[ 
https://issues.apache.org/jira/browse/YARN-7506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16256115#comment-16256115
 ] 

Eric Yang commented on YARN-7506:
---------------------------------

IMO, container-executor is essentially a lightweight sudo with extra
validations in place to make sure that we protect root power from mistakes.
Both Docker and Hadoop use "trusted" users to define security, to ensure that
trusted users have done their due diligence of validation before enabling root
power. The YARN user tapping directly into docker.sock goes against our original
philosophy of having both the "trusted" user and root perform validation. Root
power may be used for validation logic when the trusted user cannot validate, such
as the symlink to local file system access that YARN-6623 solved.

We can consider keeping most of the logic in Java as long as root privileges are not
required. The performance gain from tapping into the Docker socket is saving the
cost of one fork, but we would lose a lot of validations done by the Docker CLI.
Conversely, I am in favor of keeping the balance. Not all code needs to go into
container-executor if it can be done in Java. If it can be helped, calling a
root CLI is preferable to calling a root-owned network socket.

I don't fully agree with the YARN-5673 modules API design. The description is
another plug-in architecture to enable more functionality with root power. I
think this is a slippery slope to enable more risks in container-executor.

[~ebadger] It is best to avoid running java as root.  Java runtime includes a 
lot of third party code, which can be unpredictable with root power.


> Overhaul the design of the Linux container-executor regarding Docker and 
> future runtimes
> ----------------------------------------------------------------------------------------
>
>                 Key: YARN-7506
>                 URL: https://issues.apache.org/jira/browse/YARN-7506
>             Project: Hadoop YARN
>          Issue Type: Wish
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>              Labels: Docker, container-executor
>
> I raise this topic to discuss a potential improvement of the container 
> executor tool in node manager.
> container-executor has two main purposes. It executes Linux *system calls not 
> available from Java*, and it executes tasks *available to root that are not 
> available to the yarn user*. Historically container-executor did both by 
> doing impersonation. The yarn user is separated from root because it runs 
> network services, so *the yarn user should be restricted* by design. Because 
> of this it has its own config file container-executor.cfg writable by root 
> only that specifies what actions are allowed for the yarn user. However, the 
> requirements have changed with Docker and that raises the following questions:
> 1. The Docker feature of YARN requires root permissions to *access the Docker 
> socket* but it does not run any system calls, so could the Docker related 
> code in container-executor be *refactored into a separate Java process run as 
> root*? Java would make the development much faster and more secure. 
> 2. The Docker feature only needs the Docker unix socket. It is not a good 
> idea to let the yarn user directly access the socket, since that would 
> elevate its privileges to root. However, the Java tool running as root 
> mentioned in the previous question could act as a *proxy on the Docker 
> socket* operating directly on the Docker REST API *eliminating the need to 
> use the Docker CLI*. 
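The thread argues that a root-owned proxy on the Docker socket (question 2 above) is only acceptable if it reproduces the validations that would otherwise be lost by bypassing the Docker CLI. The following added example (not code from YARN or from either participant) sketches what such a policy check on a Docker Engine API `POST /containers/create` body could look like; the allowed mount roots, the simulated symlink table and the sample requests are constructed for illustration, and `realpath` is injectable only so the symlink case can be shown offline.

```python
import json
import os

# Constructed sample policy: host directories containers may bind-mount from.
# In a real deployment this allow-list would live in a root-owned config such
# as container-executor.cfg, never in anything the yarn user can write.
ALLOWED_MOUNT_ROOTS = ("/hadoop/yarn/local", "/hadoop/yarn/log")

def _under_allowed_root(real_path):
    return any(real_path == r or real_path.startswith(r + "/")
               for r in ALLOWED_MOUNT_ROOTS)

def check_create_request(body, realpath=os.path.realpath):
    """Return policy violations for a POST /containers/create body; an empty
    list means the root-owned proxy may forward the request to docker.sock."""
    req = json.loads(body) if isinstance(body, (str, bytes)) else body
    host = req.get("HostConfig") or {}
    violations = []
    if host.get("Privileged"):
        violations.append("Privileged=true grants the container root on the host")
    for cap in host.get("CapAdd") or []:
        violations.append(f"CapAdd {cap} is not permitted")
    for ns in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(ns) == "host":
            violations.append(f"{ns}=host shares a host namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        # Canonicalize before comparing: a symlink under an allowed directory
        # must not be able to reach outside it (the class of issue YARN-6623 addressed).
        real = realpath(src)
        if not _under_allowed_root(real):
            violations.append(f"bind source {src} resolves to {real}, outside allowed roots")
    return violations

# Constructed symlink table standing in for the real filesystem.
FAKE_LINKS = {"/hadoop/yarn/local/app_1/data": "/etc"}

def fake_realpath(path):
    for link, target in FAKE_LINKS.items():
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return os.path.normpath(path)

GOOD_REQUEST = json.dumps({"Image": "hadoop/app:1", "HostConfig": {
    "Binds": ["/hadoop/yarn/local/app_1/work:/work"]}})
BAD_REQUEST = json.dumps({"Image": "hadoop/app:1", "HostConfig": {
    "Privileged": True, "PidMode": "host",
    "Binds": ["/hadoop/yarn/local/app_1/data/hosts:/x",
              "/var/run/docker.sock:/var/run/docker.sock"]}})
```

`check_create_request(GOOD_REQUEST, fake_realpath)` returns an empty list, while the bad request is denied for the privileged flag, the host PID namespace, the symlinked bind that resolves to `/etc/hosts`, and the attempt to mount the Docker socket itself.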


