[
https://issues.apache.org/jira/browse/YARN-6472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971132#comment-15971132
]
Greg Phillips commented on YARN-6472:
-------------------------------------
[[email protected]] - The nmPrivate directory is drwx------ and
owned by the yarn user in recommended configurations. The generated policy
files need to be both writable by the Nodemanager & accessible by the run-as
user. These constraints rule out most of the sub-directories of the NM.
Additionally the sandbox feature is designed to follow the pattern set by the
DockerLinuxContainerRuntime which uses the hadoop temp directory to store the
files generated by the NM for use by the container user.
> Possible Java sandbox improvements
> ----------------------------------
>
> Key: YARN-6472
> URL: https://issues.apache.org/jira/browse/YARN-6472
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Miklos Szegedi
> Assignee: Greg Phillips
> Attachments: YARN-6472.001.patch, YARN-6472.002.patch
>
>
> I set the sandbox to enforcing mode. Unfortunately I was able to break out of
> the sandbox running native code with the following command:
> {code}
> cmd = "$JAVA_HOME/bin/java %s -Xmx825955249
> org.apache.hadoop.yarn.applications.helloworld.HelloWorld `touch
> ../../helloworld`" + \
> " 1><LOG_DIR>/AppMaster.stdout 2><LOG_DIR>/AppMaster.stderr"
> $ ls .../nm-local-dir/usercache/root/appcache/
> helloworld
> {code}
> Also, if I am not using sandboxes, could we create the nm-sandbox-policies
> directory (empty) lazily?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
