[ 
https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16314127#comment-16314127
 ] 

Wangda Tan commented on YARN-7468:
----------------------------------

Thanks [~xgong],

1) Instead of reusing OutboundBandwidthResourceHandler, I suggest directly 
implementing the tagging class from ResourceHandler, since 
OutboundBandwidthResourceHandler is an empty class.

2) In the configuration, I suggest adding new configs to 
yarn.nodemanager.network-tagging.*, and not touching existing configs.

3) Similarly, inside ResourceHandlerModule, add a new method (like 
getNetworkTaggingHandler).

4) Inside NetworkPacketTaggingHandlerImpl, it looks like the 
containerIdClassIdMap is not read by anyone. I think we can simplify the impl a 
bit by removing containerIdClassIdMap; we may not need to do anything inside 
reacquireContainer either.

5) Suggestion for NetworkTagMappingParser: I think what we really need is not a 
parser; instead we need an abstraction to get the classid from Container. So I 
recommend:
- initial -> initialize
- getNetworkTagID, changing parameter from username to 
{{org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container}}

> Provide means for container network policy control
> --------------------------------------------------
>
>                 Key: YARN-7468
>                 URL: https://issues.apache.org/jira/browse/YARN-7468
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: nodemanager
>            Reporter: Clay B.
>            Assignee: Xuan Gong
>            Priority: Minor
>         Attachments: YARN-7468.trunk.1.patch, YARN-7468.trunk.1.patch, 
> YARN-7468.trunk.2.patch, YARN-7468.trunk.2.patch, [YARN-7468] [Design] 
> Provide means for container network policy control.pdf
>
>
> To prevent data exfiltration from a YARN cluster, it would be very helpful to 
> have "firewall" rules able to map to a user/queue's containers.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
