<p><b>IMPORTANT</b> Enabling this feature and running Docker containers in your cluster has security implications. Given Docker’s integration with many powerful kernel features, it is imperative that administrators understand <aclass="externalLink"href="https://docs.docker.com/engine/security/security/">Docker security</a> before enabling this feature.</p></section><section>
<h2><aname="Overview"></a>Overview</h2>
<p><aclass="externalLink"href="https://www.docker.io/">Docker</a> combines an easy-to-use interface to Linux containers with easy-to-construct image files for those containers. In short, Docker enables users to bundle an application together with its preferred execution environment to be executed on a target machine. For more information about Docker, see their <aclass="externalLink"href="http://docs.docker.com">documentation</a>.</p>
<p>The Linux Container Executor (LCE) allows the YARN NodeManager to launch YARN containers to run either directly on the host machine or inside Docker containers. The application requesting the resources can specify for each container how it should be executed. The LCE also provides enhanced security and is required when deploying a secure cluster. When the LCE launches a YARN container to execute in a Docker container, the application can specify the Docker image to be used.</p>
<p>Docker containers provide a custom execution environment in which the application’s code runs, isolated from the execution environment of the NodeManager and other applications. These containers can include special libraries needed by the application, and they can have different versions of native tools and libraries including Perl, Python, and Java. Docker containers can even run a different flavor of Linux than what is running on the NodeManager.</p>
<p>Docker for YARN provides both consistency (all YARN containers will have the same software environment) and isolation (no interference with whatever is installed on the physical machine).</p></section><section>
<p>The LCE requires that container-executor binary be owned by root:hadoop and have 6050 permissions. In order to launch Docker containers, the Docker daemon must be running on all NodeManager hosts where Docker containers will be launched. The Docker client must also be installed on all NodeManager hosts where Docker containers will be launched and able to start Docker containers.</p>
<p>To prevent timeouts while starting jobs, any large Docker images to be used by an application should already be loaded in the Docker daemon’s cache on the NodeManager hosts. A simple way to load an image is by issuing a Docker pull request. For example:</p>
<divclass="source">
<divclass="source">
<pre> sudo docker pull library/openjdk:8
</pre></div></div>
<p>The following properties should be set in yarn-site.xml:</p>
Optional. The minimum acceptable GID for a remapped user. Users belonging
to any group with a GID lower than this value will not be allowed to
launch containers when user remapping is enabled.
</description>
</property>
</configuration>
</pre></div></div>
<p>In addition, a container-executor.cfg file must exist and contain settings for the container executor. The file must be owned by root with permissions 0400. The format of the file is the standard Java properties file format, for example</p>
<divclass="source">
<divclass="source">
<pre>`key=value`
</pre></div></div>
<p>The following properties are required to enable Docker support:</p>
<tdalign="left"> The Unix group of the NodeManager. It should match the yarn.nodemanager.linux-container-executor.group in the yarn-site.xml file. </td></tr>
</tbody>
</table>
<p>The container-executor.cfg must contain a section to determine the capabilities that containers are allowed. It contains the following properties:</p>
<tableborder="0"class="bodyTable">
<thead>
<trclass="a">
<thalign="left">Configuration Name </th>
<thalign="left"> Description </th></tr>
</thead><tbody>
<trclass="b">
<tdalign="left"><code>module.enabled</code></td>
<tdalign="left"> Must be “true” or “false” to enable or disable launching Docker containers respectively. Default value is 0. </td></tr>
<trclass="a">
<tdalign="left"><code>docker.binary</code></td>
<tdalign="left"> The binary used to launch Docker containers. /usr/bin/docker by default. </td></tr>
<tdalign="left"> Comma separated networks that containers are allowed to use. If no network is specified when launching the container, the default Docker network will be used. </td></tr>
<tdalign="left"> Comma separated directories that containers are allowed to mount in read-only mode. By default, no directories are allowed to mounted. </td></tr>
<tdalign="left"> Comma separated directories that containers are allowed to mount in read-write mode. By default, no directories are allowed to mounted. </td></tr>
<tdalign="left"> Set to “true” or “false” to enable or disable using the host’s PID namespace. Default value is “false”. </td></tr>
<tdalign="left"> Set to “true” or “false” to enable or disable launching privileged containers. Default value is “false”. </td></tr>
