[ https://issues.apache.org/jira/browse/YARN-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352816#comment-16352816 ]
Jim Brennan commented on YARN-7857: ----------------------------------- [~miklos.szeg...@cloudera.com] I have prepared another patch that only adds the {{-fstack-check}} option for GCC versions > 4.8. But on further review and reflection, I have come around to the opinion that the security issue is more important than this incompatibility, especially given that we have addressed that incompatibility in YARN-7796. I have not found anything that officially changes the recommendation of using {{-fstack-check}} to help combat stack clash attacks, and I have not found an alternative command line option for gcc. So I am reluctant to remove {{-fstack-check}} for any versions of GCC when it is currently not causing a problem. My original motivation of preventing us from running into the same incompatibility again (due to future changes to container-executor code) does not seem worth re-opening a significant security hole. > -fstack-check compilation flag causes binary incompatibility for > container-executor between RHEL 6 and RHEL 7 > ------------------------------------------------------------------------------------------------------------- > > Key: YARN-7857 > URL: https://issues.apache.org/jira/browse/YARN-7857 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager > Affects Versions: 3.0.0 > Reporter: Jim Brennan > Assignee: Jim Brennan > Priority: Major > Attachments: YARN-7857.001.patch > > > The segmentation fault in container-executor reported in [YARN-7796] appears > to be due to a binary compatibility issue with the {{-fstack-check}} flag > that was added in [YARN-6721] > Based on my testing, a container-executor (without the patch from > [YARN-7796]) compiled on RHEL 6 with the -fstack-check flag always hits this > segmentation fault when run on RHEL 7. But if you compile without this flag, > the container-executor runs on RHEL 7 with no problems. I also verified this > with a simple program that just does the copy_file. > I think we need to either remove this flag, or find a suitable alternative. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org