Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/05/23 00:54:00 UTC

[jira] [Commented] (YARN-8342) Using docker image from a non-privileged registry, the launch_command is not honored

    [ https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16486530#comment-16486530 ] 

Eric Yang commented on YARN-8342:
---------------------------------

The current behavior is documented in [YARN-7516|https://issues.apache.org/jira/browse/YARN-7516?focusedCommentId=16353125&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16353125].  A non-trusted image is not allowed to supply a launch command to the container, due to the [reason|https://issues.apache.org/jira/browse/YARN-7516?focusedCommentId=16353125&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16353125] stated by Shane.  We don't allow mounting of host disks to an untrusted image, to prevent the image from putting unauthorized files that cannot be erased in the localizer directory.  When using an untrusted image with yarn mode, this will generate a launch_container.sh that runs an empty bash command and exits immediately, according to Shane.  The end result is somewhat unexpected even though it minimized the security risks.

The solution is to set YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE=true in yarn-env.sh, and this will turn the cluster into docker mode by default.  There is no launch_container.sh required in docker mode, and we might be able to lift the drop launch command restriction.

> Using docker image from a non-privileged registry, the launch_command is not honored
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-8342
>                 URL: https://issues.apache.org/jira/browse/YARN-8342
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Wangda Tan
>            Priority: Critical
>              Labels: Docker
>
> During testing of the Docker feature, I found that if a container comes from a non-privileged docker registry, the specified launch command will be ignored. The container will succeed without any log, which is very confusing to end users. And this behavior is inconsistent with containers from privileged docker registries.
> cc: [~eyang], [~shanekumpf@gmail.com], [~ebadger], [~jlowe]