<tdalign="left"> Comma separated list of privileged docker registries for running privileged docker containers. By default, no registries are defined. </td></tr>
<tdalign="left"> Comma separated list of trusted docker registries for running trusted privileged docker containers. By default, no registries are defined. </td></tr>
<tdalign="left"> Integer value to check docker container readiness. Each inspection is set with 3 seconds delay. Default value of 10 will wait 30 seconds for docker container to become ready before marked as container failed. </td></tr>
<tdalign="left"> Set to “true” or “false” to enable or disable docker container service mode. Default value is “false”. </td></tr>
</tbody>
</table>
<p>Please note that if you wish to run Docker containers that require access to the YARN local directories, you must add them to the docker.allowed.rw-mounts list.</p>
<p>In addition, containers are not permitted to mount any parent of the container-executor.cfg directory in read-write mode.</p>
<p>The following properties are optional:</p>
<tableborder="0"class="bodyTable">
<thead>
<trclass="a">
<thalign="left">Configuration Name </th>
<thalign="left"> Description </th></tr>
</thead><tbody>
<trclass="b">
<tdalign="left"><code>min.user.id</code></td>
<tdalign="left"> The minimum UID that is allowed to launch applications. The default is no minimum </td></tr>
<trclass="a">
<tdalign="left"><code>banned.users</code></td>
<tdalign="left"> A comma-separated list of usernames who should not be allowed to launch applications. The default setting is: yarn, mapred, hdfs, and bin. </td></tr>
<tdalign="left"> A comma-separated list of usernames who should be allowed to launch applications even if their UIDs are below the configured minimum. If a user appears in allowed.system.users and banned.users, the user will be considered banned. </td></tr>
<tdalign="left"> Must be “true” or “false”. “false” means traffic control commands are disabled. “true” means traffic control commands are allowed. </td></tr>
<p>In order to work with YARN, there are two requirements for Docker images.</p>
<p>First, the Docker container will be explicitly launched with the application owner as the container user. If the application owner is not a valid user in the Docker image, the application will fail. The container user is specified by the user’s UID. If the user’s UID is different between the NodeManager host and the Docker image, the container may be launched as the wrong user or may fail to launch because the UID does not exist. See <ahref="#user-management">User Management in Docker Container</a> section for more details.</p>
<p>Second, the Docker image must have whatever is expected by the application in order to execute. In the case of Hadoop (MapReduce or Spark), the Docker image must contain the JRE and Hadoop libraries and have the necessary environment variables set: JAVA_HOME, HADOOP_COMMON_PATH, HADOOP_HDFS_HOME, HADOOP_MAPRED_HOME, HADOOP_YARN_HOME, and HADOOP_CONF_DIR. Note that the Java and Hadoop component versions available in the Docker image must be compatible with what’s installed on the cluster and in any other Docker images being used for other tasks of the same job. Otherwise the Hadoop components started in the Docker container may be unable to communicate with external Hadoop components.</p>
<p>If a Docker image has a <aclass="externalLink"href="https://docs.docker.com/engine/reference/builder/#cmd">command</a> set, the behavior will depend on whether the <code>YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE</code> is set to true. If so, the command will be overridden when LCE launches the image with YARN’s container launch script.</p>
<p>If a Docker image has an entry point set and YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE is set to true, launch_command will be passed to ENTRYPOINT program as CMD parameters in Docker. The format of launch_command looks like: param1,param2 and this translates to CMD [ “param1”,“param2” ] in Docker.</p>
<p>If an application requests a Docker image that has not already been loaded by the Docker daemon on the host where it is to execute, the Docker daemon will implicitly perform a Docker pull command. Both MapReduce and Spark assume that tasks which take more that 10 minutes to report progress have stalled, so specifying a large Docker image may cause the application to fail.</p></section><section>
<p>The Docker plugin utilizes cgroups to limit resource usage of individual containers. Since launched containers belong to YARN, the command line option <code>--cgroup-parent</code> is used to define the appropriate control group.</p>
<p>Docker supports two different cgroups driver: <code>cgroupfs</code> and <code>systemd</code>. Note that only <code>cgroupfs</code> is supported - attempt to launch a Docker container with <code>systemd</code> results in the following, similar error message:</p>
Shell error output: /usr/bin/docker-current: Error response from daemon: cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice".
