[ 
https://issues.apache.org/jira/browse/YARN-8259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497266#comment-16497266
 ] 

Shane Kumpf commented on YARN-8259:
-----------------------------------

Thanks for the feedback, [~ebadger].
{quote}if the yarn user is whitelisted for hidepid, then isn't that going to 
get you basically the same situation as checking pids as a privileged user?
{quote}
Perhaps non-starter was a bit harsh. I do see what you mean, but I think they 
are a bit different. To clarify, if the admin has explicitly enabled hidepid, 
allowing yarn to bypass that protection via c-e would be surprising behavior, 
IMO. If hidepid is disabled or the yarn user is explicitly whitelisted, then 
the admin should not be surprised that the yarn user can see all pids.

> Revisit liveliness checks for Docker containers
> -----------------------------------------------
>
>                 Key: YARN-8259
>                 URL: https://issues.apache.org/jira/browse/YARN-8259
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.2, 3.2.0, 3.1.1
>            Reporter: Shane Kumpf
>            Assignee: Shane Kumpf
>            Priority: Blocker
>              Labels: Docker
>         Attachments: YARN-8259.001.patch
>
>
> As privileged containers may execute as a user that does not match the YARN 
> run as user, sending the null signal for liveliness checks could fail. We 
> need to reconsider how liveliness checks are handled in the Docker case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
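
The failure mode in the issue description, as an added example (not code from YARN's container-executor or from the attached patch): a null-signal check with kill(pid, 0) fails with EPERM rather than ESRCH when the target process belongs to a different user, so a checker that treats every error as "dead" misreports a live privileged container. The enum and function names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical verdicts for a null-signal liveness probe. */
enum liveness { PROC_ALIVE, PROC_ALIVE_NO_PERM, PROC_GONE, PROC_UNKNOWN };

/* Map the return value and errno of kill(pid, 0) to a verdict.
 * EPERM means the process exists but the caller may not signal it,
 * which is the case for a container running as another user. */
enum liveness classify_null_signal(int rc, int err) {
    if (rc == 0) return PROC_ALIVE;
    if (err == EPERM) return PROC_ALIVE_NO_PERM;
    if (err == ESRCH) return PROC_GONE;
    return PROC_UNKNOWN;
}

/* Probe one pid. pid <= 0 addresses process groups in kill(2),
 * so it is rejected instead of being probed. */
enum liveness check_pid(pid_t pid) {
    if (pid <= 0) return PROC_UNKNOWN;
    errno = 0;
    int rc = kill(pid, 0);
    return classify_null_signal(rc, errno);
}

/* Fork a child that exits at once, reap it, and return its pid,
 * which then no longer names a process. Returns -1 if fork fails. */
pid_t spawn_and_reap(void) {
    pid_t child = fork();
    if (child == 0) _exit(0);
    if (child > 0) waitpid(child, NULL, 0);
    return child;
}

int main(void) {
    static const char *names[] = { "alive", "alive (EPERM, other user)",
                                   "gone", "unknown" };
    pid_t dead = spawn_and_reap();
    printf("self:         %s\n", names[check_pid(getpid())]);
    printf("reaped child: %s\n", names[check_pid(dead)]);
    /* The EPERM branch needs a process owned by another user;
     * the errno mapping is exercised directly here. */
    printf("EPERM maps to: %s\n", names[classify_null_signal(-1, EPERM)]);
    return 0;
}
```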
