[ 
https://issues.apache.org/jira/browse/YARN-9391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796238#comment-16796238
 ] 

Eric Yang commented on YARN-9391:
---------------------------------

[~ebadger] When filtering PATH variable from environment white list, it has 
some undesired side effects for mapreduce style workload outside of docker 
container.  For example, streaming task that depends on python will not work 
anymore.

If we are looking at the problem by partition of container types, the desired 
outcome looks more like this:

| | Linux Container | Docker without EntryPoint | Docker with EntryPoint |
| Allowed variables | All white listed variables | All white listed variables + Docker specific variables + YARN User defined variables | Subset of white listed variables + YARN Docker specific variables + User defined variables |
| Shell expansion of variables | Yes | Yes | No |

It looks like the subset of variables to pass for entrypoint mode is LANG and 
TZ only. The rest will have undesired side effects.

> Disable PATH variable to be passed to Docker container
> ------------------------------------------------------
>
>                 Key: YARN-9391
>                 URL: https://issues.apache.org/jira/browse/YARN-9391
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Priority: Major
>
> This is observed from using Apache NiFi docker image.  It makes assumption 
> that PATH variable contains /bin to reference to system utility.  Where host 
> YARN environment PATH variable is default to leaked into container by 
> accident and not containing /bin path (default configuration).  In general, 
> it seems like node manager should block PATH variable from leaking into 
> container.  Not sure if there is a valid use case that host PATH variable 
> must leak into container from docker point of view.  From Hadoop point of 
> view, if container is merely a chroot, and container is a mirror image of 
> host worker dir.  It is good to keep host PATH variable the same.
> Maybe we want to be more specific that block PATH variable to leak into 
> Docker container, if it is using ENTRYPOINT only?


