[https://issues.apache.org/jira/browse/YARN-8986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687516#comment-16687516]
Eric Yang commented on YARN-8986:
---------------------------------
[~Charo Zhang] {quote}"If you don't want to preface the docker command with
sudo, create a Unix group called docker and add users to it", it means we just
need to add the YARN user who starts the NM java process to the docker group, and
we have done it like this in our cluster. In another case, if we try to use
/sys/fs/cgroup, we must grant the YARN user access to /sys/fs/cgroup/cpu,cpuacct,
so adding the YARN user to the docker group is not giving too much power; it just
can run the docker command without sudo access.{quote}
Unfortunately this is not an acceptable answer to the YARN community in general.
The docker command can be abused to allow parameter hijacking to get into other
people's containers or cause damage at the host level. For example, using
YARN_CONTAINER_RUNTIME_DOCKER_PORTS_MAPPING=8888:88,22 --privileged can result
in the construction of a parameter passed to docker run with the --privileged
flag, if no additional validation is done.
This is the reason that container-executor does a lot of validation before
invoking the docker commands that it crafts internally. This is to make it harder
to get full docker power and to prevent hacking of the yarn user. For a secure
cluster, the right approach to using cgroups is to create /sys/fs/cgroup/cpu/yarn
with yarn user permission to modify only this subtree, to prevent the yarn user
from damaging other programs' cgroup controls. We play by the rules that the
Hadoop community set for us.
{quote}At the same time, I am going to try performing docker operations in
container-executor to make the process of adding "-P".{quote}
Thanks for looking into doing this in container-executor.
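The validation point above, as an added illustration that is not Hadoop's container-executor code: a strict checker for a YARN_CONTAINER_RUNTIME_DOCKER_PORTS_MAPPING-style value that accepts only `host:container` pairs separated by commas, so a value carrying extra text such as a stray docker flag is rejected before any argument is built. The accepted grammar (decimal ports 1..65535, no spaces, no protocol suffix) is an assumption chosen for the example.

```c
/* Added example, not container-executor's own code. Accepted grammar
 * (an assumption for illustration):
 *   mapping := entry ("," entry)* ; entry := PORT ":" PORT ; PORT := 1..65535
 * Anything else, including spaces or extra flags, is rejected outright. */
#include <stdio.h>
#include <string.h>

/* Parse a decimal port at *p and advance *p past it. Returns 1 if valid. */
static int parse_port(const char **p) {
    const char *s = *p;
    long v = 0;
    int digits = 0;
    while (*s >= '0' && *s <= '9') {
        v = v * 10 + (*s - '0');
        if (v > 65535) return 0;        /* out of range */
        s++;
        digits++;
    }
    if (digits == 0 || v == 0) return 0; /* empty field or port 0 */
    *p = s;
    return 1;
}

/* Returns 1 only if mapping is exactly host:container[,host:container...]. */
int validate_ports_mapping(const char *mapping) {
    const char *p = mapping;
    if (mapping == NULL || *p == '\0') return 0;
    for (;;) {
        if (!parse_port(&p)) return 0;
        if (*p != ':') return 0;
        p++;
        if (!parse_port(&p)) return 0;
        if (*p == '\0') return 1;   /* whole string consumed: valid */
        if (*p != ',') return 0;    /* e.g. the space before "--privileged" */
        p++;
    }
}

int main(void) {
    /* Constructed inputs: the crafted value quoted in the comment plus benign
     * and malformed mappings. */
    const char *samples[] = { "8888:88", "8888:88,2222:22",
                              "8888:88,22 --privileged", "8888:88,", "80:0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               validate_ports_mapping(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A validated mapping should still be passed to docker as separate argv entries rather than concatenated into a shell string, so that no later layer re-parses it.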
> publish all exposed ports to random ports when using bridge network
> -------------------------------------------------------------------
>
> Key: YARN-8986
> URL: https://issues.apache.org/jira/browse/YARN-8986
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Affects Versions: 3.1.1
> Reporter: Charo Zhang
> Assignee: Charo Zhang
> Priority: Minor
> Labels: Docker
> Fix For: 3.1.2
>
> Attachments: 20181108155450.png, YARN-8986.001.patch,
> YARN-8986.002.patch, YARN-8986.003.patch
>
>
> It's better to publish all exposed ports to random ports (-P) or support port
> mapping (-p) when using bridge network for a docker container.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)