See '/usr/bin/docker-current run --help'.
Shell output: main : command provided 4
</pre></div></div>
<p>This means you have to reconfigure the Docker deamon on each host where <code>systemd</code> driver is used.</p>
<p>Depending on what OS Hadoop is running on, reconfiguration might require different steps. However, if <code>systemd</code> was chosen for cgroups driver, it is likely that the <code>systemctl</code> command is available on the system.</p>
<p>Check the <code>ExecStart</code> property of the Docker daemon:</p>
<divclass="source">
<divclass="source">
<pre>~$ systemctl show --no-pager --property=ExecStart docker.service
<p>This example shows that the <code>native.cgroupdriver</code> is <code>systemd</code>. You have to modify that in the unit file of the daemon.</p>
<divclass="source">
<divclass="source">
<pre>~$ sudo systemctl edit --full docker.service
</pre></div></div>
<p>This brings up the whole configuration for editing. Just replace the <code>systemd</code> string to <code>cgroupfs</code>. Save the changes and restart both the systemd and Docker daemon:</p>
<p>Before attempting to launch a Docker container, make sure that the LCE configuration is working for applications requesting regular YARN containers. If after enabling the LCE one or more NodeManagers fail to start, the cause is most likely that the ownership and/or permissions on the container-executor binary are incorrect. Check the logs to confirm.</p>
<p>In order to run an application in a Docker container, set the following environment variables in the application’s environment:</p>
<tdalign="left"> Determines whether an application will be launched in a Docker container. If the value is “docker”, the application will be launched in a Docker container. Otherwise a regular process tree container will be used. </td></tr>
<tdalign="left"> Names which image will be used to launch the Docker container. Any image name that could be passed to the Docker client’s run command may be used. The image name may include a repo prefix. </td></tr>
<tdalign="left"> Controls whether the Docker container’s default command is overridden. When set to true, the Docker container’s command will be “bash <i>path_to_launch_script</i>”. When unset or set to false, the Docker container’s default command is used. </td></tr>
<tdalign="left"> Sets the network type to be used by the Docker container. It must be a valid value as determined by the yarn.nodemanager.runtime.linux.docker.allowed-container-networks property. </td></tr>
<tdalign="left"> Allows a user to specify ports mapping for the bridge network Docker container. The value of the environment variable should be a comma-separated list of ports mapping. It’s the same to “-p” option for the Docker run command. If the value is empty, “-P” will be added. </td></tr>
<tdalign="left"> Controls which PID namespace will be used by the Docker container. By default, each Docker container has its own PID namespace. To share the namespace of the host, the yarn.nodemanager.runtime.linux.docker.host-pid-namespace.allowed property must be set to true. If the host PID namespace is allowed and this environment variable is set to host, the Docker container will share the host’s PID namespace. No other value is allowed. </td></tr>
<tdalign="left"> Controls whether the Docker container is a privileged container. In order to use privileged containers, the yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed property must be set to true, and the application owner must appear in the value of the yarn.nodemanager.runtime.linux.docker.privileged-containers.acl property. If this environment variable is set to true, a privileged Docker container will be used if allowed. No other value is allowed, so the environment variable should be left unset rather than setting it to false. </td></tr>
<tdalign="left"> Adds additional volume mounts to the Docker container. The value of the environment variable should be a comma-separated list of mounts. All such mounts must be given as <code>source:dest[:mode]</code> and the mode must be “ro” (read-only) or “rw” (read-write) to specify the type of access being requested. If neither is specified, read-write will be assumed. The mode may include a bind propagation option. In that case, the mode should either be of the form <code>[option]</code>, <code>rw+[option]</code>, or <code>ro+[option]</code>. Valid bind propagation options are shared, rshared, slave, rslave, private, and rprivate. The requested mounts will be validated by container-executor based on the values set in container-executor.cfg for <code>docker.allowed.ro-mounts</code> and <code>docker.allowed.rw-mounts</code>. </td></tr>
<tdalign="left"> Adds additional tmpfs mounts to the Docker container. The value of the environment variable should be a comma-separated list of absolute mount points within the container. </td></tr>
