53 tty61 ttyS3vcsa vport1p1 char drikmsg mqueue ptmxstderrtty13 tty21 tty3 tty38 tty46 tty54 tty62 uhid vcsa1 zero console fb0kvmnet pts stdin tty14 tty22 tty30 tty39 tty47 tty55 tty63 uinput vcsa6 core fd lognetwork_latency random stdouttty15 tty23 tty31 tty4 tty48 tty56 tty7 urandom vda cpu full loop0 network_throughput raw tty tty16 tty24 tty32 tty40 tty49 tty57 tty8 usbmon0 vda1 cpu_dma_latency fuse loop1 nullrtc tty0 tty17 tty25 tty33 tty41 tty5 tty58 tty9 usbmon1 vfio {code} {{--privileged}} {code} autofs dm-0 hpet mcelog oldmem shm tty1 tty17 tty24 tty31 tty39 tty46 tty53 tty60 ttyS1vcsvfio btrfs-controldm-1 input mem portsnapshot tty10 tty18 tty25 tty32 tty4 tty47 tty54 tty61 ttyS2vcs1 vga_arbiter bus dm-2 kmsg mqueue ppp snd tty11 tty19 tty26 tty33 tty40 tty48 tty55 tty62 ttyS3vcs6 vhost-net console dri kvm net ptmxstderr tty12 tty2 tty27 tty34 tty41 tty49 tty56 tty63 uhid vcsa vport1p1 core fb0 loop-control network_latency pts stdin tty13 tty20 tty28 tty35 tty42 tty5 tty57 tty7 uinput vcsa1 zero cpu fdloop0 network_throughput random stdout tty14 tty21 tty29 tty36 tty43 tty50 tty58 tty8 urandom vcsa6 cpu_dma_latency full loop1 nullraw tty tty15 tty22 tty3 tty37 tty44 tty51 tty59 tty9 usbmon0 vda crashfuse mappernvram rtc0tty0 tty16 tty23 tty30 tty38 tty45 tty52 tty6 ttyS0 usbmon1 vda1 {code} {{--privileged --cap-drop='ALL'}} {code} autofs dm-0 input mem portsnapshot tty10 tty18 tty25 tty32 tty4 tty47 tty54 tty61 ttyS2vcs1 vga_arbiter btrfs-controldm-1 kmsg mqueue ppp snd tty11 tty19 tty26 tty33 tty40 tty48 tty55 tty62 ttyS3vcs6 vhost-net bus dri kvm net ptmxstderr tty12 tty2 tty27 tty34 tty41 tty49 tty56 tty63 uhid vcsa vport1p1 console fb0 loop-control network_latency pts stdin tty13 tty20 tty28 tty35 tty42 tty5 tty57 tty7 uinput vcsa1 zero core fdloop0 network_throughput random stdout tty14 tty21 tty29 tty36 tty43 tty50 tty58 tty8 urandom vcsa6 cpu full loop1 nullraw tty tty15 tty22 tty3 tty37 tty44 tty51 tty59 tty9 usbmon0 vda cpu_dma_latency fuse mappernvram rtc0tty0 tty16 tty23 tty30 tty38 tty45 tty52 tty6 ttyS0 usbmon1 vda1 crashhpet mcelogoldmem shm tty1 tty17 tty24 tty31 tty39 tty46 tty53 tty60 ttyS1 vcs vfio {code} Notice that I have a dm-2 disk device, but it is not showing with all capabilities are dropped. The goal is have ability to try multi-process containers which uses systemd or supervisor to start without endangering host system. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >
[jira] [Commented] (YARN-7731) RegistryDNS should handle upstream DNS returning CNAME
[ https://issues.apache.org/jira/browse/YARN-7731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322851#comment-16322851 ] genericqa commented on YARN-7731: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 16m 54s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 5s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 20s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 15s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 24s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 24s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 32s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 18s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 11s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 22s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s{color} | {color:red} The patch has 1 line(s) that end in whitespace. Use git apply --whitespace=fix <>. Refer https://git-scm.com/docs/git-apply {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 28s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m 36s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 18s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 51s{color} | {color:green} hadoop-yarn-registry in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 20s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 61m 13s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7731 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905724/YARN-7731.002.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux f03b21769d0f 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bc285da | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | findbugs | v3.1.0-RC1 | | whitespace | https://builds.apache.org/job/PreCommit-YARN-Build/19200/artifact/out/whitespace-eol.txt | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19200/testReport/ | | Max. process+thread count | 334 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19200/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT
[jira] [Created] (YARN-7737) prelaunch.err file not found exception on container failure
Jonathan Hung created YARN-7737: --- Summary: prelaunch.err file not found exception on container failure Key: YARN-7737 URL: https://issues.apache.org/jira/browse/YARN-7737 Project: Hadoop YARN Issue Type: Bug Reporter: Jonathan Hung Assignee: Jonathan Hung Hit this exception when a container failed:{noformat}2018-01-11 19:04:08,036 ERROR org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch: Failed to get tail of the container's prelaunch error log file java.io.FileNotFoundException: File /grid/b/tmp/userlogs/application_1515190594800_1766/container_e39_1515190594800_1766_01_02/prelaunch.err does not exist at org.apache.hadoop.fs.RawLocalFileSystem.deprecatedGetFileStatus(RawLocalFileSystem.java:641) at org.apache.hadoop.fs.RawLocalFileSystem.getFileLinkStatusInternal(RawLocalFileSystem.java:930) at org.apache.hadoop.fs.RawLocalFileSystem.getFileStatus(RawLocalFileSystem.java:631) at org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch.handleContainerExitWithFailure(ContainerLaunch.java:545) at org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch.handleContainerExitCode(ContainerLaunch.java:511) at org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch.call(ContainerLaunch.java:319) at org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch.call(ContainerLaunch.java:93) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745){noformat} containerLogDir is picked on container launch via {{LocalDirAllocator#getLocalPathForWrite}}, which is where it looks for {{prelaunch.err}} when the container fails. But prelaunch.err (and prelaunch.out) are created in the first log dir (in {{ContainerLaunch#call}}: {noformat}exec.writeLaunchEnv(containerScriptOutStream, environment, localResources, launchContext.getCommands(), new Path(containerLogDirs.get(0)), user);{noformat} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7159) Normalize unit of resource objects in RM and avoid to do unit conversion in critical path
