[ https://issues.apache.org/jira/browse/YARN-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14012407#comment-14012407 ]

Remus Rusanu commented on YARN-1972:
------------------------------------

Some responses in the meanwhile, before I finish the design doc:

> What are the requirements on the NodeManager user?
It must be a member of the local administrators group or LocalSystem. That means 
the equivalent of *nix 'root'. This is a requirement derived from the need to 
call 
[`LoadUserProfile()`](http://msdn.microsoft.com/en-us/library/windows/desktop/bb762281(v=vs.85).aspx), 
which documents that "the caller must be an administrator or the LocalSystem 
account. It is not sufficient for the caller to merely impersonate the 
administrator or LocalSystem account." All in all, a very high privilege is 
required for NM. We are considering a future iteration in which we extract the 
privileged operations into a dedicated NT service (=daemon) and bestow the high 
privileges only on this service.

> You are launching so many commands for every container - to chown files, to 
> copy files etc.
We'll measure. The obvious problem, imho, is the many process spawns implied in 
chmod/chown/symlink, which are all implemented via winutils. I believe that 
these should be addressed by moving these operations into NativeIO and invoking 
them via JNI, avoiding the process creation cost (significant on Windows). I 
don't think that moving the localization into native code would result in much 
benefit over a proper Java implementation.

> Localizer already does createUserLocalDirs 
I didn't notice this. I've seen the DCE do this, so I assumed it needed to be done. 
As the Localizer would run as the task user, letting the Localizer create 
these dirs removes the need to chown them after creation; they will be created 
'as needed' out-of-the-box. A double win :) 

> skips things like the setting niceness 
We sure can add niceness to WCE as well, the OS supports it. I opted not to, as 
it can be added later as an incremental approach (trying to keep this patch at a 
manageable size).

>  Why cannot we simply use the localizerId?
I was getting duplicate errors because of task retries. For sure in my 
experiments (2.2 based) the localizerId was not unique enough.



> Implement secure Windows Container Executor
> -------------------------------------------
>
>                 Key: YARN-1972
>                 URL: https://issues.apache.org/jira/browse/YARN-1972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows
>         Attachments: YARN-1972.1.patch
>
>
> This work item represents the Java side changes required to implement a 
> secure windows container executor, based on the YARN-1063 changes on 
> native/winutils side. 
> Necessary changes include leveraging the winutils task createas to launch the 
> container process as the required user and a secure localizer (launch 
> localization as a separate process running as the container user).



--
This message was sent by Atlassian JIRA
(v6.2#6252)