<tdalign="left"> Allows a user to request delayed deletion of the Docker container on a per container basis. If true, Docker containers will not be removed until the duration defined by yarn.nodemanager.delete.debug-delay-sec has elapsed. Administrators can disable this feature through the yarn-site property yarn.nodemanager.runtime.linux.docker.delayed-removal.allowed. This feature is disabled by default. When this feature is disabled or set to false, the container will be removed as soon as it exits. </td></tr>
<tdalign="left"> Enable mounting of container working directory sysfs sub-directory into Docker container /hadoop/yarn/sysfs. This is useful for populating cluster information into container. </td></tr>
<tdalign="left"> Enable Service Mode which runs the docker container as defined by the image but does not set the user (–user and –group-add). </td></tr>
<tdalign="left"> Sets the docker client config using which docker container executor can access the remote docker image. </td></tr>
</tbody>
</table>
<p>The first two are required. The remainder can be set as needed. While controlling the container type through environment variables is somewhat less than ideal, it allows applications with no awareness of YARN’s Docker support (such as MapReduce and Spark) to nonetheless take advantage of it through their support for configuring the application environment.</p>
<p>Once an application has been submitted to be launched in a Docker container, the application will behave exactly as any other YARN application. Logs will be aggregated and stored in the relevant history server. The application life cycle will be the same as for a non-Docker application.</p></section><section>
<p><b>WARNING</b> Care should be taken when enabling this feature. Enabling access to directories such as, but not limited to, /, /etc, /run, or /home is not advisable and can result in containers negatively impacting the host or leaking sensitive information. <b>WARNING</b></p>
<p>Files and directories from the host are commonly needed within the Docker containers, which Docker provides through <aclass="externalLink"href="https://docs.docker.com/engine/tutorials/dockervolumes/">volumes</a>. Examples include localized resources, Apache Hadoop binaries, and sockets. To facilitate this need, YARN-6623 added the ability for administrators to set a whitelist of host directories that are allowed to be bind mounted as volumes into containers. YARN-5534 added the ability for users to supply a list of mounts that will be mounted into the containers, if allowed by the administrative whitelist.</p>
<p>In order to make use of this feature, the following must be configured.</p>
<ul>
<li>The administrator must define the volume whitelist in container-executor.cfg by setting <code>docker.allowed.ro-mounts</code> and <code>docker.allowed.rw-mounts</code> to the list of parent directories that are allowed to be mounted.</li>
<li>The application submitter requests the required volumes at application submission time using the <code>YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS</code> environment variable.</li>
</ul>
<p>The administrator supplied whitelist is defined as a comma separated list of directories that are allowed to be mounted into containers. The source directory supplied by the user must either match or be a child of the specified directory.</p>
<p>The user supplied mount list is defined as a comma separated list in the form <i>source</i>:<i>destination</i> or <i>source</i>:<i>destination</i>:<i>mode</i>. The source is the file or directory on the host. The destination is the path within the container where the source will be bind mounted. The mode defines the mode the user expects for the mount, which can be ro (read-only) or rw (read-write). If not specified, rw is assumed. The mode may also include a bind propagation option (shared, rshared, slave, rslave, private, or rprivate). In that case, the mode should be of the form <i>option</i>, rw+<i>option</i>, or ro+<i>option</i>.</p>
<p>The following example outlines how to use this feature to mount the commonly needed /sys/fs/cgroup directory into the container running on YARN.</p>
<p>The administrator sets docker.allowed.ro-mounts in container-executor.cfg to “/sys/fs/cgroup”. Applications can now request that “/sys/fs/cgroup” be mounted from the host into the container in read-only mode.</p>
<p>At application submission time, the YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS environment variable can then be set to request this mount. In this example, the environment variable would be set to “/sys/fs/cgroup:/sys/fs/cgroup:ro”. The destination path is not restricted, “/sys/fs/cgroup:/cgroup:ro” would also be valid given the example admin whitelist.</p></section><section>
<h2><aname="User_Management_in_Docker_Container"></a><ahref="#user-management"></a>User Management in Docker Container</h2>
<p>YARN’s Docker container support launches container processes using the uid:gid identity of the user, as defined on the NodeManager host. User and group name mismatches between the NodeManager host and container can lead to permission issues, failed container launches, or even security holes. Centralizing user and group management for both hosts and containers greatly reduces these risks. When running containerized applications on YARN, it is necessary to understand which uid:gid pair will be used to launch the container’s process.</p>
