[
https://issues.apache.org/jira/browse/YARN-7729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16329001#comment-16329001
]
Shane Kumpf edited comment on YARN-7729 at 1/17/18 4:55 PM:
------------------------------------------------------------
Thanks for the patch, [~billie.rinaldi]! I tested this out and it works as
expected. A couple of minor items to address.
# The javadoc in DockerLinuxContainerRuntime is missing the new environment
variable YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE
# The yarn-site and container-executor.cfg settings aren't consistent;
yarn-site uses host-pid-namespace, while container-executor uses pid-host.
Perhaps it would be good to make them consistent.
# Currently the value for docker.pid-host.enabled is 1/0. To align with
YARN-7717 this should be a case insensitive true/false. Given this is a new
option, I would eliminate support for 1/0 completely on this config.
# Formatting was changed within
{{TestDockerContainerRuntime#testLaunchPrivilegedContainersInvalidEnvVar}}, but
I don't think that is necessary.
{code:java}
List<String> dockerCommands = Files.readAllLines(
    Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
{code}
# Minor copy/paste comment error in
{{TestDockerContainerRuntime#testLaunchPidNamespaceContainersInvalidEnvVar}}
{code:java}
//ensure --privileged isn't in the invocation
Assert.assertTrue("Unexpected --privileged in docker run args : " + command,
    !command.contains("--privileged"));
{code}
> Add support for setting the PID namespace mode
> ----------------------------------------------
>
> Key: YARN-7729
> URL: https://issues.apache.org/jira/browse/YARN-7729
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: nodemanager
> Reporter: Shane Kumpf
> Assignee: Billie Rinaldi
> Priority: Major
> Attachments: YARN-7729.001.patch, YARN-7729.002.patch
>
>
> Docker has support for allowing containers to share the PID namespace with
> the host or other containers via the {{docker run --pid}} flag.
> There are a number of use cases where this is desirable:
> * Monitoring tools running in containers that need access to the host level
> PIDs.
> * Debug containers that can attach to another container to run strace, gdb,
> etc.
> * Testing Docker on YARN in a container, where the docker socket is bind
> mounted.
> Enabling this feature should be considered privileged as it exposes host
> details inside the container.
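The strict true/false handling of docker.pid-host.enabled and the privileged nature of host PID sharing discussed in this thread, as an added example (not code from the YARN-7729 patch or from Hadoop). The function names `parse_strict_bool` and `build_pid_arg` are hypothetical, and the request value `host` for YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality without relying on non-ISO helpers. */
static int equals_ignore_case(const char *a, const char *b) {
  while (*a && *b) {
    if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    a++; b++;
  }
  return *a == '\0' && *b == '\0';
}

/* Returns 1 for "true", 0 for "false" (any case), -1 for anything else,
 * including the legacy "1"/"0" forms and a missing value. */
int parse_strict_bool(const char *v) {
  if (v == NULL) return -1;
  if (equals_ignore_case(v, "true")) return 1;
  if (equals_ignore_case(v, "false")) return 0;
  return -1;
}

/* requested: value of YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE
 *            (NULL if unset; "host" is the assumed request value).
 * cfg:       value of docker.pid-host.enabled (NULL if absent).
 * Writes the docker run argument (or "") to out. Returns 0 on success and
 * -1 when the request is refused, so the caller fails closed. */
int build_pid_arg(const char *requested, const char *cfg, char *out, size_t outlen) {
  if (out == NULL || outlen == 0) return -1;
  out[0] = '\0';
  if (requested == NULL || requested[0] == '\0') return 0; /* private namespace */
  if (strcmp(requested, "host") != 0) return -1;  /* only host mode is modelled */
  if (parse_strict_bool(cfg) != 1) return -1;     /* admin has not opted in */
  int n = snprintf(out, outlen, "--pid=host");
  if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
  return 0;
}

int main(void) {
  /* Constructed inputs: {requested namespace, admin config value}. */
  const char *cases[][2] = {{"host", "True"}, {"host", "1"}, {NULL, "false"}};
  char arg[32];
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    int rc = build_pid_arg(cases[i][0], cases[i][1], arg, sizeof arg);
    printf("requested=%s cfg=%s -> rc=%d arg='%s'\n",
           cases[i][0] ? cases[i][0] : "(unset)", cases[i][1], rc, arg);
  }
  return 0;
}
```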