[ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16630305#comment-16630305 ]
Craig Condit commented on YARN-6456:
------------------------------------

[~eyang], your assessment of how the properties interact is correct. The {{yarn.nodemanager.runtime.linux.allowed-runtimes}} property dictates the set of runtimes which may be selected from, while {{yarn.nodemanager.runtime.linux.type}} sets the default. Without this, all application submissions would need to specify a runtime type or they would fail. This is also why a default docker image can be specified. The idea is that an administrator can allow jobs to run under any runtime without user-visible configuration.

The mapping between runtime type names and classes uses the same logic as the {{YARN_CONTAINER_RUNTIME_TYPE}} environment variable (and in fact uses the same code). The value of {{yarn.nodemanager.runtime.linux.type}} is used as a default for {{YARN_CONTAINER_RUNTIME_TYPE}} if it is not provided by the user. Similarly, {{yarn.nodemanager.runtime.linux.docker.image-name}} is used as a default for {{YARN_CONTAINER_RUNTIME_DOCKER_IMAGE}}.

> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>            Assignee: Craig Condit
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch, YARN-6456.001.patch, YARN-6456.002.patch, YARN-6456.003.patch, YARN-6456.004.patch, YARN-6456.005.patch
>
>
> With LCE, there are multiple ContainerRuntimes available for handling different types of containers; default, docker, java sandbox. Admins should have the ability to override the user decision and set a single global ContainerRuntime to be used for all containers.
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different workloads, even if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify the files of another container. I think the application file cache directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be enough?
> 3. There is no way to enforce exclusive use of Docker for all containers. There should be an option that it is not the user but the admin that requires to use Docker.
> {quote}
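
The property interaction described in the comment above, as an added example (a Python model written for this page, not Hadoop's code and not from the thread): it reads a constructed yarn-site.xml fragment, resolves the runtime and image for a submission, and checks whether a single runtime is enforced. The function names, the image name, the case-insensitive matching and the rejection of a runtime outside the allowed set are assumptions of this model.

```python
import xml.etree.ElementTree as ET

PREFIX = "yarn.nodemanager.runtime.linux."

# Constructed yarn-site.xml fragment: only Docker is allowed and it is the
# default. The image name is a placeholder.
YARN_SITE = """
<configuration>
 <property><name>yarn.nodemanager.runtime.linux.allowed-runtimes</name><value>docker</value></property>
 <property><name>yarn.nodemanager.runtime.linux.type</name><value>docker</value></property>
 <property><name>yarn.nodemanager.runtime.linux.docker.image-name</name><value>example/base:1.0</value></property>
</configuration>
"""

def load_conf(xml_text):
    """Return {name: value} for each <property> of a Hadoop-style config."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def allowed_runtimes(conf):
    # Assumption of this model: runtime names are compared case-insensitively.
    raw = conf.get(PREFIX + "allowed-runtimes", "")
    return {r.strip().lower() for r in raw.split(",") if r.strip()}

def resolve_runtime(conf, env):
    """User environment first, NodeManager defaults second."""
    # yarn.nodemanager.runtime.linux.type only fills in a missing env value.
    requested = (env.get("YARN_CONTAINER_RUNTIME_TYPE")
                 or conf.get(PREFIX + "type", "")).strip().lower()
    if not requested:
        raise ValueError("no runtime requested and no default configured")
    # Assumption of this model: a runtime outside the allowed set is refused.
    if requested not in allowed_runtimes(conf):
        raise PermissionError(f"runtime {requested!r} is not in allowed-runtimes")
    image = None
    if requested == "docker":
        image = (env.get("YARN_CONTAINER_RUNTIME_DOCKER_IMAGE")
                 or conf.get(PREFIX + "docker.image-name") or None)
    return requested, image

def single_runtime_enforced(conf):
    """True when users cannot select anything but the configured default."""
    default = conf.get(PREFIX + "type", "").strip().lower()
    return allowed_runtimes(conf) == {default}

if __name__ == "__main__":
    conf = load_conf(YARN_SITE)
    print(resolve_runtime(conf, {}), single_runtime_enforced(conf))
```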