[ https://issues.apache.org/jira/browse/YARN-7159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322809#comment-16322809 ] genericqa commented on YARN-7159: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 27s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 8 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 5s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 22s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 11m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 2s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 59s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 12m 9s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 19s{color} | {color:red} hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api in trunk has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 39s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 10s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 51s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 8m 51s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 54s{color} | {color:orange} hadoop-yarn-project/hadoop-yarn: The patch generated 1 new + 111 unchanged - 0 fixed = 112 total (was 111) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 4s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 9m 46s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 50s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 24s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 37s{color} | {color:green} hadoop-yarn-api in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 5s{color} | {color:green} hadoop-yarn-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 64m 26s{color} | {color:green} hadoop-yarn-server-resourcemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 35s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}146m 53s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7159 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905710/YARN-7159.021.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle xml | | uname | Linux 5e72ad9fceb8 4.4.0-89-generic
[jira] [Updated] (YARN-3660) [GPG] Federation Global Policy Generator (load balancing)
[ https://issues.apache.org/jira/browse/YARN-3660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Botong Huang updated YARN-3660: --- Attachment: YARN-3660-YARN-7402.v1.patch > [GPG] Federation Global Policy Generator (load balancing) > - > > Key: YARN-3660 > URL: https://issues.apache.org/jira/browse/YARN-3660 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager, resourcemanager >Reporter: Carlo Curino >Assignee: Botong Huang > Labels: federation, gpg > Attachments: YARN-3660-YARN-7402.v1.patch > > > In a federated environment, local impairments of one sub-cluster might > unfairly affect users/queues that are mapped to that sub-cluster. A > centralized component (GPG) runs out-of-band and edits the policies governing > how users/queues are allocated to sub-clusters. This allows us to enforce > global invariants (by dynamically updating locally-enforced invariants). -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7468) Provide means for container network policy control
[ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322796#comment-16322796 ] Xuan Gong commented on YARN-7468: - [~leftnoteasy] Updated. Thanks > Provide means for container network policy control > -- > > Key: YARN-7468 > URL: https://issues.apache.org/jira/browse/YARN-7468 > Project: Hadoop YARN > Issue Type: Task > Components: nodemanager >Reporter: Clay B. >Assignee: Xuan Gong > Attachments: YARN-7468.trunk.1.patch, YARN-7468.trunk.1.patch, > YARN-7468.trunk.2.patch, YARN-7468.trunk.2.patch, YARN-7468.trunk.3.patch, > YARN-7468.trunk.4.patch, YARN-7468.trunk.5.patch, [YARN-7468] [Design] > Provide means for container network policy control.pdf > > > To prevent data exfiltration from a YARN cluster, it would be very helpful to > have "firewall" rules able to map to a user/queue's containers. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7468) Provide means for container network policy control
[ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xuan Gong updated YARN-7468: Attachment: YARN-7468.trunk.5.patch > Provide means for container network policy control > -- > > Key: YARN-7468 > URL: https://issues.apache.org/jira/browse/YARN-7468 > Project: Hadoop YARN > Issue Type: Task > Components: nodemanager >Reporter: Clay B. >Assignee: Xuan Gong > Attachments: YARN-7468.trunk.1.patch, YARN-7468.trunk.1.patch, > YARN-7468.trunk.2.patch, YARN-7468.trunk.2.patch, YARN-7468.trunk.3.patch, > YARN-7468.trunk.4.patch, YARN-7468.trunk.5.patch, [YARN-7468] [Design] > Provide means for container network policy control.pdf > > > To prevent data exfiltration from a YARN cluster, it would be very helpful to > have "firewall" rules able to map to a user/queue's containers. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322785#comment-16322785 ] Eric Badger commented on YARN-7516: --- bq. The untrusted image will appear as privileged but all kernel privileges dropped and disconnected all devices to outside world. Therefore, it isn't really privileged, only appear as root in the docker container without real root privileges to outside world. I don't believe it disconnects all devices. According to the Docker documentation, running as privileged automatically gives it access to *all* devices. Removing --device in the case of a privileged container (as is done in this patch) is moot, since the point of --device is to give containers access to devices that they would normally only be able to access if they were privileged. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities bq. If you are suggesting to disallow --privileged flag for untrusted image completely, then it will limit our ability to try out new images before verifying the untrusted image can be promoted to privileged registry. Does this help to explain the reason that we don't check registry is privileged in set_privileged flag? I still don't quite understand why you require a container to be privileged to try new images. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7717) Add configuration consistency for module.enabled and docker.privileged-containers.enabled
