[ 
https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344123#comment-16344123
 ] 

Jason Lowe commented on YARN-7815:
----------------------------------

bq. Can we break anything if we move localized user-private files from 
nm-local-dir/usercache/user to nm-local-dir/usercache/user/filecache during 
upgrade?

Moving files on running apps is definitely going to break some of them. IIUC 
there's no proposal to move any files as part of this, just change whether or 
not containers have read-write access to certain local paths even if they try 
to explicitly change the permissions (as they could today with user-private 
files since they own them).  Right now we mount nm-local-dir/usercache/user to 
get access to its underlying filecache directory, and this simply proposes to 
directly mount nm-local-dir/usercache/user/filecache rather than the parent, as 
the parent cannot be mounted read-only due to the other read-write directories 
we are trying to mount underneath it (i.e.: the applications's appcache 
directory).

bq. Should not we remove this comment and code in this case?

I think this is still useful. The intent of that code is not to lock down and 
completely prevent AM-RM token access by any means.  It's there to prevent 
_accidental_ use of the AM-RM token. For example, if some task code ended up 
calling an API that requires contacting the RM (e.g.: acting like a client and 
trying to get job status) then that could easily DDoS the RM for a large job. 
The lack of AM-RM token for tasks means a connection to an RM will not work by 
default.  It can still be done (e.g.: Oozie launcher tasks that launch other 
jobs), but it doesn't do this by default.

Sure, a task could try really hard to go hunting for one if they happened to be 
running on the same node as the AM. If we're worried about that then the simple 
fix is to have the AM delete the token file after it's been consumed and before 
it starts launching tasks.

> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>
>                 Key: YARN-7815
>                 URL: https://issues.apache.org/jira/browse/YARN-7815
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Shane Kumpf
>            Assignee: Shane Kumpf
>            Priority: Major
>
> Currently, when using the Docker runtime, the filecache directories are 
> mounted read-write into the Docker containers. Read write access is not 
> necessary. We should make this more restrictive by changing that mount to 
> read-only.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to