[ https://issues.apache.org/jira/browse/YARN-6456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16621224#comment-16621224 ]
Jason Lowe commented on YARN-6456:
----------------------------------

My apologies for the delay -- I missed the last comment being posted. Since there's quite a bit of discussion around the allowed images part of this patch, I think it would make sense to separate that part of it from the rest of the patch. Technically all I think we really need here is the default image so the Docker container runtime knows how to force a particular image when the user didn't request a Docker container. The allowed images feature is a nice-to-have thing that does not seem completely necessary, and we can file a followup JIRA to add the ability to limit not only to a set of trusted registries but also to a specified set of images. The allowed images discussion can then be moved there, unblocking this one.

> Allow administrators to set a single ContainerRuntime for all containers
> ------------------------------------------------------------------------
>
>                 Key: YARN-6456
>                 URL: https://issues.apache.org/jira/browse/YARN-6456
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Miklos Szegedi
>            Assignee: Craig Condit
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-6456-ForceDockerRuntimeIfSupported.patch, YARN-6456.001.patch, YARN-6456.002.patch, YARN-6456.003.patch
>
>
> With LCE, there are multiple ContainerRuntimes available for handling different types of containers; default, docker, java sandbox. Admins should have the ability to override the user decision and set a single global ContainerRuntime to be used for all containers.
>
> Original Description:
> {quote}One reason to use Docker containers is to be able to isolate different workloads, even, if they run as the same user.
> I have noticed some issues in the current design:
> 1. DockerLinuxContainerRuntime mounts containerLocalDirs {{nm-local-dir/usercache/user/appcache/application_1491598755372_0011/}} and userLocalDirs {{nm-local-dir/usercache/user/}}, so that a container can see and modify the files of another container. I think the application file cache directory should be enough for the container to run in most of the cases.
> 2. The whole cgroups directory is mounted. Would the container directory be enough?
> 3. There is no way to enforce exclusive use of Docker for all containers. There should be an option that it is not the user but the admin that requires to use Docker.
> {quote}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)