[ https://issues.apache.org/jira/browse/YARN-7717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322781#comment-16322781 ] genericqa commented on YARN-7717: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 19m 50s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 16s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 7m 36s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 57s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 36m 18s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 15s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} cc {color} | {color:green} 6m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 9m 14s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Other Tests {color} || | {color:red}-1{color} | {color:red} unit {color} | {color:red}104m 5s{color} | {color:red} hadoop-yarn in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 17m 38s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 21s{color} | {color:green} hadoop-yarn-site in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 33s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}203m 25s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.TestContainerManagerSecurity | | | hadoop.yarn.server.TestDiskFailures | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7717 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905695/YARN-7717.003.patch | | Optional Tests | asflicense compile cc mvnsite javac unit | | uname | Linux 56a5af897899 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 2e0a451 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | unit | https://builds.apache.org/job/PreCommit-YARN-Build/19196/artifact/out/patch-unit-hadoop-yarn-project_hadoop-yarn.txt | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19196/testReport/ | | Max. process+thread count | 895 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site U: hadoop-yarn-project/hadoop-yarn | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19196/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT
[jira] [Commented] (YARN-7451) Resources Types should be visible in the Cluster Apps API "resourceRequests" section
[ https://issues.apache.org/jira/browse/YARN-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322779#comment-16322779 ] genericqa commented on YARN-7451: - | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 19s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 33 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 49s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 15m 51s{color} | {color:green} trunk passed {color} | | {color:red}-1{color} | {color:red} compile {color} | {color:red} 7m 43s{color} | {color:red} root in trunk failed. {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 44s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 27s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 12m 29s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-client-modules/hadoop-client-minicluster hadoop-client-modules/hadoop-client-check-test-invariants {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 1s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 12s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 22s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 11m 50s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} javac {color} | {color:red} 11m 50s{color} | {color:red} root generated 181 new + 1059 unchanged - 0 fixed = 1240 total (was 1059) {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 1m 55s{color} | {color:orange} root: The patch generated 154 new + 166 unchanged - 12 fixed = 320 total (was 178) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 57s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 5s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 29s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Skipped patched modules with no Java source: hadoop-project hadoop-client-modules/hadoop-client-minicluster hadoop-client-modules/hadoop-client-check-test-invariants {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 8s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} javadoc {color} | {color:red} 0m 31s{color} | {color:red} hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager generated 1 new + 4 unchanged - 0 fixed = 5 total (was 4) {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 22s{color} | {color:green} hadoop-project in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 65m 17s{color} | {color:green} hadoop-yarn-server-resourcemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 23s{color} | {color:green} hadoop-client-minicluster in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322776#comment-16322776 ] Miklos Szegedi commented on YARN-7590: -- Thank you for the contribution [~eyang]! I am still working on the branch-2 backport. It is already committed to trunk & branch-3.0. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7605) Implement doAs for Api Service REST API
[ https://issues.apache.org/jira/browse/YARN-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322767#comment-16322767 ] Eric Yang commented on YARN-7605: - [~billie.rinaldi] Thank you for the input. I will revert the code to load spec from HDFS. > Implement doAs for Api Service REST API > --- > > Key: YARN-7605 > URL: https://issues.apache.org/jira/browse/YARN-7605 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Fix For: yarn-native-services > > Attachments: YARN-7605.001.patch, YARN-7605.004.patch, > YARN-7605.005.patch, YARN-7605.006.patch, YARN-7605.007.patch, > YARN-7605.008.patch, YARN-7605.009.patch, YARN-7605.010.patch, > YARN-7605.011.patch, YARN-7605.012.patch, YARN-7605.013.patch, > YARN-7605.014.patch, YARN-7605.015.patch > > > In YARN-7540, all client entry points for API service is centralized to use > REST API instead of having direct file system and resource manager rpc calls. > This change helped to centralize yarn metadata to be owned by yarn user > instead of crawling through every user's home directory to find metadata. > The next step is to make sure "doAs" calls work properly for API Service. > The metadata is stored by YARN user, but the actual workload still need to be > performed as end users, hence API service must authenticate end user kerberos > credential, and perform doAs call when requesting containers via > ServiceClient. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7717) Add configuration consistency for module.enabled and docker.privileged-containers.enabled
