[ https://issues.apache.org/jira/browse/YARN-6726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16099233#comment-16099233 ]
Wangda Tan commented on YARN-6726:
----------------------------------
Thanks [[email protected]] for the patch.
Discussed with Shane offline; in general the approach looks good. I haven't
done a detailed review of the code yet. A few comments/questions:

1) Could we do stricter container_id checking? Checking that the string starts
with container_ might not be enough. You can probably check the method
(validate_container_id) I added to YARN-6852, with which we can avoid malicious
kill container, etc.

2) {{LOGFILE flush}}: I'm not quite sure about this item, could you elaborate?

3) Regarding the comment from [~chris.douglas],
bq. We also need to prevent the yarn user from becoming root ...
If we can limit docker commands to apply only to containers launched by YARN
(for which we can use strict container_id pattern matching to identify them), it
should already be much better than what we have today. We can implement other
options such as enabling/disabling components, dynamically loading libraries,
etc. along with YARN-5673.
> Fix issues with docker commands executed by container-executor
> --------------------------------------------------------------
>
> Key: YARN-6726
> URL: https://issues.apache.org/jira/browse/YARN-6726
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Attachments: YARN-6726.001.patch
>
>
> docker inspect, rm, stop, etc are issued through container-executor. Commands
> other than docker run are not functioning properly.
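
The difference between the prefix check and strict container_id matching raised in point 1, as an added example that is not part of the comment and is not the validate_container_id method from YARN-6852. It assumes the ID layout container_[e<epoch>_]<clusterTimestamp>_<appId>_<attemptId>_<containerId> with decimal fields; the function names and the length bound are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CID_PREFIX "container_"
#define CID_MAX_LEN 128 /* assumed upper bound, not a YARN constant */

/* Weak check: accepts anything that merely starts with "container_". */
static int has_container_prefix(const char *s) {
    return s != NULL && strncmp(s, CID_PREFIX, strlen(CID_PREFIX)) == 0;
}

/* Consume one or more decimal digits; return pointer past them, or NULL. */
static const char *eat_digits(const char *p) {
    const char *start = p;
    while (isdigit((unsigned char)*p)) p++;
    return p > start ? p : NULL;
}

/* Strict check: optional e<epoch> field, then exactly four digit-only
 * fields separated by '_', and nothing after the last field. */
static int is_strict_container_id(const char *s) {
    if (!has_container_prefix(s) || strlen(s) > CID_MAX_LEN) return 0;
    const char *p = s + strlen(CID_PREFIX);
    if (*p == 'e') { /* optional epoch field */
        p = eat_digits(p + 1);
        if (p == NULL || *p++ != '_') return 0;
    }
    for (int field = 0; field < 4; field++) {
        p = eat_digits(p);
        if (p == NULL) return 0;
        if (field < 3 && *p++ != '_') return 0;
    }
    return *p == '\0'; /* reject trailing bytes of any kind */
}

int main(void) {
    const char *samples[] = { /* constructed inputs */
        "container_1410901177871_0001_01_000005",
        "container_e17_1410901177871_0001_01_000005",
        "container_1410901177871_0001_01",
        "container_anything-else",
        "container_1410901177871_0001_01_000005 extra",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-46s prefix=%d strict=%d\n", samples[i],
               has_container_prefix(samples[i]), is_strict_container_id(samples[i]));
    return 0;
}
```

Every sample passes the prefix check, but only the first two pass the strict one.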