[
https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346953#comment-16346953
]
Shane Kumpf commented on YARN-7815:
-----------------------------------
Thanks for all the discussion here!
{quote}I think that leaves us with this proposal which should accomplish that
and remove one of the mounts being made today:
1. nm-local-dir/filecache mounted read-only for access to localized public files
2. nm-local-dir/usercache/_user_/filecache mounted read-only for access to
localized user-private files
3. nm-local-dir/usercache/_user_/appcache/_applicationId_ mounted read-write
for access to the application work area and underlying container working
directory
{quote}
This is inline with my findings and I've got a patch mostly ready that
implements this approach. However, I'm running into an issue where some jars
need to be localized again. I'll post the patch or update the discussion once
I've tracked down the cause of that issue.
> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>
> Key: YARN-7815
> URL: https://issues.apache.org/jira/browse/YARN-7815
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Priority: Major
>
> Currently, when using the Docker runtime, the filecache directories are
> mounted read-write into the Docker containers. Read write access is not
> necessary. We should make this more restrictive by changing that mount to
> read-only.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
