Posted to yarn-issues@hadoop.apache.org by "Eric Badger (JIRA)" <ji...@apache.org> on 2019/03/19 15:52:00 UTC

[jira] [Commented] (YARN-9391) Disable PATH variable to be passed to Docker container

    [ https://issues.apache.org/jira/browse/YARN-9391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796216#comment-16796216 ] 

Eric Badger commented on YARN-9391:
-----------------------------------

We can already do this today by changing the whitelist to not include PATH, right [~Jim_Brennan]? 

I agree with [~eyang] that the PATH variable (or anything really) outside of the container shouldn't really be relevant inside of the container. Ideally, the image should define PATH so that it will override what the NM has. But, in the case that it isn't set, I'm not sure falling back to the NM PATH is the correct thing to do. At the best it's masking failures and at the worst it's leaking environment variable info about the host. 

And just a note, if PATH is set in the image, it will be selected over what is set in the whitelist. The only way this isn't true is if the variable was explicitly set by the user. [~Jim_Brennan] can correct me if I'm wrong on this. 

> Disable PATH variable to be passed to Docker container
> ------------------------------------------------------
>
>                 Key: YARN-9391
>                 URL: https://issues.apache.org/jira/browse/YARN-9391
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Priority: Major
>
> This is observed when using the Apache NiFi docker image.  It makes the assumption that the PATH variable contains /bin to reference system utilities.  The host YARN environment PATH variable is by default leaked into the container by accident and does not contain the /bin path (default configuration).  In general, it seems like the node manager should block the PATH variable from leaking into the container.  Not sure if there is a valid use case where the host PATH variable must leak into the container from the docker point of view.  From the Hadoop point of view, if the container is merely a chroot, and the container is a mirror image of the host worker dir, it is good to keep the host PATH variable the same.
> Maybe we want to be more specific and block the PATH variable from leaking into the Docker container, if it is using ENTRYPOINT only?


