[ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15666292#comment-15666292 ]
Varun Vasudev commented on YARN-5280:
-------------------------------------

Thanks for the explanation [~sidharta-s].

[~gphillips] - do you think you can move all the functionality of prepareContainer into launchContainer and then call super.launchContainer in JavaSandboxLinuxContainerRuntime? The benefits are -
1) You won't be affected if/when we do get round to figuring out where to call prepareContainer.
2) The environment will also be available to you as part of the ContainerStartContext.
3) Modifying the launch command is more natural in launchContainer than prepareContainer.

A question about the policy file - do you think this is something that end users should be able to view to help debug applications?

My suggestion is to not use the hadoop tmp dir for the policy file but instead use the container private directory. You can add the container private directory to the ContainerStartContext in ContainerLaunch#call and ContainerRelaunch#call. That way -
1) You don't need to worry about the hadoop tmp dir running out of space (which we've seen in a few cases).
2) The policy file will be cleaned up for you by YARN and you can get rid of the reapContainer functionality you have.
3) You can also potentially re-use the same policy file across container restarts instead of creating a temporary file every time, since container private directories are only for the container.

With regards to the patch you have which resolves the testing errors and removes the use of YARN queues - please include those changes in the next patch. Once we have the runtime support in, we can add support in MR and distributed shell for the feature.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch,
> YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch,
> YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have
> the potential to add instability into the cluster. The Java Security Manager
> can be used to prevent users from running privileged actions while still
> allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the
> Java Security Manager for user code, while still providing complete
> permissions to core Hadoop libraries.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)