[jira] [Commented] (YARN-9391) Disable PATH variable to be passed to Docker container

Tue, 19 Mar 2019 15:00:06 -0700 


    [ 
https://issues.apache.org/jira/browse/YARN-9391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796560#comment-16796560
 ] 

Jim Brennan commented on YARN-9391:
-----------------------------------

[~ebadger] I assume you are referring to the PATH variable in particular, not 
to all environment variables.

I think in this case the PATH variable is being included in the whitelist for 
the NM (for the non-docker case that [~eyang] mentioned above).   I agree that 
it is unlikely that we really need the NM's PATH variable inside of a docker 
container.   I'm a little reluctant to have the NM just skip that whitelist 
entry for docker/oci runtimes.   Currently the whitelist environment variable 
processing/script writing is done in ContainerLaunch/ContainerExecutor.   What 
is there works for the non-entry-point case (as long as the PATH is defined in 
the image, which I think we are assuming here).

For the entry point case, the environment is added to the run command in 
DockerLinuxContainerRuntime.launchContainer().

> Disable PATH variable to be passed to Docker container
> ------------------------------------------------------
>
>                 Key: YARN-9391
>                 URL: https://issues.apache.org/jira/browse/YARN-9391
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Priority: Major
>
> This is observed from using Apache NiFi docker image.  It makes assumption 
> that PATH variable contains /bin to reference to system utility.  Where host 
> YARN environment PATH variable is default to leaked into container by 
> accident and not containing /bin path (default configuration).  In general, 
> it seems like node manager should block PATH variable from leaking into 
> container.  Not sure if there is a valid use case that host PATH variable 
> must leak into container from docker point of view.  From Hadoop point of 
> view, if container is merely a chroot, and container is a mirror image of 
> host worker dir.  It is good to keep host PATH variable the same.
> Maybe we want to be more specific that block PATH variable to leak into 
> Docker container, if it is using ENTRYPOINT only?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to