[
https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344123#comment-16344123
]
Jason Lowe commented on YARN-7815:
----------------------------------
bq. Can we break anything if we move localized user-private files from
nm-local-dir/usercache/user to nm-local-dir/usercache/user/filecache during
upgrade?
Moving files on running apps is definitely going to break some of them. IIUC
there's no proposal to move any files as part of this, just change whether or
not containers have read-write access to certain local paths even if they try
to explicitly change the permissions (as they could today with user-private
files since they own them). Right now we mount nm-local-dir/usercache/user to
get access to its underlying filecache directory, and this simply proposes to
directly mount nm-local-dir/usercache/user/filecache rather than the parent, as
the parent cannot be mounted read-only due to the other read-write directories
we are trying to mount underneath it (i.e.: the applications's appcache
directory).
bq. Should not we remove this comment and code in this case?
I think this is still useful. The intent of that code is not to lock down and
completely prevent AM-RM token access by any means. It's there to prevent
_accidental_ use of the AM-RM token. For example, if some task code ended up
calling an API that requires contacting the RM (e.g.: acting like a client and
trying to get job status) then that could easily DDoS the RM for a large job.
The lack of AM-RM token for tasks means a connection to an RM will not work by
default. It can still be done (e.g.: Oozie launcher tasks that launch other
jobs), but it doesn't do this by default.
Sure, a task could try really hard to go hunting for one if they happened to be
running on the same node as the AM. If we're worried about that then the simple
fix is to have the AM delete the token file after it's been consumed and before
it starts launching tasks.
> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>
> Key: YARN-7815
> URL: https://issues.apache.org/jira/browse/YARN-7815
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Priority: Major
>
> Currently, when using the Docker runtime, the filecache directories are
> mounted read-write into the Docker containers. Read write access is not
> necessary. We should make this more restrictive by changing that mount to
> read-only.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