<p>As an example of what is meant by uid:gid pair, consider the following. By default, in non-secure mode, YARN will launch processes as the user <code>nobody</code> (see the table at the bottom of <ahref="./NodeManagerCgroups.html">Using CGroups with YARN</a> for how the run as user is determined in non-secure mode). On CentOS based systems, the <code>nobody</code> user’s uid is <code>99</code> and the <code>nobody</code> group is <code>99</code>. As a result, YARN will call <code>docker run</code> with <code>--user 99:99</code>. If the <code>nobody</code> user does not have the uid <code>99</code> in the container, the launch may fail or have unexpected results.</p>
<p>One exception to this rule is the use of Privileged Docker containers. Privileged containers will not set the uid:gid pair when launching the container and will honor the USER or GROUP entries in the Dockerfile. This allows running privileged containers as any user which has security implications. Please understand these implications before enabling Privileged Docker containers.</p>
<p>There are many ways to address user and group management. Docker, by default, will authenticate users against <code>/etc/passwd</code> (and <code>/etc/shadow</code>) within the container. Using the default <code>/etc/passwd</code> supplied in the Docker image is unlikely to contain the appropriate user entries and will result in launch failures. It is highly recommended to centralize user and group management. Several approaches to user and group management are outlined below.</p><section>
<h3><aname="Static_user_management"></a>Static user management</h3>
<p>The most basic approach to managing user and groups is to modify the user and group within the Docker image. This approach is only viable in non-secure mode where all container processes will be launched as a single known user, for instance <code>nobody</code>. In this case, the only requirement is that the uid:gid pair of the nobody user and group must match between the host and container. On a CentOS based system, this means that the nobody user in the container needs the UID <code>99</code> and the nobody group in the container needs GID <code>99</code>.</p>
<p>One approach to change the UID and GID is by leveraging <code>usermod</code> and <code>groupmod</code>. The following sets the correct UID and GID for the nobody user/group.</p>
<divclass="source">
<divclass="source">
<pre>usermod -u 99 nobody
groupmod -g 99 nobody
</pre></div></div>
<p>This approach is not recommended beyond testing given the inflexibility to add users.</p></section><section>
<h3><aname="Bind_mounting"></a>Bind mounting</h3>
<p>When organizations already have automation in place to create local users on each system, it may be appropriate to bind mount /etc/passwd and /etc/group into the container as an alternative to modifying the container image directly. To enable the ability to bind mount /etc/passwd and /etc/group, update <code>docker.allowed.ro-mounts</code> in <code>container-executor.cfg</code> to include those paths. When submitting the application, <code>YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS</code> will need to include <code>/etc/passwd:/etc/passwd:ro</code> and <code>/etc/group:/etc/group:ro</code>.</p>
<p>There are several challenges with this bind mount approach that need to be considered.</p>
<olstyle="list-style-type: decimal">
<li>Any users and groups defined in the image will be overwritten by the host’s users and groups</li>
<li>No users and groups can be added once the container is started, as /etc/passwd and /etc/group are immutible in the container. Do not mount these read-write as it can render the host inoperable.</li>
</ol>
<p>This approach is not recommended beyond testing given the inflexibility to modify running containers.</p></section><section>
<h3><aname="SSSD"></a>SSSD</h3>
<p>An alternative approach that allows for centrally managing users and groups is SSSD. System Security Services Daemon (SSSD) provides access to different identity and authentication providers, such as LDAP or Active Directory.</p>
<p>The traditional schema for Linux authentication is as follows:</p>
<p>We can bind-mount the UNIX sockets SSSD communicates over into the container. This will allow the SSSD client side libraries to authenticate against the SSSD running on the host. As a result, user information does not need to exist in /etc/passwd of the docker image and will instead be serviced by SSSD.</p>
<p>Step by step configuration for host and container:</p>
<olstyle="list-style-type: decimal">
<li>Host config</li>
</ol>
<ul>
<li>Install packages
<divclass="source">
<divclass="source">
<pre># yum -y install sssd-common sssd-proxy
</pre></div></div>
</li>
<li>create a PAM service for the container.
