[ https://issues.apache.org/jira/browse/YARN-7729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16329001#comment-16329001 ]
Shane Kumpf edited comment on YARN-7729 at 1/17/18 4:55 PM:
------------------------------------------------------------

Thanks for the patch, [~billie.rinaldi]! I tested this out and it works as expected. A couple of minor items to address.

# The javadoc in DockerLinuxContainerRuntime is missing the new environment variable YARN_CONTAINER_RUNTIME_DOCKER_CONTAINER_PID_NAMESPACE
# The yarn-site and container-executor.cfg settings aren't consistent; yarn-site uses host-pid-namespace, while container-executor uses pid-host. Perhaps it would be good to make them consistent.
# Currently the value for docker.pid-host.enabled is 1/0. To align with YARN-7717 this should be a case insensitive true/false. Given this is a new option, I would eliminate support for 1/0 completely on this config.
# Formatting was changed within {{TestDockerContainerRuntime#testLaunchPrivilegedContainersInvalidEnvVar}}, but I don't think that is necessary.
{code:java}
List<String> dockerCommands = Files.readAllLines(
    Paths.get(dockerCommandFile), Charset.forName("UTF-8"));
{code}
# Minor copy/paste comment error in {{TestDockerContainerRuntime#testLaunchPidNamespaceContainersInvalidEnvVar}}
{code:java}
//ensure --privileged isn't in the invocation
Assert.assertTrue("Unexpected --privileged in docker run args : " + command,
    !command.contains("--privileged"));
{code}

> Add support for setting the PID namespace mode
> ----------------------------------------------
>
>                 Key: YARN-7729
>                 URL: https://issues.apache.org/jira/browse/YARN-7729
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Shane Kumpf
>            Assignee: Billie Rinaldi
>            Priority: Major
>         Attachments: YARN-7729.001.patch, YARN-7729.002.patch
>
>
> Docker has support for allowing containers to share the PID namespace with
> the host or other containers via the {{docker run --pid}} flag.
> There are a number of use cases where this is desirable:
> * Monitoring tools running in containers that need access to the host level
> PIDs.
> * Debug containers that can attach to another container to run strace, gdb,
> etc.
> * Testing Docker on YARN in a container, where the docker socket is bind
> mounted.
> Enabling this feature should be considered privileged as it exposes host
> details inside the container.
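
Added example, not part of the original message or of the YARN patch: a C sketch of the fail-closed gate that item 3 of the comment and the issue description point toward, where docker.pid-host.enabled accepts only a case-insensitive true/false and a request for the host PID namespace is refused otherwise. The function names, the enum, and the rule that only the mode "host" is accepted are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of the gate. All names here are hypothetical, not YARN's own. */
enum pid_decision { PID_DEFAULT, PID_HOST, PID_DENIED, PID_INVALID };

/* Accept only "true"/"false" in any case; 1/0, yes/no, empty and NULL
 * are parse errors. Returns 0 and sets *out on success, -1 otherwise. */
static int parse_strict_bool(const char *value, bool *out) {
  if (value == NULL) return -1;
  if (strcasecmp(value, "true") == 0) { *out = true; return 0; }
  if (strcasecmp(value, "false") == 0) { *out = false; return 0; }
  return -1;
}

/* cfg_value: raw docker.pid-host.enabled value (NULL if unset).
 * requested: PID namespace asked for by the container (NULL/"" if none).
 * Assumption: "host" is the only mode this sketch accepts. */
enum pid_decision decide_pid_namespace(const char *cfg_value,
                                       const char *requested) {
  bool enabled = false;
  if (requested == NULL || requested[0] == '\0') return PID_DEFAULT;
  if (strcmp(requested, "host") != 0) return PID_INVALID;
  /* Fail closed: an unparseable setting is treated as disabled. */
  if (parse_strict_bool(cfg_value, &enabled) != 0 || !enabled) return PID_DENIED;
  return PID_HOST;
}

int main(void) {
  /* Constructed sample inputs: {config value, requested mode}. */
  const char *cases[][2] = {
    {"TRUE", "host"}, {"1", "host"}, {"false", "host"},
    {"true", "container:abc"}, {"true", ""},
  };
  static const char *names[] = {"default", "--pid=host", "denied", "invalid"};
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    printf("cfg=%-5s requested=%-13s -> %s\n", cases[i][0], cases[i][1],
           names[decide_pid_namespace(cases[i][0], cases[i][1])]);
  }
  return 0;
}
```

Treating a legacy "1" as a parse error rather than as true means a stale or mistyped setting leaves host PID sharing off instead of silently on.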