[
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Phillips updated YARN-5280:
--------------------------------
Attachment: YARN-5280.005.patch
This patch is built against branch-3.0.0-alpha1 and adds a new
LinuxContainerRuntime similar to the docker implementation. App-by-app
whitelisting is now available via application queues.
The following configurations are now available to modify the behavior of the
JVMSandboxContainerRuntime:
*yarn.nodemanager.linux-container-executor.sandbox-mode* : This yarn-site.xml
setting has three options:
* *disabled* - Default behavior. JavaSandboxLinuxContainerRuntime is disabled
* *permissive* - JVM containers will run with Java Security Manager enabled.
Non-JVM containers will run normally
* *enforcing* - JVM containers will run with Java Security Manager enabled.
Non-JVM containers will be prevented from executing and an
ContainerExecutionException will be thrown
*yarn.nodemanager.linux-container-executor.sandbox-mode.file.permissions* :
Determines the file permissions for the application directories. The
permissions come in the form of comma separated values (e.g.
read,write,execute,delete). Defaults to read for read-only.
*yarn.nodemanager.linux-container-executor.sandbox-mode.policy* : Accepts
canonical path to a java policy file on the local filesystem. This file will be
loaded as the base policy, any additional container grants will be appended to
this base file. If not specified, the default java.policy file provided in the
jar resources will be used.
*yarn.nodemanager.linux-container-executor.sandbox-mode.queue* : Optional
setting to specify a YARN queue which will be exempt from the sand-boxing
process.
> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
> Key: YARN-5280
> URL: https://issues.apache.org/jira/browse/YARN-5280
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager, yarn
> Affects Versions: 2.6.4
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Attachments: YARN-5280.005.patch, YARN-5280.patch,
> YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have
> the potential to add instability into the cluster. The Java Security Manager
> can be used to prevent users from running privileged actions while still
> allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the
> Java Security Manager for user code, while still providing complete
> permissions to core Hadoop libraries.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
