The following are some salient points:

1. We want to run tasks as the user who submitted the job, rather than as the user running the daemon.
2. I think we also don't want to run the daemon as a privileged user (such as root) in order to solve this requirement. Right ?
3. The directories and files used by the task should have appropriate permissions. Currently these directories and files are mostly created by the daemons, but used by the task. A few are used/accessed by the daemons also. Some of these directories and files are the following:
   1. mapred.local.dir/taskTracker/archive - directories containing distributed cache archives
   2. mapred.local.dir/taskTracker/jobcache/$jobid/ - Include work (which is a scratch space), jars (containing the job jars), job.xml.
   3. mapred.local.dir/taskTracker/jobcache/$jobid/$taskid - Include job.xml, output (intermediate files), work (current working dir) and temp (work/tmp) directories for the task.
   4. mapred.local.dir/taskTracker/pids/$taskid - Written by the shell launching the task, but read by the daemons.
4. What should 'appropriate' permissions mean ? I guess read/write/execute (on directories) for the owner of the job is required. What should the permissions be for others ? If the task is the only consumer, then the permissions for others can be turned off. However, there are cases where the daemon / other processes might read the files. For instance:
   1. The distributed cache files can be shared across jobs.
   2. Jetty seems to require read permissions on the intermediate files to serve them to the reducers.
      In the above cases, can we make these world readable ?
   3. Task logs are currently generated under ${hadoop.log.dir}/userlogs/$taskid. These are served from the TaskLogServlet of the TaskTracker.
5. Apart from launching the task itself, we may need some other actions to be performed as the job owner. For instance:
   1. Killing of a task
   2. Maybe setting up and cleaning up of the directories / files
   3. Running the debug script - mapred.map|reduce.task.debug.script

Is there anything that I am missing ? Comments on the questions of shared directories / files - distributed cache, intermediate outputs, log files ?

If (1) is addressed just by setting the UGI in some way, then this had disadvantages compared to the seteuid/su - which facilitates secured access to non-HDFS resources (e.g. NFS in smaller environments).

We do want to run the daemons as non-privileged users, and yet go with a setuid based approach to run tasks as a regular user. One approach that was proposed to do this is as follows:

• We create a setuid executable, say a taskcontroller, that will be owned by root.
• This executable can take the following arguments - <user> <command> <command arguments>.
• <user> will be the job owner.
• <command> will be an action that needs to be performed, such as LAUNCH_JVM, KILL_TASK, etc.
• <command arguments> will depend on the command. For e.g. LAUNCH_JVM would have the arguments currently used to launch a JVM via the ShellCommandExecutor.
• The tasktracker will launch this executable with the appropriate command and arguments when needed.
• As the executable is a setuid exe, it will run as root, and will quickly drop privileges using setuid, to run as the user.
• Then the arguments will be used to execute the required action, for e.g. launching a VM or killing a task.
• Before dropping privileges, if needed, the executable could set up directories with appropriate ownership, etc.
• Naturally this would be platform specific. Hence, we can define a TaskController class that defines APIs to encapsulate these actions. For e.g., something like:

  abstract class TaskController {
  
    abstract void launchTask();
    abstract void killTask(Task t);
    // etc...
  }

• This could be extended by a LinuxTaskController, that converts the generic arguments into something that can be passed to executable - for e.g. maybe a process ID.
• One specific point is about the directory / file permissions. Sameer was of the opinion that the permissions should be quite strict, that is, world readable rights are not allowed. There are cases where the task as well as the daemon may need to access files. To handle this, one suggestion is to first set the permissions to the user, and then change the ownership to the daemon after the task is done.

The points above specify a broad approach. Please comment on whether this seems reasonable, reasonable in parts, or completely way off the mark. smile. Based on feedback, I would start implementing a prototype to flush out the details.

It should be written in C, not Java to ensure it has enough access to the platform to actually be secure. In particular, it has to clear both real and effective user ids.

I'd like to see the proposed list of commands for the setuid program.

No user-specified strings should be included on the command line, to avoid special character attacks.

I agree with Sameer that we should have very tight permissions on the map output and task directories. One of the subcommands should probably be to move the outputs from somewhere like $task/output to somewhere like $tt/output/$job/$task.

Having a plugin that lets us switch between the current pure-java implementation that doesn't change user ids and a setuid implementation sounds reasonable. We should continue to support the non-user-switch by default for clusters run by a single non-root user.

It should be written in C, not Java to ensure it has enough access to the platform to actually be secure. In particular, it has to clear both real and effective user ids.

Yes, I had that in mind. Specifically, I was planning to do something like setuid(getpwnam(user_name)->pw_uid). Since this would be done by a program running as superuser (the setuid exe), it would clear both the real and effective uids.