[ https://issues.apache.org/jira/browse/YARN-7717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322758#comment-16322758 ] Miklos Szegedi commented on YARN-7717: -- Thank you, [~ebadger] for the updated patch. {code} 442 if (strcasecmp(enabled_str, "true") == 0) { 443 enabled = 1; 444 } else { {code} Should not we check for false as well and not fall back to a number in that case? > Add configuration consistency for module.enabled and > docker.privileged-containers.enabled > - > > Key: YARN-7717 > URL: https://issues.apache.org/jira/browse/YARN-7717 > Project: Hadoop YARN > Issue Type: Bug >Affects Versions: 3.0.0 >Reporter: Yesha Vora >Assignee: Eric Badger > Attachments: YARN-7717.001.patch, YARN-7717.002.patch, > YARN-7717.003.patch > > > container-executor.cfg has two properties related to dockerization. > 1) module.enabled = true/false > 2) docker.privileged-containers.enabled = 1/0 > Here, both property takes different value to enable / disable feature. Module > enabled take true/false string while docker.privileged-containers.enabled > takes 1/0 integer value. > This properties behavior should be consistent. Both properties should have > true or false string as value to enable or disable feature/ -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322755#comment-16322755 ] Eric Yang commented on YARN-7590: - [~miklos.szeg...@cloudera.com] Thank you for the review and commit. :) > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7605) Implement doAs for Api Service REST API
[ https://issues.apache.org/jira/browse/YARN-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322749#comment-16322749 ] Billie Rinaldi commented on YARN-7605: -- bq. Back to the comment about getStatus structure, do you still want the returned value of stopped service to be partial information, or similar to running application? bq. If hdfs unstable can cause RM unstable, that sort of cluster downtime issue sounds more critical to me than this partial information. Because this endpoint can be very frequently called while app is accepted (client likes to poll every second or so to wait for app is running), that essentially means RM will hit HDFS for every app getStatus call before it gets running. Unless a concrete use case is asked for a complete information while app is accepted or completed, I prefer adding this later with a proper caching implementation built. Just my opinion, Gour Saha , Billie Rinaldi ? I've also seen the rest endpoint hit frequently to determine when the app has gone from accepted to running. I feel like the problem here is that the status call is returning a combined spec + status object. We've discussed moving towards status returning just a status object (I see this including service and component states and container information) and having a separate call that would retrieve the spec. This seems like it would solve both issues because the HDFS (or whatever storage) retrieval could be made for the spec retrieval only. I guess I would rather move towards removing unneeded information from the AM status retrieval, rather than adding unneeded information into the nonexistent-AM status retrieval. > Implement doAs for Api Service REST API > --- > > Key: YARN-7605 > URL: https://issues.apache.org/jira/browse/YARN-7605 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Fix For: yarn-native-services > > Attachments: YARN-7605.001.patch, YARN-7605.004.patch, > YARN-7605.005.patch, YARN-7605.006.patch, YARN-7605.007.patch, > YARN-7605.008.patch, YARN-7605.009.patch, YARN-7605.010.patch, > YARN-7605.011.patch, YARN-7605.012.patch, YARN-7605.013.patch, > YARN-7605.014.patch, YARN-7605.015.patch > > > In YARN-7540, all client entry points for API service is centralized to use > REST API instead of having direct file system and resource manager rpc calls. > This change helped to centralize yarn metadata to be owned by yarn user > instead of crawling through every user's home directory to find metadata. > The next step is to make sure "doAs" calls work properly for API Service. > The metadata is stored by YARN user, but the actual workload still need to be > performed as end users, hence API service must authenticate end user kerberos > credential, and perform doAs call when requesting containers via > ServiceClient. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7731) RegistryDNS should handle upstream DNS returning CNAME
[ https://issues.apache.org/jira/browse/YARN-7731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Yang updated YARN-7731: Attachment: YARN-7731.002.patch - Fixed test case accuracy to verify existence of A record instead of depending on reply length. > RegistryDNS should handle upstream DNS returning CNAME > -- > > Key: YARN-7731 > URL: https://issues.apache.org/jira/browse/YARN-7731 > Project: Hadoop YARN > Issue Type: Bug >Reporter: Billie Rinaldi >Assignee: Eric Yang > Attachments: YARN-7731.001.patch, YARN-7731.002.patch > > > When RegistryDNS performs a lookup in an upstream DNS server and a CNAME > record is retrieved, it returns a response with only the CNAME record (there > is no A record, meaning no IP address is resolved). RegistryDNS should > perform a lookup on the new name from the CNAME record in an attempt to find > an A record, which would provide an IP address. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322726#comment-16322726 ] Hudson commented on YARN-7590: -- SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13482 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/13482/]) YARN-7590. Improve container-executor validation check. Contributed by (szegedim: rev bc285da107bb84a3c60c5224369d7398a41db2d8) * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7728) Expose and expand container preemptions in Capacity Scheduler queue metrics
[ https://issues.apache.org/jira/browse/YARN-7728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Payne updated YARN-7728: - Attachment: YARN-7728.001.patch > Expose and expand container preemptions in Capacity Scheduler queue metrics > --- > > Key: YARN-7728 > URL: https://issues.apache.org/jira/browse/YARN-7728 > Project: Hadoop YARN > Issue Type: Improvement >Affects Versions: 2.9.0, 2.8.3, 3.0.0 >Reporter: Eric Payne >Assignee: Eric Payne > Attachments: YARN-7728.001.patch > > > YARN-1047 exposed queue metrics for the number of preempted containers to the > fair scheduler. I would like to also expose these to the capacity scheduler > and add metrics for the amount of lost memory seconds and vcore seconds. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322705#comment-16322705 ] Miklos Szegedi commented on YARN-7590: -- +1. I will commit this shortly. