[ 
https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16630305#comment-16630305
 ] 

Craig Condit commented on YARN-6456:
------------------------------------

[~eyang], your assessment of how the properties interact is correct. The 
{{yarn.nodemanager.runtime.linux.allowed-runtimes}} property dictates the set 
of runtimes which may be selected from, while 
{{yarn.nodemanager.runtime.linux.type}} sets the default. Without this, all 
application submissions would need to specify a runtime type or they would 
fail. This is also why a default docker image can be specified. The idea is 
that an administrator can allow jobs to run under any runtime without 
user-visible configuration.

The mapping between runtime type names and classes uses the same logic as the 
{{YARN_CONTAINER_RUNTIME_TYPE}} environment variable (and in fact uses the same 
code). The value of {{yarn.nodemanager.runtime.linux.type}} is used as a default 
for {{YARN_CONTAINER_RUNTIME_TYPE}} if it is not provided by the user. 
Similarly, {{yarn.nodemanager.runtime.linux.docker.image-name}} is used as a 
default for {{YARN_CONTAINER_RUNTIME_DOCKER_IMAGE}}.

> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>            Assignee: Craig Condit
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch, 
> YARN-6456.001.patch, YARN-6456.002.patch, YARN-6456.003.patch, 
> YARN-6456.004.patch, YARN-6456.005.patch
>
>
>  
> With LCE, there are multiple ContainerRuntimes available for handling 
> different types of containers; default, docker, java sandbox. Admins should 
> have the ability to override the user decision and set a single global 
> ContainerRuntime to be used for all containers.
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different 
> workloads, even if they run as the same user.
> I have noticed some issues in the current design:
>  1. DockerLinuxContainerRuntime mounts containerLocalDirs 
> {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and 
> userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see 
> and modify the files of another container. I think the application file cache 
> directory should be enough for the container to run in most of the cases.
>  2. The whole cgroups directory is mounted. Would the container directory be 
> enough?
>  3. There is no way to enforce exclusive use of Docker for all containers. 
> There should be an option that it is not the user but the admin that requires 
> to use Docker.
> {quote}
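
The interaction of the properties described in the comment above, as an added example (a simplified Python model, not Hadoop source and not code from the patch). Assumptions: the exception class, the function names, the sample image name, treating a missing type as the `default` runtime, and rejecting a docker launch that has no image.

```python
# Simplified model of the runtime selection described in the comment.
ALLOWED_KEY = "yarn.nodemanager.runtime.linux.allowed-runtimes"
TYPE_KEY = "yarn.nodemanager.runtime.linux.type"
IMAGE_KEY = "yarn.nodemanager.runtime.linux.docker.image-name"
ENV_TYPE = "YARN_CONTAINER_RUNTIME_TYPE"
ENV_IMAGE = "YARN_CONTAINER_RUNTIME_DOCKER_IMAGE"


class RuntimeNotAllowed(Exception):
    """Hypothetical error type for a rejected container launch."""


def resolve_runtime(conf, env):
    """Return (runtime_type, docker_image) for one container launch."""
    raw = conf.get(ALLOWED_KEY, "default")
    allowed = {name.strip() for name in raw.split(",") if name.strip()}
    # A user-supplied value wins; the admin-configured type is only a default.
    # Assumption: with neither set, the request is for the "default" runtime.
    runtime = env.get(ENV_TYPE) or conf.get(TYPE_KEY) or "default"
    if runtime not in allowed:
        raise RuntimeNotAllowed(f"{runtime!r} not in {sorted(allowed)}")
    image = None
    if runtime == "docker":
        # Same pattern: the configured image name is a fallback for the env var.
        image = env.get(ENV_IMAGE) or conf.get(IMAGE_KEY)
        if image is None:
            raise RuntimeNotAllowed("docker selected but no image configured")
    return runtime, image


def is_rejected(conf, env):
    """True when the launch request would be refused under this model."""
    try:
        resolve_runtime(conf, env)
        return False
    except RuntimeNotAllowed:
        return True


# Constructed sample: Docker is the only allowed runtime and also the default.
DOCKER_ONLY = {ALLOWED_KEY: "docker", TYPE_KEY: "docker",
               IMAGE_KEY: "library/centos:7"}
# Constructed sample: same allow-list, but no default type configured.
DOCKER_NO_DEFAULT = {ALLOWED_KEY: "docker", IMAGE_KEY: "library/centos:7"}

if __name__ == "__main__":
    print(resolve_runtime(DOCKER_ONLY, {}))                  # admin default applies
    print(is_rejected(DOCKER_ONLY, {ENV_TYPE: "default"}))   # user opt-out refused
    print(is_rejected(DOCKER_NO_DEFAULT, {}))                # no default: refused
```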


