[jira] [Commented] (YARN-1253) Changes to LinuxContainerExecutor to use cgroups in unsecure mode

Mon, 30 Sep 2013 19:25:24 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13782571#comment-13782571
 ] 

Roman Shaposhnik commented on YARN-1253:
----------------------------------------

I've started doing some preliminary work on this JIRA, so hopefully I can 
explain some of the things that my patch is about to address:
  # the reason to use LCE in a non-secure mode is to be able to take advantage 
of cgroups mechanism, now perhaps cgroups functionality should be independent 
from the rest of LCE functionality, but re-using the current LCE design is also 
quite easy -- hence lets assume that for cgroups we need LCE
  # in a fully secure deployment, LCE works perfectly and makes YARN users 
correspond 1-1 with the local UNIX users provisioned on each worker node
  # in a non-secure deployment this 1-1 correspondence feels like a  burden 
that doesn't necessarily have to be there

Thus, the proposal is really to add a tiny bit of functionality to LCE where in 
a non-secure case it would be able to run all tasks under a single designated 
user (different from a user running nodemanager). On top of that, the notion of 
the YARN user (which no longer has to have a corresponding UNIX user) get 
preserved in everything else that LCE does (which really boils down to paths in 
the local filesystem used for localization).

> Changes to LinuxContainerExecutor to use cgroups in unsecure mode
> -----------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>
> When using cgroups we require LCE to be configured in the cluster to start 
> containers. 
> When LCE starts containers as the user that submitted the job. While this 
> works correctly in a secure setup, in an un-secure setup this presents a 
> couple issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to 
> any local file of other users
> Particularly, the second issue is not desirable as a user could get access to 
> ssh keys of other users in the nodes or if there are NFS mounts, get to other 
> users data outside of the cluster.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to