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322693#comment-16322693 ] Eric Yang edited comment on YARN-7516 at 1/11/18 6:22 PM: -- [~ebadger] Thanks for the review. The untrusted image will appear as privileged but all kernel privileges dropped and disconnected all devices to outside world. Therefore, it isn't really privileged, only appear as root in the docker container without real root privileges to outside world. This helps to run as a sandbox for simulation test. The generated docker command looks like: {code} docker run --privileged --cap-drop='ALL' ... centos:latest bash {code} If you are suggesting to disallow --privileged flag for untrusted image completely, then it will limit our ability to try out new images before verifying the untrusted image can be promoted to privileged registry. Does this help to explain the reason that we don't check registry is privileged in set_privileged flag? was (Author: eyang): [~ebadger] Thanks for the review. The untrusted image will appear as privileged but all kernel privileges dropped. Therefore, it isn't really privileged, only appear as root in the docker container without real root privileges to outside world. This helps to run as a sandbox for simulation test. The generated docker command looks like: {code} docker run --privileged --cap-drop='ALL' ... centos:latest bash {code} If you are suggesting to disallow --privileged flag for untrusted image completely, then it will limit our ability to try out new images before verifying the untrusted image can be promoted to privileged registry. Does this help to explain the reason that we don't check registry is privileged in set_privileged flag? > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322693#comment-16322693 ] Eric Yang commented on YARN-7516: - [~ebadger] Thanks for the review. The untrusted image will appear as privileged but all kernel privileges dropped. Therefore, it isn't really privileged, only appear as root in the docker container without real root privileges to outside world. This helps to run as a sandbox for simulation test. The generated docker command looks like: {code} docker run --privileged --cap-drop='ALL' ... centos:latest bash {code} If you are suggesting to disallow --privileged flag for untrusted image completely, then it will limit our ability to try out new images before verifying the untrusted image can be promoted to privileged registry. Does this help to explain the reason that we don't check registry is privileged in set_privileged flag? > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322681#comment-16322681 ] genericqa commented on YARN-7590: - | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 16m 33s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 49s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 33s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 27m 48s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 31s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} cc {color} | {color:green} 0m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 28s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 17s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 17m 22s{color} | {color:green} hadoop-yarn-server-nodemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 20s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 59m 12s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:5b98639 | | JIRA Issue | YARN-7590 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12905712/YARN-7590.010.patch | | Optional Tests | asflicense compile cc mvnsite javac unit | | uname | Linux 595f4bd2b69f 3.13.0-135-generic #184-Ubuntu SMP Wed Oct 18 11:55:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 2e0a451 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_151 | | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/19199/testReport/ | | Max. process+thread count | 339 (vs. ulimit of 5000) | | modules | C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager | | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/19199/console | | Powered by | Apache Yetus 0.7.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is >
[jira] [Commented] (YARN-7516) Security check for untrusted docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322627#comment-16322627 ] Eric Badger commented on YARN-7516: --- {noformat} +The default behavior is disallow any privileged docker containers. When `docker.privileged-containers.enabled` is set to enabled, docker image can run with root privileges in the docker container, but access to host level devices are disabled. This allows developer and tester to run docker images from internet without causing harm to host operating system. + +When docker images have been certified by developers and testers to be trustworthy. The trusted image can be promoted to trusted docker registry. System administrator can define `docker.privileged-containers.registries`, and setup private docker registry server to promote trusted images. {noformat} So after this patch, if docker.privileged-containers.enabled is set to true, an image downloaded from a registry that isn't in docker.privileged-containers.registries could still run as privileged? This doesn't seem correct to me, if I'm reading this right. I think we should add a check to {{set_privileged}} to make sure that the registry is privileged. > Security check for untrusted docker image > - > > Key: YARN-7516 > URL: https://issues.apache.org/jira/browse/YARN-7516 > Project: Hadoop YARN > Issue Type: Sub-task >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7516.001.patch, YARN-7516.002.patch, > YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, > YARN-7516.006.patch, YARN-7516.007.patch > > > Hadoop YARN Services can support using private docker registry image or > docker image from docker hub. In current implementation, Hadoop security is > enforced through username and group membership, and enforce uid:gid > consistency in docker container and distributed file system. There is cloud > use case for having ability to run untrusted docker image on the same cluster > for testing. > The basic requirement for untrusted container is to ensure all kernel and > root privileges are dropped, and there is no interaction with distributed > file system to avoid contamination. We can probably enforce detection of > untrusted docker image by checking the following: > # If docker image is from public docker hub repository, the container is > automatically flagged as insecure, and disk volume mount are disabled > automatically, and drop all kernel capabilities. > # If docker image is from private repository in docker hub, and there is a > white list to allow the private repository, disk volume mount is allowed, > kernel capabilities follows the allowed list. > # If docker image is from private trusted registry with image name like > "private.registry.local:5000/centos", and white list allows this private > trusted repository. Disk volume mount is allowed, kernel capabilities > follows the allowed list. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7159) Normalize unit of resource objects in RM and avoid to do unit conversion in critical path
