[ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962801#comment-15962801 ]

Jason Lowe commented on YARN-6456:
----------------------------------

bq. DockerLinuxContainerRuntime mounts containerLocalDirs 
nm-local-dir/usercache/user/appcache/application_1491598755372_0011/ and 
userLocalDirs nm-local-dir/usercache/user/

The application directories are needed so the container can deposit output for 
subsequent tasks to pick up via an auxiliary service (e.g., maps leaving 
intermediate data so the MapReduce shuffle handler can serve it to reducers). 
In addition, the application filecache directory is not sufficient, as it misses 
distributed cache resources that have visibility PRIVATE (instead of 
APPLICATION).


> Isolation of Docker containers In LinuxContainerExecutor
> --------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>
> One reason to use Docker containers is to be able to isolate different 
> workloads, even if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs 
> {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and 
> userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see 
> and modify the files of another container. I think the application file cache 
> directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be 
> enough?
> 3. There is no way to enforce exclusive use of Docker for all containers. 
> There should be an option so that it is not the user but the admin that 
> requires the use of Docker.


