Hi all,

Please tell me if this is the wrong place to ask!

I'm trying to understand the isolation properties of LinuxContainerExecutor in
YARN. I've looked through the documentation and traced through the code
down to the C helper tool and as far as I've been able to determine, it's
only applying cgroups to the subprocess. Is that right? I was trying to figure
out if it's also unsharing any namespaces (filesystem, pid, network, etc.)
from the parent process or otherwise isolating itself in other ways.

If I'm correct and it doesn't do namespaces, does that mean I should use
the DockerContainerExecutor instead to get namespace isolation? That one
has a big scary security warning saying that using it might allow privilege
escalation so I'm hesitant.

I've also been trying to understand during a normal Hadoop/YARN (or e.g.,
Spark) execution, whether any parts of the application run outside of the
container. Is there a good place to read up on the container architecture
in general?

Thanks,
Dan Peebles
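The question above asks whether the launched container process shares its namespaces with the parent and only gets cgroup limits. One direct way to check this on a running node is to compare the namespace inode links under /proc/<pid>/ns for the container process and its parent, and to read the cgroup membership of the container process. The script below is an added example for this thread, not code from Hadoop or from the original poster; the function names (ns_diff_count, ns_report, cgroup_of, parent_pid) are my own, and it assumes a Linux host with /proc mounted and permission to read the target process's /proc entries.

```shell
#!/bin/sh
# Added example (not from the Hadoop project): check whether a process shares
# its Linux namespaces with another process, and show its cgroup membership.
# A container that only has cgroup limits applied shows identical ns links to
# its parent but its own cgroup paths; a namespaced container shows different
# ns inode numbers for the unshared namespace types.

# ns_link PID TYPE -> prints e.g. "pid:[4026531836]"; empty if unreadable/missing
ns_link() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# parent_pid PID -> prints the parent pid from /proc/PID/stat.
# The comm field is parenthesised and may contain spaces, so strip up to ") ".
parent_pid() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}'
}

# ns_diff_count PID_A PID_B -> prints how many namespace types differ (0 = all shared)
ns_diff_count() {
    count=0
    for ns in mnt pid net ipc uts user cgroup; do
        a=$(ns_link "$1" "$ns")
        b=$(ns_link "$2" "$ns")
        [ "$a" != "$b" ] && count=$((count + 1))
    done
    echo "$count"
}

# cgroup_of PID -> prints /proc/PID/cgroup (v2: "0::/path"; v1: one line per controller)
cgroup_of() {
    cat "/proc/$1/cgroup" 2>/dev/null || echo "(no cgroup information for pid $1)"
}

# ns_report PID_A PID_B -> human-readable comparison, one line per namespace type
ns_report() {
    echo "namespaces of pid $1 compared with pid $2:"
    for ns in mnt pid net ipc uts user cgroup; do
        a=$(ns_link "$1" "$ns")
        b=$(ns_link "$2" "$ns")
        if [ "$a" = "$b" ]; then
            echo "  $ns: shared ($a)"
        else
            echo "  $ns: separate ($a vs $b)"
        fi
    done
    echo "cgroup membership of pid $1:"
    cgroup_of "$1" | sed 's/^/  /'
}

# Usage: ./nscheck.sh <container-pid>  (compares against that process's parent)
if [ -n "${1:-}" ]; then
    ns_report "$1" "$(parent_pid "$1")"
    echo "namespace types that differ: $(ns_diff_count "$1" "$(parent_pid "$1")")"
fi
```

Run it against the pid of a YARN container's launched process (for instance the shell that runs launch_container.sh under the container's working directory) and it will show, per namespace type, whether that process shares the NodeManager's namespace; a count of 0 with distinct cgroup paths is exactly the "cgroups only, no namespaces" situation the question describes.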
