[
https://issues.apache.org/jira/browse/YARN-3852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14629276#comment-14629276
]
Varun Vasudev commented on YARN-3852:
-------------------------------------
Thanks for the patch [~ashahab]. The patch isn't working for me. There are two
issues -
# No default value for "docker.binary". I think we should assume this to be
"docker" and allow it to be overriden.
# The docker launch fails due to
{code}
if (change_effective_user(user_uid, user_gid) != 0)
{code}
in launch_docker_container_as_user. For docker run to work, the effective user
needs to be root(something like change_effective_user(0, user_gid) is probably
the right way).
Some other issues -
#
{code}
-static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin",
0};
+static const char* DEFAULT_BANNED_USERS[] = {"mapred", "hdfs", "bin", 0};
{code}
Why are you removing the yarn user from the banned users? I'm guessing this is
due to a branch-2/trunk issue. The yarn user is banned in trunk but not in
branch-2
# A couple of formatting fixes
{code}
+ fprintf(LOGFILE, "done opening pid\n");
+ fflush(LOGFILE);
{code}
and
{code}
+ fprintf(LOGFILE, "done writing pid to tmp\n");
+ fflush(LOGFILE);
{code}
# Can we change the error message in the message below to a more descriptive
one?
{code}
+ fprintf(ERRORFILE, "Error reading\n");
+ fflush(ERRORFILE);
{code}
# In parse_docker_command_file
{code}
+ int read;
{code}
should we use ssize_t instead or int?
# In parse_docker_command_file, we have some exit(1) calls - can we change this
to use the error codes in container-executor.h?
# In run_docker
{code}
+ free(docker_binary);
+ free(args);
+ free(docker_command_with_binary);
+ free(docker_command);
+ exit_code = DOCKER_RUN_FAILED;
+ }
+ exit_code = 0;
+ return exit_code;
{code}
The exit code from the function will always be 0
# Formatting
{code}
+int create_script_paths(const char *work_dir,
+ const char *script_name, const char *cred_file,
+ char** script_file_dest, char** cred_file_dest,
+ int* container_file_source, int* cred_file_source ) {
{code}
# In create_script_paths, we use a bunch of goto's but the goto target doesn't
have any special logic or handling. Can we avoid using the goto?
#
{code}
+ //kill me now.
{code}
No need for the commentary :)
# In main.c
{code}
+ char * resources = argv[optind++];// key,value pair describing resources
+ char * resources_key = malloc(strlen(resources));
+ char * resources_value = malloc(strlen(resources));
{code}
Can we move the declarations of resources, resources_key and resources_value
out of the case block(since the same variables are used in two case blocks)?
> Add docker container support to container-executor
> ---------------------------------------------------
>
> Key: YARN-3852
> URL: https://issues.apache.org/jira/browse/YARN-3852
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: Abin Shahab
> Attachments: YARN-3852.patch
>
>
> For security reasons, we need to ensure that access to the docker daemon and
> the ability to run docker containers is restricted to privileged users ( i.e
> users running applications should not have direct access to docker). In order
> to ensure the node manager can run docker commands, we need to add docker
> support to the container-executor binary.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
