[ 
https://issues.apache.org/jira/browse/YARN-8777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620077#comment-16620077
 ] 

Eric Yang commented on YARN-8777:
---------------------------------

[~Zian Chen] {quote}
The method param list has out an outlen which didn't match the signature, and 
we miss a description for param args, is this a typo?
{quote}

Good catch, I will make the correction.

{quote}we can probably give an enum to index several commonly used command 
options, and ask the node manager to only pass an index which can be matched 
with one of these enum elements, in this way we can have some kind of 
flexibility without opening up a bigger attack interface. {quote}

The enum approach can be used for a fixed number of parameters or a small set 
of parameters.  It is probably not an ideal interface to pass arbitrary 
commands to container-executor for docker exec.  One possible danger is sending 
hex code as argv to trigger a buffer overflow in container-executor or docker, 
where there is no logic to validate the arbitrary command.

{quote}should we also take care of passing shell commands inside the container 
?{quote}

The entire pipeline looks like websocket > node manager > container-executor > 
docker -it exec bash.  Every keystroke is written from the web socket to bash, 
which interprets the incoming input stream via stdin.  All output is written 
out from bash to stdout back to the web socket.  This simulates the terminal 
behavior.  There is no need to do additional processing of shell commands with 
the current arrangement.

> Container Executor C binary change to execute interactive docker command
> ------------------------------------------------------------------------
>
>                 Key: YARN-8777
>                 URL: https://issues.apache.org/jira/browse/YARN-8777
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zian Chen
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8777.001.patch
>
>
> Since Container Executor provides Container execution using the native 
> container-executor binary, we also need to make changes to accept new 
> “dockerExec” method to invoke the corresponding native function to execute 
> docker exec command to the running container.
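
An added example, not taken from the YARN-8777 patch or from Hadoop's container-executor: a sketch of the enum-index interface discussed in the comment above, where the node manager passes only an index and a container id and the binary builds a fixed argv itself. The function names, the two allowlisted shells and the container-id character set are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist: the caller sends an index, never a command string. */
enum exec_cmd { EXEC_BASH = 0, EXEC_SH, EXEC_CMD_COUNT };
static const char *const EXEC_PATH[EXEC_CMD_COUNT] = { "/bin/bash", "/bin/sh" };

/* Parse the index strictly: decimal digits only, no trailing bytes, in range.
 * Returns the index, or -1 for anything else. */
int parse_exec_index(const char *s) {
  char *end = NULL;
  long v;
  if (s == NULL || *s < '0' || *s > '9') return -1; /* rejects "", "-1", " 1" */
  errno = 0;
  v = strtol(s, &end, 10);
  if (errno != 0 || *end != '\0') return -1;        /* overflow or "0;id" */
  if (v >= EXEC_CMD_COUNT) return -1;
  return (int) v;
}

/* Assumed id format: 1..64 chars of [A-Za-z0-9_], so an id can never be
 * read by docker as an option such as "--privileged". */
int valid_container_id(const char *id) {
  static const char ok[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
  size_t n;
  if (id == NULL) return 0;
  n = strlen(id);
  return n >= 1 && n <= 64 && strspn(id, ok) == n;
}

/* Fill argv for execvp() with: docker exec -it <id> <allowlisted shell>.
 * Returns argc (5) on success, -1 on any rejected input; argv needs 6 slots.
 * Only pointers to constants and the validated id are stored, so nothing
 * caller-controlled is copied into a fixed-size buffer. */
int build_docker_exec_argv(const char *index_str, const char *id,
                           const char *argv[], size_t cap) {
  int idx = parse_exec_index(index_str);
  if (idx < 0 || !valid_container_id(id) || argv == NULL || cap < 6) return -1;
  argv[0] = "docker";
  argv[1] = "exec";
  argv[2] = "-it";
  argv[3] = id;
  argv[4] = EXEC_PATH[idx];
  argv[5] = NULL;
  return 5;
}
```

As the comment notes, this only covers a small fixed set of commands; it does not extend to passing arbitrary commands to docker exec.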


