[ 
https://issues.apache.org/jira/browse/YARN-10867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384623#comment-17384623
 ] 

Chi Heng commented on YARN-10867:
---------------------------------

Hi [~ebadger]

First, regardless of security issues, {{YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS}} will 
be turned into a -v arg when the docker container starts (docker does this using a Linux 
bind mount). I suppose it is not suitable for /dev/fuse, GPU, RDMA or other 
devices. Actually I tried to mount a device as a volume into docker, but the device 
can't be used in the container.

And back to security issues, actually I just need some docker capabilities like 
'SYS_ADMIN'. But since I can't mount a device into the container, I had to request a 
privileged docker container to complete this job ('--privileged'), where devices 
are included by default. Thus the problem became complex. The privileged container 
runs as the root user, so log aggregation can't work normally. And the user 
which submitted the application is used to call the docker command, so I had to 
add all non-privileged users into the docker group.

I suppose it is not a good idea to use a privileged container to complete this 
job; exposing a new ENV like '{{YARN_CONTAINER_RUNTIME_DOCKER_DEVICES}}' may be 
a better option.

> YARN should expose a ENV used to map a custom device into docker container
> --------------------------------------------------------------------------
>
>                 Key: YARN-10867
>                 URL: https://issues.apache.org/jira/browse/YARN-10867
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Chi Heng
>            Priority: Major
>
> In some scenarios, like mounting a FUSE in docker, the user needs to map a custom 
> device (e.g. /dev/fuse) into the docker container. I notice that an adddevice 
> method is defined in 
> [hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java|https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/docker/DockerRunCommand.java], 
> so I suppose that an ENV or config property should be exposed to the user to 
> call this method.
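The comment above describes the core of the problem: a bind mount (-v) does not grant device access, and falling back to --privileged turns a request for one capability into root on the host kernel. The sketch below is an added example, not code from the Hadoop project and not the addDevice API of DockerRunCommand; it shows, in Python rather than the nodemanager's Java, how a device list supplied through an environment variable (the proposed YARN_CONTAINER_RUNTIME_DOCKER_DEVICES name is taken from the comment) could be validated against an operator allowlist and translated into docker --device arguments, so the launch fails closed instead of widening to --privileged. The allowlist contents, the helper names and the sample inputs are all constructed for the example.

```python
"""Hypothetical nodemanager-side validation for a device pass-through setting.

Added example, not Hadoop code. Assumed names: ALLOWED_DEVICES (an operator
allowlist that would live in nodemanager config), parse_device_spec,
build_device_args and docker_run_argv.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed allowlist: only devices an operator has explicitly approved may be
# mapped. Anything else (disks, tty devices, ...) is refused.
ALLOWED_DEVICES: FrozenSet[str] = frozenset({"/dev/fuse", "/dev/infiniband/uverbs0"})

# docker run --device accepts src[:dst[:perms]] with perms drawn from r, w, m.
_PERMS = re.compile(r"^[rwm]{1,3}$")


@dataclass(frozen=True)
class DeviceMapping:
    source: str
    destination: str
    permissions: str

    def to_docker_arg(self) -> str:
        return f"--device={self.source}:{self.destination}:{self.permissions}"


def _normalise(path: str) -> str:
    """Collapse '..' segments and insist on an absolute path."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        raise ValueError(f"device path must be absolute: {path!r}")
    return norm


def parse_device_spec(spec: str) -> DeviceMapping:
    """Parse one 'src[:dst[:perms]]' entry in the shape docker --device uses."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"malformed device spec: {spec!r}")
    source = _normalise(parts[0])
    destination = _normalise(parts[1]) if len(parts) > 1 and parts[1] else source
    perms = parts[2] if len(parts) > 2 else "rwm"
    if not _PERMS.fullmatch(perms) or len(set(perms)) != len(perms):
        raise ValueError(f"bad device permissions {perms!r} in {spec!r}")
    return DeviceMapping(source, destination, perms)


def build_device_args(env_value: str,
                      allowlist: FrozenSet[str] = ALLOWED_DEVICES) -> List[str]:
    """Turn a comma-separated env value into --device args, failing closed.

    Every source must be on the allowlist after normalisation, so a value such as
    '/dev/fuse/../sda' is rejected as /dev/sda rather than slipping through on a
    prefix match. Destinations are confined to /dev so a device node cannot be
    mapped over an arbitrary path inside the container.
    """
    args: List[str] = []
    for raw in filter(None, (s.strip() for s in env_value.split(","))):
        mapping = parse_device_spec(raw)
        if mapping.source not in allowlist:
            raise ValueError(f"device {mapping.source} not permitted by allowlist")
        if not mapping.destination.startswith("/dev/"):
            raise ValueError(f"destination must be under /dev: {mapping.destination}")
        args.append(mapping.to_docker_arg())
    return args


def docker_run_argv(image: str, devices_env: str, run_as_user: str,
                    capabilities: List[str]) -> List[str]:
    """Assemble a docker run command that keeps the submitting user and adds only
    the named capabilities plus the allowlisted devices; never --privileged."""
    argv = ["docker", "run", "--rm", "--user", run_as_user]
    argv += [f"--cap-add={cap}" for cap in capabilities]
    argv += build_device_args(devices_env)
    argv.append(image)
    return argv


if __name__ == "__main__":
    # Constructed usage: a FUSE job that needs SYS_ADMIN but not a privileged container.
    print(" ".join(docker_run_argv("example/fuse-job:1", "/dev/fuse", "1001:1001",
                                   ["SYS_ADMIN"])))
```

With this shape, the nodemanager keeps two separate decisions that --privileged collapses into one: which capabilities the container gets (here only SYS_ADMIN, as the comment says the job needs) and which device nodes it may see (only those the operator listed). The container still runs as the submitting user, so the log aggregation problem described above does not arise.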



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
