Posted to yarn-issues@hadoop.apache.org by "Remus Rusanu (JIRA)" <ji...@apache.org> on 2014/06/03 12:04:02 UTC

[jira] [Commented] (YARN-1972) Implement secure Windows Container Executor

    [ https://issues.apache.org/jira/browse/YARN-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14016358#comment-14016358 ] 

Remus Rusanu commented on YARN-1972:
------------------------------------

[~vinodkv] I spent some time going over the 'Localizer already does createUserLocalDirs' issue, and here are my findings:

- Both the DCE and the LCE create the local dirs before invoking the localizer. The DCE does this in DefaultContainerExecutor.startLocalizer and the LCE does it in container-executor.c:initialize_app(). Both create the user local dirs (base/$user), the appcache (base/$user/appcache), the appdir (base/$user/appcache/$appid) and the log dirs. Both the DCE and the LCE use the first appdir to copy the localizer token file(s), and both use the first appdir as the current directory (cwd) when launching the localizer. The only difference between the DCE and the LCE is that the DCE also creates the user file cache (base/$user/filecache).

- The localizer, in ContainerLocalizer.initDirs(), creates the app filecache (base/$user/appcache/$appid/filecache) and the user file cache (base/$user/filecache). The localizer does not attempt to create the user local dirs (base/$user), the appcache (base/$user/appcache) or the appdir (base/$user/appcache/$appid). Since the tokens file is located in the appdir and the appdir is also the localizer cwd, the appid must exist before the localizer is launched.

So currently the only overlap between the dirs created by the DCE and the localizer is the user file cache (base/$user/filecache). The WCE was modeled to do exactly what the DCE does, with the addition of setting permissions and ownership on the directories so created. I can remove the creation of the user file cache (base/$user/filecache) from the DCE/WCE and let the localizer create it instead. The TestDefaultContainerExecutor expects the user file cache to be created by the DCE; I will also remove this expectation from the test.

> Implement secure Windows Container Executor
> -------------------------------------------
>
>                 Key: YARN-1972
>                 URL: https://issues.apache.org/jira/browse/YARN-1972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows
>         Attachments: YARN-1972.1.patch
>
>
> This work item represents the Java side changes required to implement a secure Windows container executor, based on the YARN-1063 changes on native/winutils side.
> Necessary changes include leveraging the winutils task createas to launch the container process as the required user and a secure localizer (launch localization as a separate process running as the container user).