<divclass="source">
<divclass="source">
<pre># cat /etc/pam.d/sss_proxy
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
</pre></div></div>
</li>
<li>create SSSD config file, /etc/sssd/sssd.conf Please note that the permissions must be 0600 and the file must be owned by root:root.
<divclass="source">
<divclass="source">
<pre># cat /etc/sssd/sssd/conf
[sssd]
services = nss,pam
config_file_version = 2
domains = proxy
[nss]
[pam]
[domain/proxy]
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = sss_proxy
</pre></div></div>
</li>
<li>start sssd
<divclass="source">
<divclass="source">
<pre># systemctl start sssd
</pre></div></div>
</li>
<li>verify a user can be retrieved with sssd
<divclass="source">
<divclass="source">
<pre># getent passwd -s sss localuser
</pre></div></div>
</li>
</ul>
<olstyle="list-style-type: decimal">
<li>Container setup</li>
</ol>
<p>It’s important to bind-mount the /var/lib/sss/pipes directory from the host to the container since SSSD UNIX sockets are located there.</p>
<divclass="source">
<divclass="source">
<pre>-v /var/lib/sss/pipes:/var/lib/sss/pipes:rw
</pre></div></div>
<olstyle="list-style-type: decimal">
<li>Container config</li>
</ol>
<p>All the steps below should be executed on the container itself.</p>
<ul>
<li>
<p>Install only the sss client libraries</p>
<divclass="source">
<divclass="source">
<pre># yum -y install sssd-client
</pre></div></div>
</li>
<li>
<p>make sure sss is configured for passwd and group databases in</p>
<divclass="source">
<divclass="source">
<pre>/etc/nsswitch.conf
</pre></div></div>
</li>
<li>
<p>configure the PAM service that the application uses to call into SSSD</p>
<divclass="source">
<divclass="source">
<pre># cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
<p>Privileged docker container can interact with host system devices. This can cause harm to host operating system without proper care. In order to mitigate risk of allowing privileged container to run on Hadoop cluster, we implemented a controlled process to sandbox unauthorized privileged docker images.</p>
<p>The default behavior disallows any privileged docker containers. Privileged docker is only allowed with ENTRYPOINT enabled docker image, and <code>docker.privileged-containers.enabled</code> is set to enabled. Docker image can run with root privileges in the docker container, but access to host level devices are disabled. This allows developer and tester to run docker images from internet with some restrictions to prevent harm to host operating system.</p>
<p>When docker images have been certified by developers and testers to be trustworthy. The trusted image can be promoted to trusted docker registry. System administrator can define <code>docker.trusted.registries</code>, and setup private docker registry server to promote trusted images. System administrator may choose to allow official docker images from Docker Hub to be part of trusted registries. “library” is the name to use for trusting official docker images. Container-executor.cfg example:</p>
<divclass="source">
<divclass="source">
<pre>[docker]
docker.privileged-containers.enabled=true
docker.trusted.registries=library
</pre></div></div>
<p>Fine grained access control can also be defined using <code>docker.privileged-containers.registries</code> to allow only a subset of Docker images to run as privileged containers. If <code>docker.privileged-containers.registries</code> is not defined, YARN will fall back to use <code>docker.trusted.registries</code> as access control for privileged Docker images. Fine grained access control example:</p>
<p>In development environment, local images can be tagged with a repository name prefix to enable trust. The recommendation of choosing a repository name is using a local hostname and port number to prevent accidentially pulling docker images from Docker Hub or use reserved Docker Hub keyword: “local”. Docker run will look for docker images on Docker Hub, if the image does not exist locally. Using a local hostname and port in image name can prevent accidental pulling of canonical images from docker hub. Example of tagging image with localhost:5000 as trusted registry:</p>
<divclass="source">
<divclass="source">
<pre>docker tag centos:latest localhost:5000/centos:latest
</pre></div></div>
<p>Let’s say you have an Ubuntu-based image with some changes in the local repository and you wish to use it. The following example tags the <code>local_ubuntu</code> image:</p>
<divclass="source">
<divclass="source">
<pre>docker tag local_ubuntu local/ubuntu:latest
</pre></div></div>
<p>Next, you have to add <code>local</code> to <code>docker.trusted.registries</code>. The image can be referenced by using <code>local/ubuntu</code>.</p>
