Miklos Szegedi created YARN-6456:
------------------------------------
Summary: Isolation of Docker containers In LinuxContainerExecutor
Key: YARN-6456
URL: https://issues.apache.org/jira/browse/YARN-6456
Project: Hadoop YARN
Issue Type: Bug
Components: nodemanager
Reporter: Miklos Szegedi
One reason to use Docker containers is to be able to isolate different
workloads, even if they run as the same user.
I have noticed some issues in the current design:
1. DockerLinuxContainerRuntime mounts containerLocalDirs
{{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and
userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and
modify the files of another container. I think the application file cache
directory should be enough for the container to run in most cases.
2. The whole cgroups directory is mounted. Would the container directory be
enough?
3. There is no way to enforce exclusive use of Docker for all containers. There
should be an option so that it is not the user but the admin who requires the
use of Docker.
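The over-broad mounts described in items 1 and 2, as an added example (not part of the original message and not Hadoop's own code): a check that flags bind mounts reaching beyond a container's own directories. The nm-local-dir prefix, container ID, cgroup hierarchy path, mount modes and the choice of "own" directories are constructed assumptions; only the application ID comes from the report.

```python
from pathlib import PurePosixPath

def is_within(path, root):
    """True if path equals root or lies beneath it (compared per component)."""
    try:
        PurePosixPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def audit_mounts(mounts, own_dirs, shared_roots):
    """Return (host_path, mode, reason) for mounts that reach beyond own_dirs."""
    findings = []
    for host_path, mode in mounts:
        if any(is_within(host_path, d) for d in own_dirs):
            continue  # confined to a directory owned by this container
        for root in shared_roots:
            if is_within(root, host_path):
                findings.append((host_path, mode, f"exposes all of {root}"))
                break
            if is_within(host_path, root):
                findings.append((host_path, mode, f"shared subtree of {root}"))
                break
    return findings

# Constructed sample layout (assumption); only the application ID is from the report.
NM_LOCAL = "/hadoop/nm-local-dir"
USER_DIR = f"{NM_LOCAL}/usercache/user"
APP_DIR = f"{USER_DIR}/appcache/application_1491598755372_0011"
CONTAINER = "container_1491598755372_0011_01_000002"
CGROUP_ROOT = "/sys/fs/cgroup"

# Directories assumed to belong to this one container.
OWN_DIRS = [f"{APP_DIR}/{CONTAINER}", f"{APP_DIR}/filecache",
            f"{CGROUP_ROOT}/cpu/hadoop-yarn/{CONTAINER}"]
# Directories that hold state of several containers.
SHARED_ROOTS = [USER_DIR, CGROUP_ROOT]
SAMPLE_MOUNTS = [
    (APP_DIR, "rw"),                   # containerLocalDirs as described in item 1
    (USER_DIR, "rw"),                  # userLocalDirs as described in item 1
    (CGROUP_ROOT, "ro"),               # whole cgroups directory, item 2
    (f"{APP_DIR}/{CONTAINER}", "rw"),  # narrower alternative
    (f"{APP_DIR}/filecache", "ro"),    # narrower alternative
]

if __name__ == "__main__":
    for path, mode, reason in audit_mounts(SAMPLE_MOUNTS, OWN_DIRS, SHARED_ROOTS):
        print(f"{mode} {path}: {reason}")
```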