[ 
https://issues.apache.org/jira/browse/YARN-9391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796597#comment-16796597
 ] 

Jim Brennan commented on YARN-9391:
-----------------------------------

[~eyang] if the concern is only for Nodemanager white-list variables leaking 
through, it may be due to this code in ContainerExecutor.writeLaunchEnv():
{noformat}
      // Add the whitelist vars to the environment.  Do this after writing
      // environment variables so they are not written twice.
      for(String var : whitelistVars) {
        if (!environment.containsKey(var)) {
          String val = getNMEnvVar(var);
          if (val != null) {
            environment.put(var, val);
          }
        }
      }
    }
{noformat}
This is adding the white-listed variables to the environment map which gets 
passed to launchContainer. In the native and non-entry-point cases, I don't 
think this is necessary, but I am not 100% sure about that - we use the launch 
script in those cases. In the entry-point case, this code is what may be adding 
the white-list variables to the environment map, which you then pass raw to the 
container.  Note that it won't add variables that were already defined by the 
user.
Do you think this might explain what you are seeing?

> Disable PATH variable to be passed to Docker container
> ------------------------------------------------------
>
>                 Key: YARN-9391
>                 URL: https://issues.apache.org/jira/browse/YARN-9391
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Priority: Major
>
> This is observed when using the Apache NiFi docker image.  It makes the 
> assumption that the PATH variable contains /bin to reference system 
> utilities.  The host YARN environment PATH variable is, by default, leaked 
> into the container by accident and does not contain the /bin path (default 
> configuration).  In general, it seems like the node manager should block the 
> PATH variable from leaking into the container.  Not sure if there is a valid 
> use case where the host PATH variable must leak into the container, from the 
> Docker point of view.  From the Hadoop point of view, if the container is 
> merely a chroot, and the container is a mirror image of the host worker dir, 
> it is good to keep the host PATH variable the same.
> Maybe we want to be more specific and block the PATH variable from leaking 
> into the Docker container, if it is using ENTRYPOINT only?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
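
An added illustration of the merge behaviour discussed in the comment above; it is not Hadoop code and not the change made for YARN-9391. The class name, the `NM_ENV` map, the `entryPoint` flag, the `HOST_ONLY` set and all sample values are constructed assumptions; only the inner merge loop mirrors the quoted excerpt.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class WhitelistEnvDemo {
    // Constructed stand-in for the NodeManager's own process environment.
    static final Map<String, String> NM_ENV = Map.of(
        "PATH", "/opt/hadoop/bin",            // constructed: no /bin entry
        "JAVA_HOME", "/usr/lib/jvm/java-8");  // constructed

    // Hypothetical: variables that should not be copied from the host
    // when the environment map is handed raw to an ENTRYPOINT container.
    static final Set<String> HOST_ONLY = Set.of("PATH");

    // Same shape as the quoted loop: copy whitelisted NodeManager variables
    // that the user did not define. The entryPoint check is the added part.
    static Map<String, String> buildEnv(Map<String, String> userEnv,
                                        List<String> whitelistVars,
                                        boolean entryPoint) {
        Map<String, String> environment = new TreeMap<>(userEnv);
        for (String var : whitelistVars) {
            if (entryPoint && HOST_ONLY.contains(var)) {
                continue; // leave the image's own value in effect
            }
            if (!environment.containsKey(var)) {
                String val = NM_ENV.get(var);
                if (val != null) {
                    environment.put(var, val);
                }
            }
        }
        return environment;
    }

    public static void main(String[] args) {
        List<String> whitelist = List.of("JAVA_HOME", "PATH", "HADOOP_CONF_DIR");
        Map<String, String> noPath = Map.of("APP_MODE", "prod");
        Map<String, String> ownPath = Map.of("PATH", "/usr/bin:/bin");

        // Unfiltered merge: the host PATH is copied in because the user set none.
        System.out.println("raw merge:       " + buildEnv(noPath, whitelist, false));
        // A user-defined PATH is never overwritten by the whitelist copy.
        System.out.println("user PATH kept:  " + buildEnv(ownPath, whitelist, false));
        // Entry-point filter: PATH is skipped, other whitelisted vars still pass.
        System.out.println("entry-point env: " + buildEnv(noPath, whitelist, true));
    }
}
```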
