[https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16246778#comment-16246778]
Allen Wittenauer commented on YARN-7468:
----------------------------------------
bq. Ideally, I'd have all the external endpoints secured to disallow this
cluster from talking back except for very fine-grained allowances – it's a big
world and I can't.
It also won't prevent DDoS attacks anyway. Plus, while most of the Hadoop
ecosystem has ACL support, in most cases it's not particularly well
implemented, and that is before the dynamic reconfiguration use case you've
effectively presented here.
bq. In all fairness, I could use tcpspy and have it record the PID of
processes today too
In the short term, it's probably easier to just force the use of LCE but with a
wrapper around container-executor to set up the control information you want.
Since the NM and c-e talk pretty much exclusively through a CLI (with all the
security concerns that brings with it...), this setup should be pretty trivial
to do and give you all the information you need to set up extra cgroups or
whatever.
That said, c-e probably should be more pluggable to allow people to run their
own bits. [I've been a proponent of c-e getting switched over to do dlopen()'s
vs. the current static compiling for features. This is a great example where
it'd be extremely useful.]
> Provide means for container network policy control
> --------------------------------------------------
>
> Key: YARN-7468
> URL: https://issues.apache.org/jira/browse/YARN-7468
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Clay B.
> Priority: Minor
>
> To prevent data exfiltration from a YARN cluster, it would be very helpful to
> have "firewall" rules able to map to a user/queue's containers.
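The wrapper sketched in the comment above (a script sitting in front of the real container-executor that records what the NodeManager asked for, lets an operator hook apply per-container policy such as an extra cgroup or firewall rule, and then hands off unchanged) can look like the following. This is an added example, not Hadoop code and not something from the comment author; the binary and log locations, the `CE_REAL_BINARY` / `CE_AUDIT_LOG` / `CE_POLICY_HOOK` environment variables, the hook interface and the sample argument values are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Hadoop code): a wrapper installed at the path the
# NodeManager invokes as its container-executor. It records every invocation,
# runs an optional operator hook, then execs the real setuid binary unchanged.
# All paths and variable names below are assumptions for illustration.
#
# Two things a practitioner must keep in mind:
#  * the kernel ignores setuid on scripts, so this wrapper runs with the NM
#    user's privileges; the real binary keeps its setuid bit and still does the
#    privileged work, and the hook only has the NM user's rights.
#  * arguments are logged and forwarded verbatim; the wrapper never alters or
#    interprets them, argument validation stays with container-executor itself.

REAL_CE="${CE_REAL_BINARY:-/usr/lib/hadoop-yarn/bin/container-executor.real}"     # assumed path
CE_AUDIT_LOG="${CE_AUDIT_LOG:-/var/log/hadoop-yarn/container-executor-audit.log}" # assumed path
CE_POLICY_HOOK="${CE_POLICY_HOOK:-}"  # optional operator script, receives the same argv

# Append one audit line per invocation: UTC time, caller pid (the NM) and argv.
# Each argument is single-quoted so an argument containing spaces stays recoverable.
record_invocation() {
    log="$1"; shift
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) ppid=$PPID argv:"
    for a in "$@"; do
        line="$line '$a'"
    done
    printf '%s\n' "$line" >> "$log"
}

# Run the operator hook with the same argv the NM passed, if one is configured.
# The wrapper fails closed: if the policy hook cannot apply its controls, the
# launch is refused and the failure is written to the audit log.
run_policy_hook() {
    [ -n "$CE_POLICY_HOOK" ] || return 0
    status=0
    "$CE_POLICY_HOOK" "$@" || status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s hook %s failed status=%s, refusing launch\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$CE_POLICY_HOOK" "$status" >> "$CE_AUDIT_LOG"
        return 1
    fi
    return 0
}

# Record, apply policy, then replace this process with the real executor.
ce_wrapper_main() {
    record_invocation "$CE_AUDIT_LOG" "$@"
    if ! run_policy_hook "$@"; then
        return 1
    fi
    # exec: the real binary's setuid bit takes effect here, nothing else runs after it.
    exec "$REAL_CE" "$@"
}

# The NM always passes arguments. With none (e.g. when the file is sourced to
# exercise the functions above) the wrapper defines its functions and does nothing.
if [ "$#" -gt 0 ]; then
    ce_wrapper_main "$@"
fi
```

The audit log gives the per-container mapping the comment describes (which user and container a launch belonged to, as seen from the NM side), which is what an operator would correlate with connection records such as tcpspy's to attribute outbound traffic to a queue or user.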
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)