[ https://issues.apache.org/jira/browse/YARN-7159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322572#comment-16322572 ] Manikandan R edited comment on YARN-7159 at 1/11/18 5:19 PM: - [~sunilg] Fixed those 2 junit failures. Though {{TestFairSchedulerConfiguration}} changes has fixed the junit issue, requires you to check in detail because of following flow: {code} assertEquals(customResourceInformation(2L, ""), - calculator.normalize(customResource(10001L, ""), min, max, increment) + calculator.normalize(customResource(1L, ""), min, max, increment) .getResourceInformation(A_CUSTOM_RESOURCE)); {code} In the above junit test case, {{increment}} has been derived from {{FairSchedulerConfiguration#getIncrementAllocation}} which returns 10k as o/p. {code} conf.set(YarnConfiguration.RESOURCE_TYPES + ".a-custom-resource" + FairSchedulerConfiguration.INCREMENT_ALLOCATION, "10");{code}. Here, value has been configured as 10 with "" units, but {{ResourceUtils#createResourceTypesArray}} triggered from {{FairSchedulerConfiguration#getIncrementAllocation}} returns array of RI's containing A_CUSTOM_RESOURCE with value as 10k, as it simply copies the object and modifies only the value. Is this correct behaviour? Based on our earlier discussion, conversion should happen if there is units difference and source unit is higher than the unit at RM/server side. Because of this, old code in {{DominantResourceCalculator#normalize}} was working properly for the above junit test case {{customResource(10001L, "")}} was (Author: maniraj...@gmail.com): [~sunilg] Fixed those 2 junit failures. Though {{TestFairSchedulerConfiguration}} changes has fixed the junit issue, requires you to check in detail because of following flow: {code} assertEquals(customResourceInformation(2L, ""), - calculator.normalize(customResource(10001L, ""), min, max, increment) + calculator.normalize(customResource(1L, ""), min, max, increment) .getResourceInformation(A_CUSTOM_RESOURCE)); {code} In the above junit test case, {{increment}} has been derived from {{FairSchedulerConfiguration#getIncrementAllocation}} which returns 10k as o/p. {code} conf.set(YarnConfiguration.RESOURCE_TYPES + ".a-custom-resource" + FairSchedulerConfiguration.INCREMENT_ALLOCATION, "10");{code}. Here, value has been configured as 10 with "" units, but {{ResourceUtils#createResourceTypesArray}} triggered from {{FairSchedulerConfiguration#getIncrementAllocation}} returns array of RI's containing A_CUSTOM_RESOURCE with value as 10k, as it simply copies the object and modifies only the value. Is this correct behaviour? Based on our earlier discussion, conversion should happen if there is units difference and source unit is higher than the unit at RM/server side. Because of this, old code in {{DominantResourceCalculator#normalize}} was working properly for the above junit test case. > Normalize unit of resource objects in RM and avoid to do unit conversion in > critical path > - > > Key: YARN-7159 > URL: https://issues.apache.org/jira/browse/YARN-7159 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager, resourcemanager >Reporter: Wangda Tan >Assignee: Manikandan R >Priority: Critical > Attachments: YARN-7159.001.patch, YARN-7159.002.patch, > YARN-7159.003.patch, YARN-7159.004.patch, YARN-7159.005.patch, > YARN-7159.006.patch, YARN-7159.007.patch, YARN-7159.008.patch, > YARN-7159.009.patch, YARN-7159.010.patch, YARN-7159.011.patch, > YARN-7159.012.patch, YARN-7159.013.patch, YARN-7159.015.patch, > YARN-7159.016.patch, YARN-7159.017.patch, YARN-7159.018.patch, > YARN-7159.019.patch, YARN-7159.020.patch, YARN-7159.021.patch > > > Currently resource conversion could happen in critical code path when > different unit is specified by client. This could impact performance and > throughput of RM a lot. We should do unit normalization when resource passed > to RM and avoid expensive unit conversion every time. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7159) Normalize unit of resource objects in RM and avoid to do unit conversion in critical path
[ https://issues.apache.org/jira/browse/YARN-7159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322572#comment-16322572 ] Manikandan R edited comment on YARN-7159 at 1/11/18 5:18 PM: - [~sunilg] Fixed those 2 junit failures. Though {{TestFairSchedulerConfiguration}} changes has fixed the junit issue, requires you to check in detail because of following flow: {code} assertEquals(customResourceInformation(2L, ""), - calculator.normalize(customResource(10001L, ""), min, max, increment) + calculator.normalize(customResource(1L, ""), min, max, increment) .getResourceInformation(A_CUSTOM_RESOURCE)); {code} In the above junit test case, {{increment}} has been derived from {{FairSchedulerConfiguration#getIncrementAllocation}} which returns 10k as o/p. {code} conf.set(YarnConfiguration.RESOURCE_TYPES + ".a-custom-resource" + FairSchedulerConfiguration.INCREMENT_ALLOCATION, "10");{code}. Here, value has been configured as 10 with "" units, but {{ResourceUtils#createResourceTypesArray}} triggered from {{FairSchedulerConfiguration#getIncrementAllocation}} returns array of RI's containing A_CUSTOM_RESOURCE with value as 10k, as it simply copies the object and modifies only the value. Is this correct behaviour? Based on our earlier discussion, conversion should happen if there is units difference and source unit is higher than the unit at RM/server side. Because of this, old code in {{DominantResourceCalculator#normalize}} was working properly for the above junit test case. was (Author: maniraj...