[
https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16621224#comment-16621224
]
Jason Lowe commented on YARN-6456:
----------------------------------
My apologies for the delay -- I missed the last comment being posted.
Since there's quite a bit of discussion around the allowed images part of this
patch, I think it would make sense to separate that part of it from the rest of
the patch. Technically all I think we really need here is the default image so
the Docker container runtime knows how to force a particular image when the
user didn't request a Docker container. The allowed images feature is a
nice-to-have thing that does not seem completely necessary, and we can file a
followup JIRA to add the ability to limit not only to a set of trusted
registries but also to a specified set of images. The allowed images
discussion can then be moved there, unblocking this one.
> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>
> Key: YARN-6456
> URL: https://issues.apache.org/jira/browse/YARN-6456
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: nodemanager
> Reporter: Miklos Szegedi
> Assignee: Craig Condit
> Priority: Major
> Labels: Docker
> Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch,
> YARN-6456.001.patch, YARN-6456.002.patch, YARN-6456.003.patch
>
>
>
> With LCE, there are multiple ContainerRuntimes available for handling
> different types of containers; default, docker, java sandbox. Admins should
> have the ability to override the user decision and set a single global
> ContainerRuntime to be used for all containers.
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different
> workloads, even, if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs
> {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and
> userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see
> and modify the files of another container. I think the application file cache
> directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be
> enough?
> 3. There is no way to enforce exclusive use of Docker for all containers.
> There should be an option that it is not the user but the admin that requires
> to use Docker.
> {quote}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
