Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2019/01/02 17:58:00 UTC

[jira] [Commented] (YARN-7904) Privileged, trusted containers need all of their bind-mounted directories to be read-only

    [ https://issues.apache.org/jira/browse/YARN-7904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16732257#comment-16732257 ] 

Eric Yang commented on YARN-7904:
---------------------------------

When a privileged container is running as someone else, the root file system inside the container is managed by Docker.  The Docker sandbox directory can be cleaned up properly.  If the container mounts external volumes/directories, the data will be written as the user running inside the container.  The file permissions of the external volumes/directories must be consistent between the user in the container and the host system to ensure no file system permissions are violated.  This is handled by the YARN-7782 feature.  The only exception to the rule is when the node manager bind-mounts the working directory for logging purposes using non-entrypoint mode.  Log files would be written as the root user or other users, which can create problems that prevent the node manager from cleaning up the working directory.

Instead of making all bind-mounted directories read-only, we may want to consider blocking privileged containers from non-entrypoint mode to reduce the incompatible changes to a minimum.  Thoughts?

> Privileged, trusted containers need all of their bind-mounted directories to be read-only
> -----------------------------------------------------------------------------------------
>
>                 Key: YARN-7904
>                 URL: https://issues.apache.org/jira/browse/YARN-7904
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Assignee: Zhaohui Xin
>            Priority: Major
>              Labels: Docker
>
> Since they will be running as some other user than themselves, the NM likely won't be able to clean up after them because of permissions issues. So, to prevent this, we should make these directories read-only.


