[ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612427#comment-16612427 ]

Eric Yang commented on YARN-6456:
---------------------------------

[~ccondit-target] {quote}This configuration is here for parity with 
allowed-runtimes. I don't believe this is redundant, as container-executor 
configuration is meant to lock down yarn-to-root escalation paths.{quote}

There are two configurations: docker.trusted.registries and 
docker.privileged.registries. The first one governs whether the image is allowed to 
run, and the second one checks whether the image can be run as privileged. At this 
time, only docker.trusted.registries is implemented, and images in trusted 
privileges can run as privileged containers as well as normal users' containers. 
Non-trusted images run in sandbox mode (no external mounts). The 
purpose of the settings is similar, but not identical. We decided to build 
the check at the container-executor level instead of the node manager level to prevent 
an unauthorized yarn user from spawning containers with unauthorized binaries. The 
newly introduced setting will not be enforced at root level. Therefore, it 
does not have the same strength of protection as the existing mechanism. There is 
a high chance that a new container runtime requires root privileges to start 
containers. If this is the case, it would be better to build the allowed image 
and default image check in container-executor to be in parity with decisions 
made last year.

[~jlowe] This extra check will generate a support headache. From Java code to 
container-executor is only a few milliseconds' difference, therefore failing fast in 
this case might not make much difference. I also prefer to have more 
configuration in yarn-site.xml, but the fact that container-executor doesn't parse XML files 
is a limitation that can be solved in another story.
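The trusted-registry policy described in the comment above, as an added illustrative model (not Hadoop's container-executor code): a trusted registry lets an image run normally or privileged with its mounts, while an image from any other registry runs in sandbox mode with no external mounts. The cfg text is constructed, and two points are assumptions of the model rather than statements from the thread: a bare image name is attributed to the registry name "library", and a privileged request for a non-trusted image is refused outright.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool          # may the container be launched at all?
    privileged: bool       # launched with --privileged?
    external_mounts: bool  # False means sandbox mode (no external mounts)


# Constructed sample of a container-executor.cfg-style [docker] section.
CONSTRUCTED_CFG = """
[docker]
  docker.trusted.registries=library,registry.example.internal:5000
"""


def parse_cfg(text: str) -> dict:
    """Parse key=value lines of the [docker] section into {key: [values]}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "docker" and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return cfg


def registry_of(image: str) -> str:
    """Registry component of an image reference (assumption: 'library' when absent)."""
    first, sep, _ = image.partition("/")
    return first if sep else "library"


def decide(cfg: dict, image: str, want_privileged: bool) -> Decision:
    """Apply the docker.trusted.registries policy to one launch request."""
    trusted = registry_of(image) in cfg.get("docker.trusted.registries", [])
    if want_privileged and not trusted:
        # Assumption: privileged mode is only granted to trusted images.
        return Decision(allowed=False, privileged=False, external_mounts=False)
    # Trusted images keep their mounts; everything else is sandboxed.
    return Decision(allowed=True, privileged=want_privileged, external_mounts=trusted)
```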

> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>            Assignee: Craig Condit
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch, 
> YARN-6456.001.patch, YARN-6456.002.patch, YARN-6456.003.patch
>
>
>  
> With LCE, there are multiple ContainerRuntimes available for handling 
> different types of containers; default, docker, java sandbox. Admins should 
> have the ability to override the user decision and set a single global 
> ContainerRuntime to be used for all containers.
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different 
> workloads, even if they run as the same user.
> I have noticed some issues in the current design:
>  1. DockerLinuxContainerRuntime mounts containerLocalDirs 
> {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and 
> userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see 
> and modify the files of another container. I think the application file cache 
> directory should be enough for the container to run in most of the cases.
>  2. The whole cgroups directory is mounted. Would the container directory be 
> enough?
>  3. There is no way to enforce exclusive use of Docker for all containers. 
> There should be an option so that it is not the user but the admin who requires 
> the use of Docker.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