@gmail.com): [~sunilg] Fixed those 2 junit failures. Though {{TestFairSchedulerConfiguration}} changes has fixed the junit issue, requires you to check in detail because of following flow: {code} assertEquals(customResourceInformation(2L, ""), - calculator.normalize(customResource(10001L, ""), min, max, increment) + calculator.normalize(customResource(1L, ""), min, max, increment) .getResourceInformation(A_CUSTOM_RESOURCE)); {code} In the above junit test case, {{increment}} has been derived from {{FairSchedulerConfiguration#getIncrementAllocation}} which returns 10k as o/p. {code} conf.set(YarnConfiguration.RESOURCE_TYPES + ".a-custom-resource" + FairSchedulerConfiguration.INCREMENT_ALLOCATION, "10");{code}. Here, value has been configured as 10 with "" units, but {{ResourceUtils#createResourceTypesArray}} triggered from {{FairSchedulerConfiguration#getIncrementAllocation}} returns array of RI's containing A_CUSTOM_RESOURCE with value as 10k, as it simply copies the object and modifies only the value. Is this correct behaviour? Based on our earlier discussion, conversion should happen if there is units difference and source unit is higher than the unit at RM/server side. Because of this, old code DominantResourceCalculator#normalize was working properly for the above junit test case. > Normalize unit of resource objects in RM and avoid to do unit conversion in > critical path > - > > Key: YARN-7159 > URL: https://issues.apache.org/jira/browse/YARN-7159 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager, resourcemanager >Reporter: Wangda Tan >Assignee: Manikandan R >Priority: Critical > Attachments: YARN-7159.001.patch, YARN-7159.002.patch, > YARN-7159.003.patch, YARN-7159.004.patch, YARN-7159.005.patch, > YARN-7159.006.patch, YARN-7159.007.patch, YARN-7159.008.patch, > YARN-7159.009.patch, YARN-7159.010.patch, YARN-7159.011.patch, > YARN-7159.012.patch, YARN-7159.013.patch, YARN-7159.015.patch, > YARN-7159.016.patch, YARN-7159.017.patch, YARN-7159.018.patch, > YARN-7159.019.patch, YARN-7159.020.patch, YARN-7159.021.patch > > > Currently resource conversion could happen in critical code path when > different unit is specified by client. This could impact performance and > throughput of RM a lot. We should do unit normalization when resource passed > to RM and avoid expensive unit conversion every time. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7159) Normalize unit of resource objects in RM and avoid to do unit conversion in critical path
[ https://issues.apache.org/jira/browse/YARN-7159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322572#comment-16322572 ] Manikandan R commented on YARN-7159: [~sunilg] Fixed those 2 junit failures. Though {{TestFairSchedulerConfiguration}} changes has fixed the junit issue, requires you to check in detail because of following flow: {code} assertEquals(customResourceInformation(2L, ""), - calculator.normalize(customResource(10001L, ""), min, max, increment) + calculator.normalize(customResource(1L, ""), min, max, increment) .getResourceInformation(A_CUSTOM_RESOURCE)); {code} In the above junit test case, {{increment}} has been derived from {{FairSchedulerConfiguration#getIncrementAllocation}} which returns 10k as o/p. {code} conf.set(YarnConfiguration.RESOURCE_TYPES + ".a-custom-resource" + FairSchedulerConfiguration.INCREMENT_ALLOCATION, "10");{code}. Here, value has been configured as 10 with "" units, but {{ResourceUtils#createResourceTypesArray}} triggered from {{FairSchedulerConfiguration#getIncrementAllocation}} returns array of RI's containing A_CUSTOM_RESOURCE with value as 10k, as it simply copies the object and modifies only the value. Is this correct behaviour? Based on our earlier discussion, conversion should happen if there is units difference and source unit is higher than the unit at RM/server side. Because of this, old code DominantResourceCalculator#normalize was working properly for the above junit test case. > Normalize unit of resource objects in RM and avoid to do unit conversion in > critical path > - > > Key: YARN-7159 > URL: https://issues.apache.org/jira/browse/YARN-7159 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager, resourcemanager >Reporter: Wangda Tan >Assignee: Manikandan R >Priority: Critical > Attachments: YARN-7159.001.patch, YARN-7159.002.patch, > YARN-7159.003.patch, YARN-7159.004.patch, YARN-7159.005.patch, > YARN-7159.006.patch, YARN-7159.007.patch, YARN-7159.008.patch, > YARN-7159.009.patch, YARN-7159.010.patch, YARN-7159.011.patch, > YARN-7159.012.patch, YARN-7159.013.patch, YARN-7159.015.patch, > YARN-7159.016.patch, YARN-7159.017.patch, YARN-7159.018.patch, > YARN-7159.019.patch, YARN-7159.020.patch, YARN-7159.021.patch > > > Currently resource conversion could happen in critical code path when > different unit is specified by client. This could impact performance and > throughput of RM a lot. We should do unit normalization when resource passed > to RM and avoid expensive unit conversion every time. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322559#comment-16322559 ] Eric Yang edited comment on YARN-7590 at 1/11/18 5:04 PM: -- Fixed {{strerror(errno)}} problem in case, we decided to unblock YARN-7705 instead. was (Author: eyang): Fixed {{strerror(errno)}} problem in case, we decided to unblock YARN-7705 and make changes in YARN-7705. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Yang updated YARN-7590: Attachment: YARN-7590.010.patch Fixed {{strerror(errno)}} problem in case, we decided to unblock YARN-7705 and make changes in YARN-7705. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7159) Normalize unit of resource objects in RM and avoid to do unit conversion in critical path
[ https://issues.apache.org/jira/browse/YARN-7159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Manikandan R updated YARN-7159: --- Attachment: YARN-7159.021.patch > Normalize unit of resource objects in RM and avoid to do unit conversion in > critical path > - > > Key: YARN-7159 > URL: https://issues.apache.org/jira/browse/YARN-7159 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager, resourcemanager >Reporter: Wangda Tan >Assignee: Manikandan R >Priority: Critical > Attachments: YARN-7159.001.patch, YARN-7159.002.patch, > YARN-7159.003.patch, YARN-7159.004.patch, YARN-7159.005.patch, > YARN-7159.006.patch, YARN-7159.007.patch, YARN-7159.008.patch, > YARN-7159.009.patch, YARN-7159.010.patch, YARN-7159.011.patch, > YARN-7159.012.patch, YARN-7159.013.patch, YARN-7159.015.patch, > YARN-7159.016.patch, YARN-7159.017.patch, YARN-7159.018.patch, > YARN-7159.019.patch, YARN-7159.020.patch, YARN-7159.021.patch > > > Currently resource conversion could happen in critical code path when > different unit is specified by client. This could impact performance and > throughput of RM a lot. We should do unit normalization when resource passed > to RM and avoid expensive unit conversion every time. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7590) Improve container-executor validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16322538#comment-16322538 ] Eric Yang commented on YARN-7590: - [~miklos.szeg...@cloudera.com] Sure, I can wait for YARN-7705 and do the update. Thanks for the heads up. > Improve container-executor validation check > --- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn >Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 >Reporter: Eric Yang >Assignee: Eric Yang > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7451) Resources Types should be visible in the Cluster Apps API "resourceRequests" section
