[jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager

Thu, 17 Nov 2016 07:41:13 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15673999#comment-15673999
 ] 

Varun Vasudev commented on YARN-5280:
-------------------------------------

{quote}
The difficulty arises when moving the functionality from prepareContainer to 
launchContainer. In particular I need to modify the actual java run command 
instead of the container launch command. The only way I have found to modify 
the run command found within the launch_container.sh is through the 
LinuxContainerExecutor#writeLaunchEnv. A method which links the 
LinuxContainerExecutor with the ContainerRuntime prior to the environment being 
written seems necessary for this feature. I am very interested in your thoughts 
on this matter.
{quote}

Ah you're correct. I missed this. How about we add a new method called 
prepareContainer in the ContainerExecutor base class which does nothing by 
default and override it in the LinuxContainerExecutor class to call the 
runtime's prepareContainer method? We can call this method before we call 
writeLaunchEnv. That should solve your requirement, correct?

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, 
> YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.patch, 
> YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have 
> the potential to add instability into the cluster. The Java Security Manager 
> can be used to prevent users from running privileged actions while still 
> allowing their core data processing use cases. 
> Introduce a YARN flag which will allow a Hadoop administrator to enable the 
> Java Security Manager for user code, while still providing complete 
> permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to