From 0bed0fec3cdde0d65237e8a69c298f75e530170a Mon Sep 17 00:00:00 2001 From: Robert Joseph Evans Date: Fri, 1 Jun 2012 18:19:02 +0000 Subject: [PATCH] svn merge -c 1345304. FIXES: HADOOP-8460. Document proper setting of HADOOP_PID_DIR and HADOOP_SECURE_DN_PID_DIR (bobby) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1345306 13f79535-47bb-0310-9956-ffa450edef68 --- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../hadoop-common/src/main/conf/hadoop-env.sh | 3 +++ .../hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm | 5 +++++ 3 files changed, 11 insertions(+) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 8c5f98e3b59..7b6dbc423cf 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -59,6 +59,9 @@ Release 2.0.1-alpha - UNRELEASED HADOOP-8452. DN logs backtrace when running under jsvc and /jmx is loaded (Andy Isaacson via bobby) + HADOOP-8460. Document proper setting of HADOOP_PID_DIR and + HADOOP_SECURE_DN_PID_DIR (bobby) + Release 2.0.0-alpha - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh index 8fea86388f1..33abeca1acf 100644 --- a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh +++ b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh @@ -67,6 +67,9 @@ export HADOOP_LOG_DIR=${HADOOP_LOG_DIR}/$USER export HADOOP_SECURE_DN_LOG_DIR=${HADOOP_LOG_DIR}/${HADOOP_HDFS_USER} # The directory where pid files are stored. /tmp by default. +# NOTE: this should be set to a directory that can only be written to by +# the user that will run the hadoop daemons. Otherwise there is the +# potential for a symlink attack. export HADOOP_PID_DIR=${HADOOP_PID_DIR} export HADOOP_SECURE_DN_PID_DIR=${HADOOP_PID_DIR} 
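Review bot: The NOTE added above `export HADOOP_PID_DIR=${HADOOP_PID_DIR}` in hadoop-env.sh names the risk, but the assignment still resolves to empty when the variable is unset, so the "/tmp by default" behaviour described on the preceding comment line is what an unconfigured install keeps. The comment would be more actionable if it stated what an operator should verify, for example `# The directory must already exist, be owned by the daemon user, and not be group- or world-writable (e.g. mode 0755); do not leave it under /tmp.` The following line sets `HADOOP_SECURE_DN_PID_DIR=${HADOOP_PID_DIR}`, so the secure datanode shares the same directory. If its launcher writes the pid file with elevated privileges (not visible in this hunk), a directory writable by the unprivileged daemon user would not satisfy the NOTE for that case, and the comment should say that this variable likely needs its own root-owned directory.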
diff --git a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm index 6301eb25663..3b075f7cb23 100644 --- a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm +++ b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm @@ -85,6 +85,11 @@ Hadoop MapReduce Next Generation - Cluster Setup At the very least you should specify the <<>> so that it is correctly defined on each remote node. + In most cases you should also specify <<>> and + <<>> to point to directories that can only be + written to by the users that are going to run the hadoop daemons. + Otherwise there is the potential for a symlink attack. + Administrators can configure individual daemons using the configuration options shown below in the table: