[
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15666292#comment-15666292
]
Varun Vasudev commented on YARN-5280:
-------------------------------------
Thanks for the explanation [~sidharta-s]. [~gphillips] - do you think you can
move all the functionality of prepareContainer into launchContainer and then
call super.launchContainer in JavaSandboxLinuxContainerRuntime? The benefits
are -
1) You won't be affected if/when we do get round to figuring out where to call
prepareContainer.
2) The environment will also be available to you as part of the
ContainerStartContext.
3) Modifying the launch command is more natural in launchContainer than
prepareContainer
A question about the policy file - do you think this is something that end
users should be able to view to help debug applications?
My suggestion is to not use the hadoop tmp dir for the policy file but instead
use the container private directory. You can add the container private
directory to the ContainerStartContext in ContainerLaunch#call and
ContainerRelaunch#call. That way -
1) You don't need to worry about the hadoop tmp dir running out of space(which
we've seen in a few cases)
2) The policy file will be cleaned up for you by YARN and you can get rid of
the reapContainer functionality you have.
3) You can also potentially re-use the same policy file across container
restarts instead of creating a temporary file every time, since container
private directories are only for the container.
With regards to the patch you have which resolves the testing errors and
removes the use of YARN queues - please include those changes in the next
patch. Once we have the runtime support in, we can add support in MR and
distributed shell for the feature.
> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
> Key: YARN-5280
> URL: https://issues.apache.org/jira/browse/YARN-5280
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager, yarn
> Affects Versions: 2.6.4
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Labels: oct16-medium
> Attachments: YARN-5280.001.patch, YARN-5280.002.patch,
> YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch,
> YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have
> the potential to add instability into the cluster. The Java Security Manager
> can be used to prevent users from running privileged actions while still
> allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the
> Java Security Manager for user code, while still providing complete
> permissions to core Hadoop libraries.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
