Anton,

> It is easy to run, but what about performance and security?
>
> There are two ways:
>
> 1. True nested container. In that case we have AUFS as storage in nested
> containers. And we have to use --privileged.

Even the normal yarn may need --privileged (Because of "normal" yarn containerization)
Not sure if it would be possible to place the container workload on a docker volume.
Surely we will not want to place hadoop storage on an overlay storage.

> 2. Fake nested container when we provide docker.socket from host to YARN
> container. In that case all containers run on same level. But that way
> looks like not safe.

Having access to a docker socket is never secure, right.
But I am not sure we need to expose the docker socket even to the yarn payload.

Olaf

> On 27 December 2017 at 11:47, Roman Shaposhnik <[email protected]> wrote:
>
>> On Wed, Dec 27, 2017 at 12:13 AM, Anton Chevychalov <[email protected]>
>> wrote:
>>> Note that new YARN supports Docker as payload. So it is really difficult
>>> to put that to containers.
>>
>> It actually isn't that difficult -- nested containers are pretty easy
>> to do -- take
>> a look at how Kubernetes folks are doing it for Minikube.
>>
>> Thanks,
>> Roman.
>>
>
> --
> Anton B Chevychalov
> Team Lead at ArenaData.io
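
Both options in this thread leave a visible trace in `docker inspect` output: a privileged nested container sets `HostConfig.Privileged`, and the shared-socket variant shows the host's Docker socket as a bind mount. The following is an added example, not part of the thread or of any project code; the container names and the sample JSON are constructed, and the socket paths are assumed to be the default locations.

```python
import json

# Constructed sample shaped like `docker inspect <container>...` output.
# Container names and paths are illustrative, not taken from the thread.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/yarn-nm-nested",
  "HostConfig": {"Privileged": true, "Binds": null},
  "Mounts": []},
 {"Name": "/yarn-nm-socket",
  "HostConfig": {"Privileged": false,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/hdfs-datanode",
  "HostConfig": {"Privileged": false, "Binds": ["/data/dn:/hadoop/dfs"]},
  "Mounts": [{"Type": "bind", "Source": "/data/dn",
              "Destination": "/hadoop/dfs", "RW": true}]}
]
""")

# Assumed default socket locations on the host.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit(containers):
    """Return {container name: [issues]} for privileged or socket-sharing containers."""
    findings = {}
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        issues = []
        # Option 1 in the thread: true nesting started with --privileged.
        if host_cfg.get("Privileged"):
            issues.append("privileged")
        # Option 2 in the thread: host Docker socket handed to the container.
        # Binds can be null, so fall back to an empty list before iterating.
        sources = {m.get("Source") for m in c.get("Mounts") or []}
        sources |= {b.split(":", 1)[0] for b in host_cfg.get("Binds") or []}
        if sources & DOCKER_SOCKETS:
            issues.append("docker-socket")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(issues)}")
```

On a live host the same function can be fed the parsed output of `docker inspect $(docker ps -q)`.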