[ https://issues.apache.org/jira/browse/YARN-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Szilard Nemeth updated YARN-7451: - Attachment: YARN-7451.004.patch Fix license and findbugs issues > Resources Types should be visible in the Cluster Apps API "resourceRequests" > section > > > Key: YARN-7451 > URL: https://issues.apache.org/jira/browse/YARN-7451 > Project: Hadoop YARN > Issue Type: Bug > Components: resourcemanager, restapi >Affects Versions: 3.0.0 >Reporter: Grant Sohn >Assignee: Szilard Nemeth > Attachments: YARN-7451.001.patch, YARN-7451.002.patch, > YARN-7451.003.patch, YARN-7451.004.patch, > YARN-7451__Expose_custom_resource_types_on_RM_scheduler_API_as_flattened_map01_02.patch > > > When running jobs that request resource types the RM Cluster Apps API should > include this in the "resourceRequests" object. > Additionally, when calling the RM scheduler API it returns: > {noformat} > "childQueues": { > "queue": [ > { > "allocatedContainers": 101, > "amMaxResources": { > "memory": 320390, > "vCores": 192 > }, > "amUsedResources": { > "memory": 1024, > "vCores": 1 > }, > "clusterResources": { > "memory": 640779, > "vCores": 384 > }, > "demandResources": { > "memory": 103424, > "vCores": 101 > }, > "fairResources": { > "memory": 640779, > "vCores": 384 > }, > "maxApps": 2147483647, > "maxResources": { > "memory": 640779, > "vCores": 384 > }, > "minResources": { > "memory": 0, > "vCores": 0 > }, > "numActiveApps": 1, > "numPendingApps": 0, > "preemptable": true, > "queueName": "root.users.systest", > "reservedContainers": 0, > "reservedResources": { > "memory": 0, > "vCores": 0 > }, > "schedulingPolicy": "fair", > "steadyFairResources": { > "memory": 320390, > "vCores": 192 > }, > "type": "fairSchedulerLeafQueueInfo", > "usedResources": { > "memory": 103424, > "vCores": 101 > } > } > ] > {noformat} > However, the web UI shows resource types usage. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-7717) Add configuration consistency for module.enabled and docker.privileged-containers.enabled
[ https://issues.apache.org/jira/browse/YARN-7717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Badger updated YARN-7717: -- Attachment: YARN-7717.003.patch bq. The default for tc should still be false. Wow, that's a pretty bad mistake. Thanks for the catch bq. There is and indentation issue on the last line. Fixed. I'm pretty confused on indentation rules in C code for hadoop. It appears that the code doesn't follow the same rules as Java hadoop code. In container-executor.c, a bunch of if statements have the following lines indented 4 spaces, while it's only 2 in docker-util.c. Looks like the culprit might just be inconsistency in container-executor.c not always following the same rules as Java hadoop code. > Add configuration consistency for module.enabled and > docker.privileged-containers.enabled > - > > Key: YARN-7717 > URL: https://issues.apache.org/jira/browse/YARN-7717 > Project: Hadoop YARN > Issue Type: Bug >Affects Versions: 3.0.0 >Reporter: Yesha Vora >Assignee: Eric Badger > Attachments: YARN-7717.001.patch, YARN-7717.002.patch, > YARN-7717.003.patch > > > container-executor.cfg has two properties related to dockerization. > 1) module.enabled = true/false > 2) docker.privileged-containers.enabled = 1/0 > Here, both property takes different value to enable / disable feature. Module > enabled take true/false string while docker.privileged-containers.enabled > takes 1/0 integer value. > This properties behavior should be consistent. Both properties should have > true or false string as value to enable or disable feature/ -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-7736) Fix itemization in YARN federation document
[ https://issues.apache.org/jira/browse/YARN-7736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16321860#comment-16321860 ] Akira Ajisaka commented on YARN-7736: - {noformat} *Role of AMRMProxy* 1. Protect the sub-cluster YARN RMs from misbehaving AMs. The AMRMProxy can prevent DDOS attacks by throttling/killing AMs that are asking too many resources. 2. Mask the multiple YARN RMs in the cluster, and can transparently allow the AM to span across sub-clusters. All container allocations are done by the YARN RM framework that consists of the AMRMProxy fronting the home and other sub-cluster RMs. 3. Intercepts all the requests, thus it can enforce application quotas, which would not be enforceable by sub-cluster RM (as each only see a fraction of the AM requests). 4. The AMRMProxy can enforce load-balancing / overflow policies. {noformat} Blank line should be inserted as well. > Fix itemization in YARN federation document > --- > > Key: YARN-7736 > URL: https://issues.apache.org/jira/browse/YARN-7736 > Project: Hadoop YARN > Issue Type: Bug > Components: documentation >Reporter: Akira Ajisaka >Priority: Minor > Labels: newbie > > https://hadoop.apache.org/docs/r3.0.0/hadoop-yarn/hadoop-yarn-site/Federation.html > {noformat} > Assumptions: > * We assume reasonably good connectivity across sub-clusters (e.g., we are > not looking to federate across DC yet, though future investigations of this > are not excluded). > * We rely on HDFS federation (or equivalently scalable DFS solutions) to take > care of scalability of the store side. > {noformat} > Blank line should be inserted before itemization to render correctly. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Created] (YARN-7736) Fix itemization in YARN federation document
Akira Ajisaka created YARN-7736: --- Summary: Fix itemization in YARN federation document Key: YARN-7736 URL: https://issues.apache.org/jira/browse/YARN-7736 Project: Hadoop YARN Issue Type: Bug Components: documentation Reporter: Akira Ajisaka Priority: Minor https://hadoop.apache.org/docs/r3.0.0/hadoop-yarn/hadoop-yarn-site/Federation.html {noformat} Assumptions: * We assume reasonably good connectivity across sub-clusters (e.g., we are not looking to federate across DC yet, though future investigations of this are not excluded). * We rely on HDFS federation (or equivalently scalable DFS solutions) to take care of scalability of the store side. {noformat} Blank line should be inserted before itemization to render correctly. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org