[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16949191#comment-16949191 ]

Prabhu Joseph commented on YARN-9860:
-------------------------------------

Thanks [~eyang] and [~shaneku...@gmail.com].

> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
>                 Key: YARN-9860
>                 URL: https://issues.apache.org/jira/browse/YARN-9860
>             Project: Hadoop YARN
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>             Fix For: 3.3.0
>
>         Attachments: Screen Shot 2019-10-09 at 11.27.19 AM.png, YARN-9860-001.patch, YARN-9860-002.patch, YARN-9860-003.patch, YARN-9860-004.patch, YARN-9860-005.patch, YARN-9860-006.patch, YARN-9860-007.patch, YARN-9860-008.patch, YARN-9860-009.patch
>
>
> This task is to add support to YARN for running Docker containers in "Service Mode".
> Service Mode - Run the container as defined by the image, but still allow for injecting configuration.
> Background:
>     Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as defined in the image. However, still requires modification to official images due to user propagation
>     User propagation is problematic for running a secure cluster with sssd
>
> Implementation:
>     Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
>     Must be requested at runtime - (example: YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
>     Entrypoint mode is default enabled for this mode (If Service Mode is requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set to true)
>     Writable log mount will not be added - stdout logging may still work with entrypoint mode - remove the writable bind mounts
>     User and groups will not be propagated (now: docker run --user nobody --group-add=nobody , after: docker run )
>     Read-only resources mounted at the file level, files get chmod 777, parent directory only accessible by the run as user.
> cc [~shaneku...@gmail.com]

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16949005#comment-16949005 ]

Hudson commented on YARN-9860:
------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #17521 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/17521/])
YARN-9860. Enable service mode for Docker containers on YARN(eyang: rev 31e0122f4d4ddc4026470b45d2bf683ece137d44)
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/conf/YarnServiceConstants.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DockerLinuxContainerRuntime.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.c
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/provider/tarball/TarballProviderService.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/test/java/org/apache/hadoop/yarn/service/provider/TestProviderUtils.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/SliderFileSystem.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/api/records/ConfigFile.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/docker-util.h
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/client/ServiceClient.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/provider/ProviderUtils.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/CoreFileSystem.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948809#comment-16948809 ]

Eric Yang commented on YARN-9860:
---------------------------------

[~Prabhu Joseph] Thank you for the patch.

+1 Patch 009 looks good to me. TestFederationInterceptor transient failure is not related to this issue. Will commit today, if no objections.

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948422#comment-16948422 ]

Hadoop QA commented on YARN-9860:
---------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 1m 41s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 1m 14s | Maven dependency ordering for branch |
| +1 | mvninstall | 24m 46s | trunk passed |
| +1 | compile | 7m 49s | trunk passed |
| +1 | checkstyle | 1m 28s | trunk passed |
| +1 | mvnsite | 1m 47s | trunk passed |
| +1 | shadedclient | 16m 15s | branch has no errors when building and testing our client artifacts. |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site |
| +1 | findbugs | 2m 15s | trunk passed |
| +1 | javadoc | 1m 49s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 21s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 28s | the patch passed |
| +1 | compile | 8m 41s | the patch passed |
| +1 | cc | 8m 41s | the patch passed |
| +1 | javac | 8m 41s | the patch passed |
| +1 | checkstyle | 1m 23s | hadoop-yarn-project/hadoop-yarn: The patch generated 0 new + 92 unchanged - 1 fixed = 92 total (was 93) |
| +1 | mvnsite | 1m 39s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 13m 5s | patch has no errors when building and testing our client artifacts. |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site |
| +1 | findbugs | 2m 7s | the patch passed |
| +1 | javadoc | 1m 18s | the patch passed |
|| || || || Other Tests ||
| -1 | unit | 21m 17s | hadoop-yarn-server-nodemanager in the patch failed. |
| +1 | unit | 18m 56s | hadoop-yarn-services-core in the patch passed. |
| +1 | unit | 0m 21s | hadoop-yarn-site in the patch passed. |
| +1 | asflicense | 0m 42s | The patch does not generate ASF License warnings. |
| | | 129m 45s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.yarn.server.nodemanager.amrmpr

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948312#comment-16948312 ]

Prabhu Joseph commented on YARN-9860:
-------------------------------------

[~eyang] Have updated container-executor.cfg config table and Application submission table in the Document in [^YARN-9860-009.patch]. Thanks.

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947430#comment-16947430 ]

Hadoop QA commented on YARN-9860:
---------------------------------

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 35s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 45s | Maven dependency ordering for branch |
| +1 | mvninstall | 19m 8s | trunk passed |
| +1 | compile | 7m 51s | trunk passed |
| +1 | checkstyle | 1m 21s | trunk passed |
| +1 | mvnsite | 1m 50s | trunk passed |
| +1 | shadedclient | 15m 49s | branch has no errors when building and testing our client artifacts. |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site |
| +1 | findbugs | 1m 55s | trunk passed |
| +1 | javadoc | 1m 26s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 17s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 15s | the patch passed |
| +1 | compile | 7m 16s | the patch passed |
| +1 | cc | 7m 16s | the patch passed |
| +1 | javac | 7m 16s | the patch passed |
| +1 | checkstyle | 1m 17s | hadoop-yarn-project/hadoop-yarn: The patch generated 0 new + 91 unchanged - 1 fixed = 91 total (was 92) |
| +1 | mvnsite | 1m 39s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 13m 0s | patch has no errors when building and testing our client artifacts. |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site |
| +1 | findbugs | 2m 11s | the patch passed |
| +1 | javadoc | 1m 17s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 12s | hadoop-yarn-server-nodemanager in the patch passed. |
| +1 | unit | 18m 55s | hadoop-yarn-services-core in the patch passed. |
| +1 | unit | 0m 23s | hadoop-yarn-site in the patch passed. |
| +1 | asflicense | 0m 40s | The patch does not generate ASF License warnings. |
| | | 119m 10s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.3 Server=19.03.3

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947380#comment-16947380 ]

Prabhu Joseph commented on YARN-9860:
-------------------------------------

[~eyang] Have updated the DockerContainers.md with instructions for enabling service mode in [^YARN-9860-008.patch]. Thanks.

!Screen Shot 2019-10-09 at 11.27.19 AM.png|height=300!

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947379#comment-16947379 ]

Hadoop QA commented on YARN-9860:
---------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 0s | Docker mode activated. |
| -1 | patch | 0m 9s | YARN-9860 does not apply to trunk. Rebase required? Wrong Branch? See https://wiki.apache.org/hadoop/HowToContribute for help. |

|| Subsystem || Report/Notes ||
| JIRA Issue | YARN-9860 |
| Console output | https://builds.apache.org/job/PreCommit-YARN-Build/24939/console |
| Powered by | Apache Yetus 0.8.0 http://yetus.apache.org |

This message was automatically generated.

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947170#comment-16947170 ]

Eric Yang commented on YARN-9860:
---------------------------------

[~Prabhu Joseph] Thanks for pointing out the user error. The user principal name was misconfigured on my cluster to cause the error. There is a clear message about the error in the application master log file. I tested service mode=true and false. Both cases are working as expected and keytab file localization is set with proper permission.

Please include instructions for enabling service mode in DockerContainers.md. Thanks again.

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946765#comment-16946765 ]

Shane Kumpf commented on YARN-9860:
-----------------------------------

{quote}Have changed the Keytab file visibility to PRIVATE and left others with default APPLICATION and can be overridden by user.{quote}

I don't think we want to change existing behavior with this patch. If it was previously APPLICATION, I think it should stay APPLICATION. If it really should be PRIVATE, that should be a follow up. I expect moving those resources to private is the cause of the exception above.

[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946374#comment-16946374 ]

Eric Yang commented on YARN-9860:

[~Prabhu Joseph] Thank you for the patch 007. I tested the patch on a kerberos enabled cluster, and containers fail to launch on the cluster. Node manager error log shows:

{code}
2019-10-07 17:49:30,962 INFO org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ResourceLocalizationService: Localizer failed for container_1570493636313_0004_02_01
java.io.IOException: Application application_1570493636313_0004 initialization failed (exitCode=-1) with output: null
    at org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor.startLocalizer(LinuxContainerExecutor.java:414)
    at org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ResourceLocalizationService$LocalizerRunner.run(ResourceLocalizationService.java:1263)
Caused by: org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException: java.io.InterruptedIOException: java.lang.InterruptedException
    at org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor.executePrivilegedOperation(PrivilegedOperationExecutor.java:185)
    at org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor.startLocalizer(LinuxContainerExecutor.java:405)
    ... 1 more
Caused by: java.io.InterruptedIOException: java.lang.InterruptedException
    at org.apache.hadoop.util.Shell.runCommand(Shell.java:1011)
    at org.apache.hadoop.util.Shell.run(Shell.java:901)
    at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1213)
    at org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor.executePrivilegedOperation(PrivilegedOperationExecutor.java:154)
    ... 2 more
Caused by: java.lang.InterruptedException
    at java.lang.Object.wait(Native Method)
    at java.lang.Object.wait(Object.java:502)
    at java.lang.UNIXProcess.waitFor(UNIXProcess.java:395)
    at org.apache.hadoop.util.Shell.runCommand(Shell.java:1001)
    ... 5 more
{code}

I also checked the working directory. There is no localization of keytab file or tokens. Can you verify?
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945157#comment-16945157 ]

Hadoop QA commented on YARN-9860:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 44s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 42s | Maven dependency ordering for branch |
| +1 | mvninstall | 20m 3s | trunk passed |
| +1 | compile | 12m 27s | trunk passed |
| +1 | checkstyle | 1m 43s | trunk passed |
| +1 | mvnsite | 1m 38s | trunk passed |
| +1 | shadedclient | 18m 36s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 33s | trunk passed |
| +1 | javadoc | 1m 19s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 21s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 24s | the patch passed |
| +1 | compile | 10m 35s | the patch passed |
| +1 | cc | 10m 35s | the patch passed |
| +1 | javac | 10m 35s | the patch passed |
| +1 | checkstyle | 1m 41s | hadoop-yarn-project/hadoop-yarn: The patch generated 0 new + 91 unchanged - 1 fixed = 91 total (was 92) |
| +1 | mvnsite | 1m 27s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 15m 16s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 42s | the patch passed |
| +1 | javadoc | 1m 0s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 23m 7s | hadoop-yarn-server-nodemanager in the patch passed. |
| +1 | unit | 20m 1s | hadoop-yarn-services-core in the patch passed. |
| +1 | asflicense | 1m 4s | The patch does not generate ASF License warnings. |
| | | 137m 44s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.2 Server=19.03.2 Image:yetus/hadoop:1dde3efb91e |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12982285/YARN-9860-007.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux e14195d1a995 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 55c5436 |
| maven
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945138#comment-16945138 ]

Prabhu Joseph commented on YARN-9860:

[~eyang]

1. Have used the value of hadoop.tmp.dir for public resource directory.
2. The existing behavior by default sets APPLICATION visibility for all files to be localized including keytab.

*CoreFileSystem#createAmResource*

{code} // Setting to most private option -amResource.setVisibility(LocalResourceVisibility.APPLICATION); +if (visibility == null) { + visibility = LocalResourceVisibility.APPLICATION; +} +amResource.setVisibility(visibility); {code}

Have changed the Keytab file visibility to PRIVATE and left others with default APPLICATION and can be overridden by user.
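
Review bot: the retained comment "// Setting to most private option" above the new null check in CoreFileSystem#createAmResource no longer matches the code, because amResource.setVisibility(visibility) now applies whatever the caller passes and falls back to APPLICATION only when visibility is null. Reword the comment to say that APPLICATION is the default, and document on the method which callers are expected to pass a different value (the keytab case described in this comment), so that a change in a resource's visibility is always a deliberate choice at the call site.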
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944878#comment-16944878 ]

Eric Yang commented on YARN-9860:

[~Prabhu Joseph]

{code} + String SERVICES_PUBLIC_DIRECTORY = "/tmp/hadoop-yarn/staging/"; + {code}

I think this should map to hadoop.tmp.dir directory prefix for correctness.

I don't understand the resource localization changes in this patch. It will set keytab file visibility to application, I don't think this is correct. What is the purpose to set private resources to be application visibility?
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944829#comment-16944829 ]

Hadoop QA commented on YARN-9860:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 1m 36s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 27s | Maven dependency ordering for branch |
| +1 | mvninstall | 22m 25s | trunk passed |
| +1 | compile | 9m 6s | trunk passed |
| +1 | checkstyle | 1m 22s | trunk passed |
| +1 | mvnsite | 1m 21s | trunk passed |
| +1 | shadedclient | 15m 40s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 1m 56s | trunk passed |
| +1 | javadoc | 0m 57s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 15s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 8s | the patch passed |
| +1 | compile | 7m 51s | the patch passed |
| +1 | cc | 7m 51s | the patch passed |
| +1 | javac | 7m 51s | the patch passed |
| +1 | checkstyle | 1m 19s | hadoop-yarn-project/hadoop-yarn: The patch generated 0 new + 91 unchanged - 1 fixed = 91 total (was 92) |
| +1 | mvnsite | 1m 14s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 13m 4s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 8s | the patch passed |
| +1 | javadoc | 0m 56s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 14s | hadoop-yarn-server-nodemanager in the patch passed. |
| -1 | unit | 23m 22s | hadoop-yarn-services-core in the patch failed. |
| +1 | asflicense | 0m 39s | The patch does not generate ASF License warnings. |
| | | 127m 37s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.yarn.service.component.TestComponentDecommissionInstances |
| | hadoop.yarn.service.TestServiceAM |
| | hadoop.yarn.service.TestYarnNativeServices |
| | hadoop.yarn.service.monitor.TestServiceMonitor |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.2 Server=19.03.2 Image:yetus/hadoop:1dde3efb91e |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12982246/YARN-9860-006.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname |
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944743#comment-16944743 ]

Prabhu Joseph commented on YARN-9860:

Thanks [~eyang] and [~shaneku...@gmail.com] for reviewing. Have addressed the review comments in [^YARN-9860-006.patch].

1. Have refactored the docker-util.c with is_feature_enabled(). Tested with Native Service Job, Service Mode enable and disable works fine.
2. Regarding System.getenv("USER"), have verified that the USER environment variable of the container points to the actual user who submitted the job, irrespective of the value of yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. Containers are run as per the config, but still the staging, log directories are of job user.

{code}
container-executor when yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user = nobody
/HADOOP/hadoop-3.3.0-SNAPSHOT/bin/container-executor nobody ambari-qa
{code}
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944678#comment-16944678 ]

Prabhu Joseph commented on YARN-9860:

Please ignore [^YARN-9860-005.patch] which has a bug in docker-util.c in the refactor code. Will fix the same.
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944671#comment-16944671 ]

Hadoop QA commented on YARN-9860:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 25s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 43s | Maven dependency ordering for branch |
| +1 | mvninstall | 16m 54s | trunk passed |
| +1 | compile | 7m 27s | trunk passed |
| +1 | checkstyle | 1m 19s | trunk passed |
| +1 | mvnsite | 1m 33s | trunk passed |
| +1 | shadedclient | 14m 47s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 3s | trunk passed |
| +1 | javadoc | 1m 14s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 18s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 4s | the patch passed |
| +1 | compile | 6m 45s | the patch passed |
| +1 | cc | 6m 45s | the patch passed |
| +1 | javac | 6m 45s | the patch passed |
| +1 | checkstyle | 1m 17s | hadoop-yarn-project/hadoop-yarn: The patch generated 0 new + 92 unchanged - 1 fixed = 92 total (was 93) |
| +1 | mvnsite | 1m 25s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 12m 3s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 14s | the patch passed |
| +1 | javadoc | 1m 9s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 34s | hadoop-yarn-server-nodemanager in the patch passed. |
| +1 | unit | 19m 14s | hadoop-yarn-services-core in the patch passed. |
| +1 | asflicense | 0m 46s | The patch does not generate ASF License warnings. |
| | | 114m 7s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.1 Server=19.03.1 Image:yetus/hadoop:1dde3efb91e |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12982237/YARN-9860-005.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux dc6f6ba7b700 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 531cc93 |
| maven
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944417#comment-16944417 ]

Hadoop QA commented on YARN-9860:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 23s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 1s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 51s | Maven dependency ordering for branch |
| +1 | mvninstall | 17m 33s | trunk passed |
| +1 | compile | 7m 45s | trunk passed |
| +1 | checkstyle | 1m 18s | trunk passed |
| +1 | mvnsite | 1m 30s | trunk passed |
| +1 | shadedclient | 14m 31s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 6s | trunk passed |
| +1 | javadoc | 1m 10s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 17s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 1s | the patch passed |
| +1 | compile | 6m 53s | the patch passed |
| +1 | cc | 6m 53s | the patch passed |
| +1 | javac | 6m 53s | the patch passed |
| -0 | checkstyle | 1m 16s | hadoop-yarn-project/hadoop-yarn: The patch generated 1 new + 90 unchanged - 1 fixed = 91 total (was 91) |
| +1 | mvnsite | 1m 24s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 11m 55s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 18s | the patch passed |
| +1 | javadoc | 1m 3s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 38s | hadoop-yarn-server-nodemanager in the patch passed. |
| +1 | unit | 18m 56s | hadoop-yarn-services-core in the patch passed. |
| +1 | asflicense | 0m 47s | The patch does not generate ASF License warnings. |
| | | 114m 22s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.1 Server=19.03.1 Image:yetus/hadoop:1dde3efb91e |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12982192/YARN-9860-004.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux e383fde9def2 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 2478cba |
| m
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944124#comment-16944124 ]

Hadoop QA commented on YARN-9860:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 39s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 17s | Maven dependency ordering for branch |
| +1 | mvninstall | 19m 14s | trunk passed |
| +1 | compile | 7m 48s | trunk passed |
| +1 | checkstyle | 1m 19s | trunk passed |
| +1 | mvnsite | 1m 20s | trunk passed |
| +1 | shadedclient | 15m 27s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 1m 53s | trunk passed |
| +1 | javadoc | 0m 58s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 15s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 0s | the patch passed |
| +1 | compile | 7m 15s | the patch passed |
| +1 | cc | 7m 15s | the patch passed |
| +1 | javac | 7m 15s | the patch passed |
| -0 | checkstyle | 1m 16s | hadoop-yarn-project/hadoop-yarn: The patch generated 36 new + 91 unchanged - 1 fixed = 127 total (was 92) |
| +1 | mvnsite | 1m 14s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 13m 21s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 12s | the patch passed |
| +1 | javadoc | 0m 54s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 15s | hadoop-yarn-server-nodemanager in the patch passed. |
| +1 | unit | 18m 47s | hadoop-yarn-services-core in the patch passed. |
| +1 | asflicense | 0m 39s | The patch does not generate ASF License warnings. |
| | | 116m 41s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.2 Server=19.03.2 Image:yetus/hadoop:0e026cb0cef |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12982163/YARN-9860-003.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux c9cf1d7e1526 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 9446686 |
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942957#comment-16942957 ]

Shane Kumpf commented on YARN-9860:

{quote}It looks like we are reverting to our old habit of using 0 for true. It would be more consistent to use is_feature_enabled() method to determine if service_mode is enabled, and reduce some code debris.{quote}

Good points, I agree these comments should be addressed.

{quote}Container-executor already dup the container run output into stdout and stderr log files with proper user permission for entrypoint mode because the log files are initialized as user who runs the container executor rather than the user in the container. It works for both secure and non-secure mode. I fail to see the need to craft logging mechanism for the given reasoning for service mode. Let me know if I missed something.{quote}

Excellent, I can confirm this is working exactly how we'd want. I overlooked this before. Seems logging isn't an issue after all. Thanks for pointing that out!

I did retest the patch today and it is still working as expected. With the patch applied in my dev VM, below is the ps and logs from the official postgres image running under YARN with zero changes!

*ps:*
{code:java}
root@centos7-0:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
postgres     1     0  0 16:13 ?        00:00:00 postgres
postgres    53     1  0 16:13 ?        00:00:00 postgres: checkpointer
postgres    54     1  0 16:13 ?        00:00:00 postgres: background writer
postgres    55     1  0 16:13 ?        00:00:00 postgres: walwriter
postgres    56     1  0 16:13 ?        00:00:00 postgres: autovacuum launcher
postgres    57     1  0 16:13 ?        00:00:00 postgres: stats collector
postgres    58     1  0 16:13 ?        00:00:00 postgres: logical replication launcher
root        59     0  4 16:14 pts/0    00:00:00 bash
root        64    59  0 16:14 pts/0    00:00:00 ps -ef
{code}

*Logs:*
{code:java}
[root@y7001 ~]# yarn logs -applicationId application_1570018164872_0005 -containerId container_1570018164872_0005_01_02
2019-10-02 16:26:40,269 INFO client.RMProxy: Connecting to ResourceManager at y7001.yns.foo.com/192.168.70.211:9104
Container: container_1570018164872_0005_01_02 on y7001.yns.foo.com:9105
LogAggregationType: LOCAL
===
LogType:stdout.txt
LogLastModifiedTime:Wed Oct 02 16:13:31 + 2019
LogLength:2638
LogContents:
Launching docker container...
Docker run command: /usr/bin/docker run --name=container_1570018164872_0005_01_02 --net=host -v /tmp/hadoop-yarn/nm-local-dir/filecache/13/httpd-proxy.conf:/etc/httpd/conf.d/httpd-proxy.conf:ro --cgroup-parent=/hadoop-yarn/container_1570018164872_0005_01_02 --cap-drop=ALL --cap-add=SYS_CHROOT --cap-add=MKNOD --cap-add=SETFCAP --cap-add=SETPCAP --cap-add=FSETID --cap-add=CHOWN --cap-add=AUDIT_WRITE --cap-add=SETGID --cap-add=NET_RAW --cap-add=FOWNER --cap-add=SETUID --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_BIND_SERVICE --hostname=centos7-0.skumpftest.hadoopuser.ynsdev --env-file /tmp/hadoop-yarn/nm-local-dir/nmPrivate/application_1570018164872_0005/container_1570018164872_0005_01_02/docker.container_1570018164872_0005_01_028354800474788286290.env library/postgres
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default timezone ... Etc/UTC
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok
Success. You can now start the database server using:
pg_ctl -D /var/lib/postgresql/data -l logfile start
waiting for server to start2019-10-02 16:13:31.231 UTC [43] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-10-02 16:13:31.253 UTC [44] LOG: database system was shut down at 2019-10-02 16:13:30 UTC
2019-10-02 16:13:31.259 UTC [43] LOG: database system is ready to accept connections
done
server started
/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
waiting for server to shut down...2019-10-02 16:13:31.322 UTC [43] LOG: received fast shutdown request
.2019-10-02 16:13:31.325 UTC [43] LOG: aborting any active transactions
2019-10-02 16:13:31.329 UTC [43] LOG: background worker "logi
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942921#comment-16942921 ]

Eric Yang commented on YARN-9860:

{quote}That code does the opposite of what you stated, user is only passed when service mode is NOT enabled, which is what we want.{quote}

It looks like we are reverting to our old habit of using 0 for true. It would be more consistent to use is_feature_enabled() method to determine if service_mode is enabled, and reduce some code debris.

{quote}You are spot on that this will be an issue. The challenge is that if we mount the read-write log dirs into the container and the container user isn't the user YARN expects, the writes could fail or YARN may be unable to clean up the logs. I talked with Craig on this a bit and he had some interesting thoughts on how we might handle it with fuse. For the sake of this patch, I didn't want to get bogged down in the details there, given this has enough going already. Could we address logging in a follow up? In the meantime, with debug delay enabled, doing a docker logs on the exited container will allow admins to take a look, since the output redirection typically done by YARN is dropped in Service Mode.{quote}

Container-executor already [dup|https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c#L1982] the container run output into stdout and stderr log files with proper user permission for entrypoint mode because the log files are initialized as user who runs the container executor rather than the user in the container. It works for both secure and non-secure mode. I fail to see the need to craft logging mechanism for the given reasoning for service mode. Let me know if I missed something.
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942833#comment-16942833 ]

Eric Badger commented on YARN-9860:

{quote}You are spot on that this will be an issue. The challenge is that if we mount the read-write log dirs into the container and the container user isn't the user YARN expects, the writes could fail or YARN may be unable to clean up the logs. I talked with Craig on this a bit and he had some interesting thoughts on how we might handle it with fuse. For the sake of this patch, I didn't want to get bogged down in the details there, given this has enough going already. Could we address logging in a follow up? In the meantime, with debug delay enabled, doing a docker logs on the exited container will allow admins to take a look, since the output redirection typically done by YARN is dropped in Service Mode.{quote}

I'm ok having a followup for this. My comment was mostly for my own information. I'm not opposed to the feature, I just think it might be a little bit difficult to deal with if there are configuration issues or other issues that cause the containers to fail. I think that debug delay to not remove containers for a while after completion could be a useful debugging tool, though.
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942699#comment-16942699 ]

Shane Kumpf commented on YARN-9860:

{quote}Can you give more clear definition of service mode?{quote}

To simplify it the best I can, in Service Mode, YARN does not set the user (--user and --group-add) when running the container. The rest of the changes are in support of dropping the user in this mode. A simple use case where this is needed is running the official postgres image without modification. Note that this mode is disabled by default to limit any security implications.

{quote}I don't understand the reason to add --user= parameter only when service mode is enabled.{quote}

That code does the opposite of what you stated, user is only passed when service mode is NOT enabled, which is what we want.

{quote}If there are no log directories, how would you attack debugging container failures?{quote}

You are spot on that this will be an issue. The challenge is that if we mount the read-write log dirs into the container and the container user isn't the user YARN expects, the writes could fail or YARN may be unable to clean up the logs. I talked with Craig on this a bit and he had some interesting thoughts on how we might handle it with fuse. For the sake of this patch, I didn't want to get bogged down in the details there, given this has enough going already. Could we address logging in a follow up? In the meantime, with debug delay enabled, doing a {{docker logs}} on the exited container will allow admins to take a look, since the output redirection typically done by YARN is dropped in Service Mode.

I've done extensive testing of an earlier version of this patch and it addresses the use case and works as expected. I'm going to do some additional testing today with the patch here to make sure there are no regressions.
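An added example (not part of the original comments or of Hadoop's code): a small Python audit that reads `Docker run command:` lines like the one in the container log quoted earlier in this thread and reports whether `--user`/`--group-add` were passed, which bind mounts are writable, and which added capabilities merit review. The log lines, container names, the second image name and the `REVIEW_CAPS` set are constructed assumptions.

```python
import shlex

MARKER = "Docker run command:"

# Options whose value may follow as a separate token instead of --opt=value.
VALUE_FLAGS = {"-v", "--volume", "-u", "--user", "--group-add", "--env-file",
               "--name", "--net", "--hostname", "--cgroup-parent",
               "--cap-add", "--cap-drop"}
ALIASES = {"-v": "--volume", "-u": "--user"}

# Assumption made for this example: capabilities to call out for review when
# the container process starts as whatever user the image defines.
REVIEW_CAPS = {"SETUID", "SETGID", "DAC_OVERRIDE", "CHOWN", "FOWNER"}

# Constructed log lines (not taken from a real cluster).
SAMPLE_LOG = """\
Launching docker container...
Docker run command: /usr/bin/docker run --name=container_EXAMPLE_01 --net=host -v /tmp/nm-local-dir/filecache/13/app.conf:/etc/app/app.conf:ro --cap-drop=ALL --cap-add=SETGID --cap-add=SETUID --cap-add=DAC_OVERRIDE --cap-add=NET_BIND_SERVICE --env-file /tmp/nm-local-dir/nmPrivate/container_EXAMPLE_01/docker.env library/postgres
Launching docker container...
Docker run command: /usr/bin/docker run --name=container_EXAMPLE_02 --user=nobody --group-add=nobody -v /tmp/logs/container_EXAMPLE_02:/var/log/app:rw --cap-drop=ALL --cap-add=NET_BIND_SERVICE library/example-image
"""


def extract_run_commands(log_text):
    """Return the command string of every 'Docker run command:' log line."""
    commands = []
    for line in log_text.splitlines():
        pos = line.find(MARKER)
        if pos != -1:
            commands.append(line[pos + len(MARKER):].strip())
    return commands


def parse_docker_run(command):
    """Split a docker run command into options, bind mounts and image."""
    tokens = shlex.split(command)
    if "run" not in tokens:
        raise ValueError("not a docker run command")
    i = tokens.index("run") + 1
    opts, image = {}, None
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            image = tok  # first positional token is the image
            break
        if tok.startswith("--") and "=" in tok:
            key, value = tok.split("=", 1)
        elif tok in VALUE_FLAGS and i + 1 < len(tokens):
            key, value = tok, tokens[i + 1]
            i += 1
        else:
            key, value = tok, True  # boolean switch
        opts.setdefault(ALIASES.get(key, key), []).append(value)
        i += 1
    mounts = []
    for spec in opts.get("--volume", []):
        parts = spec.split(":")
        if len(parts) == 1:  # anonymous volume: only a container path
            mounts.append((None, parts[0], "rw"))
        else:
            mode = parts[2] if len(parts) > 2 else "rw"  # docker defaults to rw
            mounts.append((parts[0], parts[1], mode))
    return {"opts": opts, "mounts": mounts, "image": image}


def audit(command):
    """Summarise the identity, mount and capability settings of one launch."""
    run = parse_docker_run(command)
    opts = run["opts"]
    users = opts.get("--user", [])
    groups = opts.get("--group-add", [])
    added = {c.upper() for c in opts.get("--cap-add", [])}
    dropped = {c.upper() for c in opts.get("--cap-drop", [])}
    return {
        "name": opts.get("--name", [None])[0],
        "image": run["image"],
        "user": users[-1] if users else None,
        # No --user and no --group-add: the image decides who the process is.
        "user_not_propagated": not users and not groups,
        "writable_mounts": [dst for _, dst, mode in run["mounts"]
                            if "ro" not in mode.split(",")],
        "drops_all_caps": "ALL" in dropped,
        "review_caps": sorted(added & REVIEW_CAPS),
    }


def audit_log(log_text):
    """Audit every docker run command found in a container stdout log."""
    return [audit(cmd) for cmd in extract_run_commands(log_text)]


if __name__ == "__main__":
    for row in audit_log(SAMPLE_LOG):
        print(row)
```
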
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942423#comment-16942423 ] Eric Yang commented on YARN-9860: - Patch 002 uses System.getenv("USER") to determine the current running user. This may grab the yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user which is different than the user that store files for public resource directory. {code} @@ -1640,12 +1675,14 @@ int get_docker_run_command(const char *command_file, const struct configuration privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION, &command_config); if (privileged == NULL || strcmp(privileged, "false") == 0) { -char *user_buffer = make_string("--user=%s", user); -ret = add_to_args(args, user_buffer); -free(user_buffer); -if (ret != 0) { - ret = BUFFER_TOO_SMALL; - goto free_and_exit; +if (service_mode_enabled != 0) { + char *user_buffer = make_string("--user=%s", user); + ret = add_to_args(args, user_buffer); + free(user_buffer); + if (ret != 0) { +ret = BUFFER_TOO_SMALL; +goto free_and_exit; + } } no_new_privileges_enabled = get_configuration_value("docker.no-new-privileges.enabled", 
@@ -1725,9 +1762,11 @@ int get_docker_run_command(const char *command_file, const struct configuration goto free_and_exit; } {code} I don't understand the reason to add --user= parameter only when service mode is enabled. Need more clarity on what service mode is, and what it tries to do with enabling application visibility. Is service mode trying to get a root like container without giving actual root access?
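Review bot: In the first hunk, the new guard `if (service_mode_enabled != 0)` wraps the `--user=%s` argument, so the name reads as "service mode is on" while the branch it protects is the one that adds the user, which the issue description says service mode must omit. Either the sense is inverted or 0 is being used to mean enabled; store the setting as a plain boolean where non-zero means service mode is on, write the guard as `if (!service_mode_enabled)`, and add a one-line comment that service mode leaves the user to the image. A test that asserts `--user` is absent when service mode is requested and present otherwise would pin the intended behaviour.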
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942403#comment-16942403 ]

Eric Yang commented on YARN-9860:

[~Prabhu Joseph] [~shaneku...@gmail.com] Can you give a clearer definition of service mode? From the code, I cannot tell how configuration is injected, and how this mode is an improvement to what is available. Thanks
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942244#comment-16942244 ]

Prabhu Joseph commented on YARN-9860:

Thanks [~ebadger] for reviewing. Will update you on the above comment.
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939893#comment-16939893 ]

Hadoop QA commented on YARN-9860:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 46s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 44s | Maven dependency ordering for branch |
| +1 | mvninstall | 17m 34s | trunk passed |
| +1 | compile | 8m 6s | trunk passed |
| +1 | checkstyle | 1m 22s | trunk passed |
| +1 | mvnsite | 1m 30s | trunk passed |
| +1 | shadedclient | 14m 35s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 9s | trunk passed |
| +1 | javadoc | 1m 13s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 16s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 6s | the patch passed |
| +1 | compile | 7m 15s | the patch passed |
| +1 | cc | 7m 15s | the patch passed |
| +1 | javac | 7m 15s | the patch passed |
| -0 | checkstyle | 1m 14s | hadoop-yarn-project/hadoop-yarn: The patch generated 36 new + 92 unchanged - 1 fixed = 128 total (was 93) |
| +1 | mvnsite | 1m 23s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 13m 3s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 19s | the patch passed |
| +1 | javadoc | 1m 3s | the patch passed |
|| || || || Other Tests ||
| -1 | unit | 21m 26s | hadoop-yarn-server-nodemanager in the patch failed. |
| +1 | unit | 18m 52s | hadoop-yarn-services-core in the patch passed. |
| +1 | asflicense | 0m 43s | The patch does not generate ASF License warnings. |
| | | 116m 34s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.yarn.server.nodemanager.amrmproxy.TestFederationInterceptor |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.1 Server=19.03.1 Image:yetus/hadoop:efed4450bf1 |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12981574/YARN-9860-002.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux a31e0ccc6b1a 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939677#comment-16939677 ]

Eric Badger commented on YARN-9860:

If there are no log directories, how would you attack debugging container failures?
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939534#comment-16939534 ]

Prabhu Joseph commented on YARN-9860:

[~skumpf] [~sunilg] Can you review this Jira when you get time. This provides service mode for Docker containers on YARN. The testcase failures are not related and have raised YARN-9862 to fix the same. Thanks.
[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN
[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939354#comment-16939354 ]

Hadoop QA commented on YARN-9860:

| (x) -1 overall |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 29s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 50s | Maven dependency ordering for branch |
| +1 | mvninstall | 17m 47s | trunk passed |
| +1 | compile | 7m 20s | trunk passed |
| +1 | checkstyle | 1m 22s | trunk passed |
| +1 | mvnsite | 1m 33s | trunk passed |
| +1 | shadedclient | 14m 50s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 6s | trunk passed |
| +1 | javadoc | 1m 14s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 17s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 3s | the patch passed |
| +1 | compile | 6m 41s | the patch passed |
| +1 | cc | 6m 41s | the patch passed |
| +1 | javac | 6m 41s | the patch passed |
| -0 | checkstyle | 1m 17s | hadoop-yarn-project/hadoop-yarn: The patch generated 5 new + 92 unchanged - 1 fixed = 97 total (was 93) |
| +1 | mvnsite | 1m 24s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 12m 5s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 2m 13s | the patch passed |
| +1 | javadoc | 1m 9s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 21m 28s | hadoop-yarn-server-nodemanager in the patch passed. |
| -1 | unit | 19m 20s | hadoop-yarn-services-core in the patch failed. |
| +1 | asflicense | 0m 41s | The patch does not generate ASF License warnings. |
| | | 114m 57s | |

|| Subsystem || Report/Notes ||
| Docker | Client=19.03.1 Server=19.03.1 Image:yetus/hadoop:efed4450bf1 |
| JIRA Issue | YARN-9860 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12981534/YARN-9860-001.patch |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle cc |
| uname | Linux 27658fe680d3 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 8a9ede5 |
| maven | versi