[
https://issues.apache.org/jira/browse/YARN-8569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16644277#comment-16644277
]
Eric Yang commented on YARN-8569:
---------------------------------
{quote}
1) We use use set_user before the method to drop privileges.
{quote}
Good catch, check_user will be applied in the next patch.
{quote}
2) Root privilege should be only used by open_file_as_nm.
{quote}
In sync_yarn_sysfs, check_nm_local_dir make sure the nm_local_dir is owned by
yarn user. This ensure the copy file operation is safe guarded against
possible path exploits. This is equivalent to next point to ensure nm local
dirs are indeed owned by yarn.
{quote}
3) We should check all in/out file paths under local dirs defined by
container_executor.cfg.
{quote}
Initialize container, launch container, launch docker container, they are all
using nm-local-dirs path passed from node manager to container executor. There
is no definition of yarn.nodemanager.local-dirs in container-executor.cfg file.
For containing the scope of this JIRA, I opened YARN-8863 to track the
proposed global pattern change.
{quote}
4) Regarding to API, I think we should allow filename specified.
{quote}
I am concerned that tokens are localized in the same nmPrivate directory. If
filename can be specified, it may increase vulnerable surface for attack to use
the REST API to copy hdfs token into sysfs directory. I don't unsure this
appear to be innocent action is safe.
{quote}5) For the mounted dir for container, for app-level information, I would
prefer to put under ...sys/fs/app/<file> instead of ...sys/fs/<file> since we
want to support per-container information in the future.{quote}
Point 4 is a bit concerning to me. I am error on side of caution. Therefore,
I do not plan to make arbitrary filename change in this JIRA. Please open a
separate one, if you feel strongly about supporting custom filename in the rest
API.
> Create an interface to provide cluster information to application
> -----------------------------------------------------------------
>
> Key: YARN-8569
> URL: https://issues.apache.org/jira/browse/YARN-8569
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: Docker
> Attachments: YARN-8569 YARN sysfs interface to provide cluster
> information to application.pdf, YARN-8569.001.patch, YARN-8569.002.patch,
> YARN-8569.003.patch, YARN-8569.004.patch, YARN-8569.005.patch,
> YARN-8569.006.patch, YARN-8569.007.patch, YARN-8569.008.patch,
> YARN-8569.009.patch, YARN-8569.010.patch, YARN-8569.011.patch
>
>
> Some program requires container hostnames to be known for application to run.
> For example, distributed tensorflow requires launch_command that looks like:
> {code}
> # On ps0.example.com:
> $ python trainer.py \
> --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
> --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
> --job_name=ps --task_index=0
> # On ps1.example.com:
> $ python trainer.py \
> --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
> --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
> --job_name=ps --task_index=1
> # On worker0.example.com:
> $ python trainer.py \
> --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
> --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
> --job_name=worker --task_index=0
> # On worker1.example.com:
> $ python trainer.py \
> --ps_hosts=ps0.example.com:2222,ps1.example.com:2222 \
> --worker_hosts=worker0.example.com:2222,worker1.example.com:2222 \
> --job_name=worker --task_index=1
> {code}
> This is a bit cumbersome to orchestrate via Distributed Shell, or YARN
> services launch_command. In addition, the dynamic parameters do not work
> with YARN flex command. This is the classic pain point for application
> developer attempt to automate system environment settings as parameter to end
> user application.
> It would be great if YARN Docker integration can provide a simple option to
> expose hostnames of the yarn service via a mounted file. The file content
> gets updated when flex command is performed. This allows application
> developer to consume system environment settings via a standard interface.
> It is like /proc/devices for Linux, but for Hadoop. This may involve
> updating a file in distributed cache, and allow mounting of the file via
> container-executor.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
