[jira] [Commented] (YARN-6623) Add support to turn off launching privileged containers in the container-executor

Mon, 21 Aug 2017 07:21:44 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135223#comment-16135223
 ] 

Shane Kumpf commented on YARN-6623:
-----------------------------------

{quote}
#define EXECUTOR_PATH_MAX 131072

This is lots of allocation. The OS actually needs to zero all the allocated 
memory before giving it to other processes after close, so this might add to 
the overall CPU usage and memory bandwidth.
{quote}
Given that yarn local dirs are bind mounted into containers, using 4096 has 
proven problematic with even a small number of yarn local dirs/disks (3 in the 
case I saw). We're going to need to make the size of this buffer configurable. 
If it seems more appropriate to do so in a separate issue, I'm fine with that.

{quote}
Image can be specified by a digest, which is more secure. I do not see that 
supported by the regex. IMAGE[:TAG|@DIGEST]
{quote}
This is the same regex used on the java side, just duplicated in c-e to address 
the concerns with direct invocation. We should fix this both places to support 
the digest notation. Again, this seems like a separate issue from what this 
patch is addressing.

> Add support to turn off launching privileged containers in the 
> container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: YARN-6623.001.patch, YARN-6623.002.patch, 
> YARN-6623.003.patch, YARN-6623.004.patch
>
>
> Currently, launching privileged containers is controlled by the NM. We should 
> add a flag to the container-executor.cfg allowing admins to disable launching 
> privileged containers at the container-executor level.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to