<p>Trusted images are allowed to mount external devices such as HDFS via NFS gateway, or host level Hadoop configuration. If system administrators allow writing to external volumes using <code>docker.allow.rw-mounts directive</code>, privileged docker container can have full control of host level files in the predefined volumes.</p>
<p>For <ahref="./yarn-service/Examples.html">YARN Service HTTPD example</a>, container-executor.cfg must define centos docker registry to be trusted for the example to run.</p></section><section>
<p>On restart, the NodeManager, as part of the NodeManager’s recovery process, will validate that a container is still running by checking for the existence of the container’s PID directory in the /proc filesystem. For security purposes, operating system administrator may enable the <i>hidepid</i> mount option for the /proc filesystem. If the <i>hidepid</i> option is enabled, the <i>yarn</i> user’s primary group must be whitelisted by setting the gid mount flag similar to below. Without the <i>yarn</i> user’s primary group whitelisted, container reacquisition will fail and the container will be killed on NodeManager restart.</p>
<h2><aname="Connecting_to_a_Docker_Trusted_Registry"></a>Connecting to a Docker Trusted Registry</h2>
<p>The Docker client command will draw its configuration from the default location, which is $HOME/.docker/config.json on the NodeManager host. The Docker configuration is where secure repository credentials are stored, so use of the LCE with secure Docker repos is discouraged using this method.</p>
<p>YARN-5428 added support to Distributed Shell for securely supplying the Docker client configuration. See the Distributed Shell help for usage. Support for additional frameworks is planned.</p>
<p>As a work-around, you may manually log the Docker daemon on every NodeManager host into the secure repo using the Docker login command:</p>
<divclass="source">
<divclass="source">
<pre> docker login [OPTIONS] [SERVER]
Register or log in to a Docker registry server, if no server is specified
"https://index.docker.io/v1/" is the default.
-e, --email="" Email
-p, --password="" Password
-u, --username="" Username
</pre></div></div>
<p>Note that this approach means that all users will have access to the secure repo.</p>
<p>Hadoop integrates with Docker Trusted Registry via YARN service API. Docker registry can store Docker images on HDFS, S3 or external storage using CSI driver.</p><section>
<h3><aname="Docker_Registry_on_HDFS"></a>Docker Registry on HDFS</h3>
<p>NFS Gateway provides capability to mount HDFS as NFS mount point. Docker Registry can configure to write to HDFS mount point using standard file system API.</p>
<p>Docker trusted registry is deployed in YARN framework, and the URL to access the registry following Hadoop Registry DNS format:</p>
<divclass="source">
<divclass="source">
<pre>registry.docker-registry.$USER.$DOMAIN:5000
</pre></div></div>
<p>When docker-registry application reaches STABLE state in YARN, user can push or pull docker images to Docker Trusted Registry by prefix image name with registry.docker-registry.registry.example.com:5000/.</p></section><section>
<h3><aname="Docker_Registry_on_S3"></a>Docker Registry on S3</h3>
<p>Docker Registry provides its own S3 driver and YAML configuration. YARN service configuration can generate YAML template, and enable direct Docker Registry to S3 storage. This option is the top choice for deploying Docker Trusted Registry on AWS. Configuring Docker registry storage driver to S3 requires mounting /etc/docker/registry/config.yml file (through YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS), which needs to configure an S3 bucket with its corresponding accesskey and secretKey.</p>
<p>Sample config.yml</p>
<divclass="source">
<divclass="source">
<pre>version: 0.1
log:
fields:
service: registry
http:
addr: :5000
storage:
cache:
blobdescriptor: inmemory
s3:
accesskey: #AWS_KEY#
secretkey: #AWS_SECRET#
region: #AWS_REGION#
bucket: #AWS_BUCKET#
encrypt: #ENCRYPT#
secure: #SECURE#
chunksize: 5242880
multipartcopychunksize: 33554432
multipartcopymaxconcurrency: 100
multipartcopythresholdsize: 33554432
rootdirectory: #STORAGE_PATH#
</pre></div></div>
<p>Docker Registry can be started using YARN service: registry.json</p>
"YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS":"<path to config.yml>:/etc/docker/registry/config.yml",
},
"properties": {
"docker.network": "host"
}
}
}
]
}
</pre></div></div>
<p>For further details and parameters that could be configured in the S3 storage driver, please refer <aclass="externalLink"href="https://docs.docker.com/registry/storage-drivers/s3/">https://docs.docker.com/registry/storage-drivers/s3/</a>.</p></section></section><section>
