From 777390497437717cc32f88fd3312d9e608f4a6bc Mon Sep 17 00:00:00 2001 From: Shane Kumpf Date: Fri, 3 Aug 2018 18:20:49 -0600 Subject: [PATCH] YARN-8287. Update documentation and yarn-default related to the Docker runtime. Contributed by Craig Condit (cherry picked from commit bcfc9851f4c6d37d9a119c16ea7d4d253d3b9614) --- .../src/main/resources/yarn-default.xml | 13 ++-- .../src/site/markdown/DockerContainers.md | 66 ++++++++++++++++--- 2 files changed, 64 insertions(+), 15 deletions(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 2491cafd737..a54f78006a1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml 
@@ -1713,16 +1713,19 @@ This configuration setting determines the capabilities assigned to docker containers when they are launched. While these may not be case-sensitive from a docker perspective, it is best to keep these - uppercase. To run without any capabilites, set this value to + uppercase. To run without any capabilities, set this value to "none" or "NONE" yarn.nodemanager.runtime.linux.docker.capabilities CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE - This configuration setting determines if - privileged docker containers are allowed on this cluster. - Use with extreme care. + This configuration setting determines if privileged docker + containers are allowed on this cluster. Privileged containers are granted + the complete set of capabilities and are not subject to the limitations + imposed by the device cgroup controller. In other words, privileged + containers can do almost everything that the host can do. Use with + extreme care. yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed false @@ -2003,8 +2006,6 @@ false - - Adjustment to the container OS scheduling priority. In Linux, passed diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md index e35c906de31..0001489ee27 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md 
@@ -19,10 +19,8 @@ Launching Applications Using Docker Containers Security Warning --------------- -**IMPORTANT** This feature is experimental and is not complete. **IMPORTANT** -Enabling this feature and running Docker containers in your cluster has security -implications. With this feature enabled, it may be possible to gain root access -to the YARN NodeManager hosts. Given Docker's integration with many powerful +**IMPORTANT** Enabling this feature and running Docker containers in your +cluster has security implications. Given Docker's integration with many powerful kernel features, it is imperative that administrators understand [Docker security](https://docs.docker.com/engine/security/security/) before enabling this feature. @@ -56,10 +54,6 @@ Docker for YARN provides both consistency (all YARN containers will have the same software environment) and isolation (no interference with whatever is installed on the physical machine). -Docker support in the LCE is still evolving. To track progress, follow -[YARN-3611](https://issues.apache.org/jira/browse/YARN-3611), the umbrella JIRA -for Docker support improvements. - Cluster Configuration --------------------- 
@@ -153,7 +147,30 @@ The following properties should be set in yarn-site.xml: false Optional. Whether applications are allowed to run in privileged - containers. + containers. Privileged containers are granted the complete set of + capabilities and are not subject to the limitations imposed by the device + cgroup controller. In other words, privileged containers can do almost + everything that the host can do. Use with extreme care. + + + + + yarn.nodemanager.runtime.linux.docker.delayed-removal.allowed + false + + Optional. Whether or not users are allowed to request that Docker + containers honor the debug deletion delay. This is useful for + troubleshooting Docker container related launch failures. + + + + + yarn.nodemanager.runtime.linux.docker.stop.grace-period + 10 + + Optional. A configurable value to pass to the Docker Stop command. This + value defines the number of seconds between the docker stop command sending + a SIGTERM and a SIGKILL. @@ -177,6 +194,36 @@ The following properties should be set in yarn-site.xml: "none" or "NONE" + + + yarn.nodemanager.runtime.linux.docker.enable-userremapping.allowed + true + + Optional. Whether docker containers are run with the UID and GID of the + calling user. + + + + + yarn.nodemanager.runtime.linux.docker.userremapping-uid-threshold + 1 + + Optional. The minimum acceptable UID for a remapped user. Users with UIDs + lower than this value will not be allowed to launch containers when user + remapping is enabled. + + + + + yarn.nodemanager.runtime.linux.docker.userremapping-gid-threshold + 1 + + Optional. The minimum acceptable GID for a remapped user. Users belonging + to any group with a GID lower than this value will not be allowed to + launch containers when user remapping is enabled. + + + ``` 
@@ -204,6 +251,7 @@ are allowed. It contains the following properties: | `docker.allowed.networks` | Comma separated networks that containers are allowed to use. If no network is specified when launching the container, the default Docker network will be used. | | `docker.allowed.ro-mounts` | Comma separated directories that containers are allowed to mount in read-only mode. By default, no directories are allowed to mounted. | | `docker.allowed.rw-mounts` | Comma separated directories that containers are allowed to mount in read-write mode. By default, no directories are allowed to mounted. | +| `docker.allowed.volume-drivers` | Comma separated list of volume drivers which are allowed to be used. By default, no volume drivers are allowed. | | `docker.host-pid-namespace.enabled` | Set to "true" or "false" to enable or disable using the host's PID namespace. Default value is "false". | | `docker.privileged-containers.enabled` | Set to "true" or "false" to enable or disable launching privileged containers. Default value is "false". | | `docker.trusted.registries` | Comma separated list of trusted docker registries for running trusted privileged docker containers. By default, no registries are defined. |
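Review bot: In the yarn-default.xml hunk at `@@ -1713,16 +1713,19 @@`, the expanded description of `yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed` explains the consequence well, but it does not say that this NodeManager setting is only one of two gates: the container-executor.cfg entries `docker.privileged-containers.enabled` and `docker.trusted.registries` (both documented later in this same patch) must also permit it, and the image must come from a trusted registry. Suggest adding one sentence such as "Privileged containers additionally require docker.privileged-containers.enabled=true and an image from a registry listed in docker.trusted.registries in container-executor.cfg." so an operator reading yarn-default.xml alone does not assume this flag is sufficient on its own.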
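Review bot: In the DockerContainers.md hunk at `@@ -19,10 +19,8 @@`, dropping "it may be possible to gain root access to the YARN NodeManager hosts" removes the only concrete statement of what the risk is, while the rest of this patch adds text saying privileged containers "can do almost everything that the host can do". Removing the "experimental" wording is reasonable if the feature is now considered stable, but the Security Warning should keep a sentence naming the impact, for example: "Misconfiguration of this feature (in particular allowing privileged containers or unrestricted mounts) can allow a container to gain root-equivalent access to the NodeManager host."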
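Review bot: In the DockerContainers.md hunk at `@@ -153,7 +147,30 @@`, the description of `yarn.nodemanager.runtime.linux.docker.delayed-removal.allowed` refers to "the debug deletion delay" without naming the setting that controls it; suggest stating that the delay is the one configured by `yarn.nodemanager.delete.debug-delay-sec`, so the reader knows which value applies and that the setting does nothing unless that delay is non-zero. For `yarn.nodemanager.runtime.linux.docker.stop.grace-period`, the text should say which option the value maps to (the timeout passed to `docker stop`) and that 10 seconds matches Docker's own default, since "A configurable value to pass to the Docker Stop command" does not tell an operator what a larger or smaller number changes.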
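Review bot: In the DockerContainers.md hunk at `@@ -177,6 +194,36 @@`, the UID and GID thresholds default to `1`, which only excludes UID/GID 0; the descriptions should make that explicit and note that administrators who want to keep system accounts out of containers will need to raise the threshold (many distributions reserve IDs below 1000 for system users and groups). It is also worth spelling out, given the GID wording "Users belonging to any group with a GID lower than this value", that the check covers supplementary groups, so a user who is merely a member of the root group is rejected even when their primary GID is above the threshold.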