[
https://issues.apache.org/jira/browse/YARN-8986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16686938#comment-16686938
]
Eric Yang edited comment on YARN-8986 at 11/14/18 6:23 PM:
-----------------------------------------------------------
[~Charo Zhang] Thank you for the patch. This patch assumes the YARN user has
the ability to run the "docker" command line. This is not true in secure clusters.
[Docker access|https://docs.docker.com/install/linux/linux-postinstall/] should
be given to a trusted system admin with sudo access only. The YARN user can only
acquire privileges to run the docker command via the C version of the
container-executor binary. This ensures that we are not giving too much power
to the YARN user.

We should route the "docker network ls" check through the C version of
container-executor to perform docker operations. The decision-making process
of adding "-P" probably belongs in get_docker_run_command.

YARN_CONTAINER_RUNTIME_DOCKER_PORTS_MAPPING looks ok. Do you plan to support
specific binding of host IP? i.e. 127.0.0.1:8080:80 to restrict the container
port 80 to map to host 127.0.0.1:8080.
> publish all exposed ports to random ports when using bridge network
> -------------------------------------------------------------------
>
> Key: YARN-8986
> URL: https://issues.apache.org/jira/browse/YARN-8986
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Affects Versions: 3.1.1
> Reporter: Charo Zhang
> Assignee: Charo Zhang
> Priority: Minor
> Labels: Docker
> Fix For: 3.1.2
>
> Attachments: 20181108155450.png, YARN-8986.001.patch,
> YARN-8986.002.patch, YARN-8986.003.patch
>
>
> It's better to publish all exposed ports to random ports (-P) or support port
> mapping (-p) for bridge network when using bridge network for docker container.
>