I'd like to see the proposed list of commands for the setuid program.

Sure, I will work on that and post the list here. In order to be reasonably complete, I think I should have a version that's working. So, I will start prototyping on the lines I described above.

If you are interested in running pure Java apps under different rights, this could be done via a security manager. Every task would be started with an explicit security manager/policy that limited what it could do, file and network operations would be checked against the policy. This would be portable and easier to test. It also eliminates the need to run the TT as root, to keep the unix user database in sync with the hadoop user list, etc.

Also, I agree that authentication and authorization is a pre-requisite for this. It is being handled by the other tasks under the jira HADOOP-4487. Here, I am focussing only on the mechanisms to make tasks run as the users who submitted the jobs - a small part of the larger framework.

• Created a setuid C executable.
• This executable currently takes the following commands:
  • SETUP_DIRS <list of directories>:
    This command sets up task specific directories to be owned by the user. The general approach I followed for handling directory permissions is that the root directories, such as hadoop.tmp.dir/mapred/local/taskTracker/jobcache/jobid would be owned by the tasktracker daemon, which creates task directories under it when needed. Then the taskcontroller exe will change the ownership and permissions of the task directory and sub folders to the user.
  • RUN_TASK <path to a file containing the M/R task to execute>
    The file is a temp file created under the user's work directory itself - executable by the user
  • MOVE_FILES <source directory> <destination directory>
    This command is used to copy the intermediate output and task logs from the task directories to a system specific directory owned by the daemon. The servlets serving this data are modified to read from the system specific directory.
• These are called from the JvmManager class at appropriate places.

A couple of things came up when doing this:

• Task logs: Currently task logs can be viewed when the task is still executing. Further the task logs are read by the TaskLogServlet, which is running in the daemon context. We want the task logs to be owned by the user. I still need to figure out how to achieve this. Currently, I am only able to access task logs after they are done, by executing the MOVE_FILES command. Any ideas are welcome.

• JVM Reuse: Currently, I've only handled this with one JVM per task. Need to check the approach when JVM reuse is in the picture.

• Still need to work on cleanup and kill actions, as also distributed cache.

The code I have is very raw and needs lots of polishing even as a first draft. Will try to do so in a couple of days. Any comments on the approach so far ?

CREATE_TASK_DIR owen task_20080101_0001_m_000001_1
MOVE_TASK_OUTPUT owen task_20080101_0001_m_000001_1
REMOVE_TASK_DIR owen task_20080101_0001_m_000001_1

It would also be good to have the task tracker root directories in a separate config file that can be owned by root. My goal is to make this executable as limited as possible. It should also block root as the user. What I do not want to see is having this work:

MOVE_FILES root /tmp/foo /etc/passwd

Might it be possible to have a pool of low-privileged users, to remove the requirement that every user has an account on every machine? Or maybe that requirement's not that onerous, with PAM/LDAP?

... and then there is streaming.

I can think of instances where it might be useful to have generic accounts run stuff. In those instances, it is still much better to have that handled outside Hadoop. [Either through setuid scripts, roles, sudo, kinit a special keytab prior to job submit, whatever.] Let the OS/tool/ops team/whatever deal with the accounting in those situations.

CREATE_TASK_DIR owen task_20080101_0001_m_000001_1

Owen, sure this makes sense. Just one point is that I might need the job id along with the task id. But that's still within the same spirit.

I will also make the other changes you have suggested like blocking root user.

I've also added a CLEANUP_TASK_DIR command to the executable which is now able to cleanup the directories after task is completed. This is called from the CleanupQueue thread in task tracker.

A few comments from him that I am documenting here:

• Task directories under the tasktracker system or root directory to which files (such as intermediate outputs) are copied after task completion should be in the same disk as the original user's task directories. This is to prevent across disk copies.
• Regarding the problem of serving log outputs which I've mentioned here, we discussed one approach could be to have a command in the executable to read the data and return to the TaskLogServlet on demand. This would happen reasonably rarely and does not affect any other functionality. Hence it seems like the performance overhead can be ignored.
• Another comment was to reduce the number of times the executable is launched. For e.g. without JVM reuse, I can setup the directories, run the task, and then move the outputs with a single launch of the executable. This is possible because all actions are per task, and there is one JVM per task. Hence the lifecycle of the task fits well with the setuid changes.

With JVM reuse though, the last point becomes problematic. We can easily setup the directories and move the output before and after the task. However, that needs to be done with a separate launch of the executable - three times actually. The performance impact this would have (and would it offset the advantage of JVM reuse) is something to measure and see.

