Posted to mapreduce-user@hadoop.apache.org by Rajesh Kartha <ka...@gmail.com> on 2015/03/26 16:16:40 UTC

Linux Container Executor (LCE) vs Default Container Executor(DCE)

Hello,

I was wondering what are the main differences between LCE and DCE under
'*simple*' Hadoop security.

From my readings LCE gives:
- granularity to control execution, like ban users, min uid
- use cgroups to control resources

While DCE uses ulimits.

In both cases the container is executed under the user submitting it.

Any further insights are appreciated.

Thanks,
Rajesh

Re: Linux Container Executor (LCE) vs Default Container Executor(DCE)

Posted by Rajesh Kartha <ka...@gmail.com>.
Thank you, Harsh!!

Are there any other ways to find the owner of the containers? I suppose
one way is doing a "*ps -ef|grep container*" and viewing the process details.

Regards,
Rajesh

On Thu, Mar 26, 2015 at 11:31 AM, Harsh J <ha...@cloudera.com> wrote:

> > In both cases the container is executed under the user submitting it.
>
> This is incorrect. The DCE executes as the NodeManager process user
> ('yarn' typically), and the LCE in non-secure mode by default runs only as
> 'nobody' (or arbitrary static user) unless asked to run as the actual user
> by switching off the static user config.
>
> On Thu, Mar 26, 2015 at 8:46 PM, Rajesh Kartha <ka...@gmail.com> wrote:
>
>> Hello,
>>
>> I was wondering what are the main differences between LCE and DCE under '
>> *simple*' Hadoop security.
>>
>> From my readings LCE gives:
>> - granularity to control execution  like ban users, min uid
>> - use cgroups to control resources
>>
>> While DCE uses ulimits.
>>
>> In both cases the container is executed under the user submitting it.
>>
>> Any further insights is appreciated.
>>
>> Thanks,
>> Rajesh
>>
>
>
>
> --
> Harsh J
>

Re: Linux Container Executor (LCE) vs Default Container Executor(DCE)

Posted by Harsh J <ha...@cloudera.com>.
> In both cases the container is executed under the user submitting it.

This is incorrect. The DCE executes as the NodeManager process user ('yarn'
typically), and the LCE in non-secure mode by default runs only as 'nobody'
(or arbitrary static user) unless asked to run as the actual user by
switching off the static user config.

On Thu, Mar 26, 2015 at 8:46 PM, Rajesh Kartha <ka...@gmail.com> wrote:

> Hello,
>
> I was wondering what are the main differences between LCE and DCE under '
> *simple*' Hadoop security.
>
> From my readings LCE gives:
> - granularity to control execution  like ban users, min uid
> - use cgroups to control resources
>
> While DCE uses ulimits.
>
> In both cases the container is executed under the user submitting it.
>
> Any further insights is appreciated.
>
> Thanks,
> Rajesh
>



-- 
Harsh J
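
The user mapping described in this reply, combined with the process-owner check asked about in the follow-up, as an added Python example that is not part of the original thread. The property names are those in Hadoop's yarn-default.xml; the sample configuration, the process list, the user 'alice' and the paths are constructed, and the secure-mode branch (LCE running as the submitting user under Kerberos) goes beyond what the thread states.

```python
import re
import xml.etree.ElementTree as ET

LCE = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
P = "yarn.nodemanager."
CONTAINER_ID = re.compile(r"container_\d+_\d+_\d+_\d+")

# Constructed yarn-site.xml: LCE selected, static-user settings left at defaults.
SAMPLE_YARN_SITE = f"""<configuration><property>
  <name>{P}container-executor.class</name><value>{LCE}</value>
</property></configuration>"""

# Constructed process-list lines in "user pid command" order, not real output.
SAMPLE_PS = """\
nobody 4211 bash /data/nm/usercache/alice/appcache/application_1427385000000_0001/container_1427385000000_0001_01_000002/launch_container.sh
alice 4388 java -Djava.io.tmpdir=/data/nm/usercache/alice/appcache/application_1427385000000_0001/container_1427385000000_0001_01_000003/tmp
yarn 1290 java -Dproc_nodemanager org.apache.hadoop.yarn.server.nodemanager.NodeManager
"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def effective_user(props, submitter, nm_user="yarn", secure=False):
    """OS account a container should run as, per the reply above."""
    if props.get(P + "container-executor.class") != LCE:
        return nm_user                 # DCE (the default): NodeManager's user
    if secure:
        return submitter               # Kerberos cluster: LCE uses the real user
    pre = P + "linux-container-executor.nonsecure-mode."
    if props.get(pre + "limit-users", "true").lower() == "true":
        return props.get(pre + "local-user", "nobody")   # static user
    return submitter                   # static-user config switched off

def mismatched_owners(ps_text, expected):
    """(pid, owner, container_id) for container processes not owned by `expected`."""
    bad = []
    for line in ps_text.splitlines():
        m = CONTAINER_ID.search(line)
        if m:
            owner, pid = line.split()[:2]
            if owner != expected:
                bad.append((int(pid), owner, m.group(0)))
    return bad

if __name__ == "__main__":
    want = effective_user(load_props(SAMPLE_YARN_SITE), "alice")
    print("expected owner:", want)
    print("mismatches:", mismatched_owners(SAMPLE_PS, want))
```

On a real NodeManager host the process list can come from `ps -eo user:20,pid,args`, which avoids the user-name truncation of `ps -ef`.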