<p>This example assumes that Hadoop is installed to <code>/usr/local/hadoop</code>.</p>
<p>Additionally, <code>docker.allowed.ro-mounts</code> in <code>container-executor.cfg</code> has been updated to include the directories: <code>/usr/local/hadoop,/etc/passwd,/etc/group</code>.</p>
<p>To submit the pi job to run in Docker containers, run the following commands:</p>
<p>Note that the application master, map tasks, and reduce tasks are configured independently. In this example, we are using the <code>openjdk:8</code> image for all three.</p></section><section>
<p>This example assumes that Hadoop is installed to <code>/usr/local/hadoop</code> and Spark is installed to <code>/usr/local/spark</code>.</p>
<p>Additionally, <code>docker.allowed.ro-mounts</code> in <code>container-executor.cfg</code> has been updated to include the directories: <code>/usr/local/hadoop,/etc/passwd,/etc/group</code>.</p>
<p>To run a Spark shell in Docker containers, run the following command:</p>
<p>Note that the application master and executors are configured independently. In this example, we are using the <code>openjdk:8</code> image for both.</p>
<p>When using remote container registry, the YARN_CONTAINER_RUNTIME_DOCKER_CLIENT_CONFIG must reference the config.json file containing the credentials used to authenticate.</p>
<p>When Docker support was introduced to Hadoop 2.x, the platform was designed to run existing Hadoop programs inside Docker container. Log redirection and environment setup are integrated with Node Manager. In Hadoop 3.x, Hadoop Docker support extends beyond running Hadoop workload, and support Docker container in Docker native form using ENTRYPOINT from dockerfile. Application can decide to support YARN mode as default or Docker mode as default by defining YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE environment variable. System administrator can also set as default setting for the cluster to make ENTRY_POINT as default mode of operation.</p>
<p>In yarn-site.xml, add YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE to node manager environment white list:</p>
<h2><aname="Requirements_when_not_using_ENTRYPOINT_.28YARN_mode.29"></a>Requirements when not using ENTRYPOINT (YARN mode)</h2>
<p>There are two requirements when ENTRYPOINT is not used:</p>
<olstyle="list-style-type: decimal">
<li>
<p><code>/bin/bash</code> must be available inside the image. This is generally true, however, tiny Docker images (eg. ones which use busybox for shell commands) might not have bash installed. In this case, the following error is displayed:</p>
Shell error output: /usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "exec: \"bash\": executable file not found in $PATH".
Shell output: main : command provided 4
</pre></div></div>
</li>
<li>
<p><code>find</code> command must also be available inside the image. Not having <code>find</code> causes this error:</p>
<divclass="source">
<divclass="source">
<pre>Container exited with a non-zero exit code 127. Error file: prelaunch.err.
Last 4096 bytes of prelaunch.err :
/tmp/hadoop-systest/nm-local-dir/usercache/hadoopuser/appcache/application_1561638268473_0017/container_1561638268473_0017_01_000002/launch_container.sh: line 44: find: command not found
<p>YARN SysFS is a pseudo file system provided by the YARN framework that exports information about clustering information to Docker container. Cluster information is exported to /hadoop/yarn/sysfs path. This API allows application developer to obtain clustering information without external service dependencies. Custom application master can populate cluster information by calling node manager REST API. YARN service framework automatically populates cluster information to /hadoop/yarn/sysfs/app.json. For more information about YARN service, see: <ahref="./yarn-service/Overview.html">YARN Service</a>.</p></section><section>
<h2><aname="Docker_Container_Service_Mode"></a>Docker Container Service Mode</h2>
<p>Docker Container Service Mode runs the container as defined by the image but does not set the user (–user and –group-add). This mode is disabled by default. The administrator sets docker.service-mode.enabled to true in container-executor.cfg under docker section to enable.</p>
<p>Part of a container-executor.cfg which allows docker service mode is below:</p>
<p>Application User can enable or disable service mode at job level by exporting environment variable YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE in the application’s environment with value true or false respectively.</p></section>
