[ https://issues.apache.org/jira/browse/YARN-7654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16420659#comment-16420659 ]

Eric Yang commented on YARN-7654:
---------------------------------

[~jlowe] {quote}
I strongly disagree here. It is much more dangerous to try to place the untrusted 
environment variable settings on the docker command-line directly rather than 
in a separate file that can only be interpreted as env settings by docker. The 
envfile approach drastically simplifies this implementation, makes it much more 
secure, and reduces the need to significantly lengthen an already potentially 
very long docker run command line.{quote}

There are some quirks with the env file.  On Mac, it doesn't function the same for 
key/value pairs that are quoted.  When both --env-file and -e are specified, the 
evaluation order is env file then -e.  The small inconsistency around this area 
is unsettling for me.  Another concern is that the ENV file is in the localizer 
directory, and a job submitter can use an identical filename to override the file.  
The YARN service API allows payloads of configuration files to the localizer directory; 
this may allow a user to shoot himself in the foot.

When using execvp, we know that the -e k=v are static arguments, and there is 
no shell expansion.  The ARG_MAX limit helps to safeguard the overall size to prevent 
buffer overflow.  The output is written to stdout.txt for debugging purposes.  
It is more resilient and user friendly to implement as -e pairs.  This is the 
reason that I am more in favor of the cmd section approach.  
[~billie.rinaldi] [~shaneku...@gmail.com] [~ebadger], we need a tie breaker.  
Please chime in on the env-file vs cmd section to compose -e.

{quote}So ignore the code in the vsnprintf manpage, but the point of the 
comment is still valid{quote}

Agree, I have written a variant in string-utils.c to improve the string 
formatting issue.  It will be included in the next patch.

> Support ENTRY_POINT for docker container
> ----------------------------------------
>
>                 Key: YARN-7654
>                 URL: https://issues.apache.org/jira/browse/YARN-7654
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>    Affects Versions: 3.1.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7654.001.patch, YARN-7654.002.patch, 
> YARN-7654.003.patch, YARN-7654.004.patch, YARN-7654.005.patch, 
> YARN-7654.006.patch, YARN-7654.007.patch
>
>
> A Docker image may have ENTRY_POINT predefined, but this is not supported in 
> the current implementation.  It would be nice if we can detect the existence of 
> {{launch_command}} and, based on this variable, launch the docker container in 
> different ways:
> h3. Launch command exists
> {code}
> docker run [image]:[version]
> docker exec [container_id] [launch_command]
> {code}
> h3. Use ENTRY_POINT
> {code}
> docker run [image]:[version]
> {code}
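The "-e pairs via execvp" argument above (each untrusted key=value as its own argv element, no shell, total size bounded by an ARG_MAX-derived budget) as an added illustration in C. This is example code written for this page, not Hadoop's container-executor; the function names, the key-name check and the caller-supplied `budget` parameter are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only POSIX-style names [A-Za-z_][A-Za-z0-9_]*; '=' or spaces in a key would alter the -e argument. */
int valid_env_key(const char *k) {
    if (!k || !(isalpha((unsigned char)k[0]) || k[0] == '_')) return 0;
    for (const char *p = k + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_')) return 0;
    return 1;
}

void free_argv(char **argv) {
    for (char **p = argv; *p; p++) free(*p);
    free(argv);
}

/* Build a NULL-terminated argv for:  docker run -e K1=V1 ... -e Kn=Vn IMAGE
   Each pair is one argv element for execvp, so no shell ever sees the values
   ("$(id)", backticks, spaces reach docker literally).  'budget' caps the bytes
   (strings + pointer slots) allowed, e.g. a fraction of sysconf(_SC_ARG_MAX). */
char **build_docker_argv(const char *image, const char **keys,
                         const char **vals, size_t n, long budget) {
    size_t i = 0, argc = 2 + 2 * n + 1;           /* docker run [-e K=V]... image */
    char **argv = calloc(argc + 1, sizeof *argv); /* +1 for the terminating NULL */
    if (!argv) return NULL;
    argv[i++] = strdup("docker");
    argv[i++] = strdup("run");
    for (size_t j = 0; j < n; j++) {
        if (!valid_env_key(keys[j])) goto fail;
        size_t len = strlen(keys[j]) + strlen(vals[j]) + 2;
        char *kv = malloc(len);
        if (!kv) goto fail;
        snprintf(kv, len, "%s=%s", keys[j], vals[j]);
        argv[i++] = strdup("-e");
        argv[i++] = kv;
    }
    argv[i++] = strdup(image);
    long used = (long)((argc + 1) * sizeof *argv);
    for (size_t k = 0; k < argc; k++) {           /* any NULL here is a failed strdup */
        if (!argv[k]) goto fail;
        used += (long)strlen(argv[k]) + 1;
    }
    if (used <= budget) return argv;              /* ready for execvp(argv[0], argv) */
fail:                                             /* bad key, OOM or over budget */
    free_argv(argv);
    return NULL;
}
```

The value `$(id)` survives as literal bytes inside `FOO=$(id)` because execvp performs no word splitting or expansion; the same string interpolated into a `sh -c` command line would be executed.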



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