Also added a KILL_TASK command. This will look as follows:

KILL_TASK user_name job_id task_attempt_id

This will be called from JvmRunner.kill(), which in turn is called whenever a TT gets a kill task action. Since the JVM process is running as the job owner (different from the TT), we can't directly destroy the JVM process. Instead, what I've done is the following:

• Write a (hidden) .pid file into the task directory when a task is executed. This is owned by the job owner and not readable by anyone else. The pid file contains the JVM's pid.
• When the JVM needs to be killed, we call the taskcontroller executable with the job_id and task_id.
• The taskcontroller drops privileges to the job owner, then reads the pid file and gets the pid of the jvm.
• Then the taskcontroller issues a kill(pid, SIGTERM) to kill the jvm.

Any concerns with this approach ?

Currently other than distributed cache, all other aspects of the task life cycle are functioning. I'll probably upload a single writeup (as Arun had done for HADOOP-4348) that will capture all the information in comments above for easy reference.

And of course, follow that up with the first patch. smile

Some discussion is required for handling distributed cache (HADOOP-4493). Firstly, localized files from distributed cache are not localized per job. Since anything can be passed through distributed cache, I think it should support the same level of access control as the rest of the files. That is, they should be changed to be localized per job and subject to the same access control mechanisms we are using for the rest of the files - like output directories etc.

I don't think this is a big impact for users as they can't assume the cache to contain the files they want on the nodes where the task is running. However, from the system perspective, probably if a lot of users (say working on the same project that requires the same data files) want to share this but across multiple jobs, we would be copying only once per node, saving both space and time. If we modify this to be localized per job, we could lose that advantage, no ?

Any thoughts on this trade off ?

• Launch and kill tasks (this would involve RUN_TASK and KILL_TASK commands)
• Handle local data securely (this would involve SETUP_TASK and MOVE_TASK_OUTPUT and CLEANUP_TASK commands)
• Handle distributed cache.

In order to get a working launch and kill tasks patch though, the file and directory permissions will need to be opened up to allow access to all users. Each of the other patches will make it more secure.

Please note that we have discussed the approach of how we will address directory and file permissions (such as intermediate outputs) in this JIRA already. This proposal is only to make it simpler to get some incremental patches in. Would this work ? If yes, I will use this JIRA to handle the first of the three tasks, then use HADOOP-4491 and HADOOP-4493 for the others.

It would also be good to have the task tracker root directories in a separate config file that can be owned by root.

We are taking care of this point in the setuid executable. One question is to determine how the location of this secure config file will known to the executable. Following are our options:

Option 1: Read from the environment variable HADOOP_CONF_DIR
Option 2: Take a command line option to specify the location of the file.
Option 3: Have it as a build time configuration parameter, and encode into the executable (like for instance, pass it as an autoconf option).

Options 1 and 2 may allow users to launch the executable pointing to some custom path. Option 3 would completely avoid this, and make it more secure.

For the sake of deployment, I think the setuid executable should be built using a separate ant target, as it would need to be setup as owned by root etc. So, maybe it is easy to do Option 3 in that case. If we decide to go with one of the other two options, we should mandate additional checks to make sure that the configuration file is owned by the root user, as Owen mentioned.

Any comments ?

task-controller <user-name> <command-enum-value> <job-id> <task-id> <tasktracker-root>

As mentioned in comments above, this patch only handles launching and killing of tasks, and does not handle file and directory permissions securely. In fact, it opens up the permissions so that both the tasktracker and task can share files and directories. However, this change is only done when the feature is enabled, and does not affect the default Hadoop behavior. When HADOOP-4491 and other issues are fixed, secure permissions will be replaced.

The changes in the patch include:

• A TaskController class that defines abstract methods for launching and killing tasks
• A DefaultTaskController where a little code from JvmManager has been moved
• A LinuxTaskController which implements the methods by calling the setuid executable of HADOOP-4930.
• A new configuration variable mapred.task.tracker.task-controller to define the specific type of TaskController to use. Defaults to DefaultTaskController.

Tested this on a single node cluster, along with the setuid executable of HADOOP-4930. Will follow-up with testing on larger clusters.

I request a review for the same.

The previous patch only set relevant permissions on the task and log cache directories for all users, with the intent that tasks running as any user should be able to create and use other files and directories under them. This requirement still applies. However, there are other files and directories whose access needs to be adjusted too. The new patch addresses these changes:

• It sets permissions on the job related jar files and other directories allowing access to everyone.
• It sets read and execute permissions on directory paths until the task / job cache and log directories. For e.g. if a task cache directory is created under ${mapred.local.dir}/taskTracker/jobcache, all paths in this component are attempted to be given read and execute (and no write) access for all users. This is required for looking up paths and locating / reading files created by the tasktracker.

Both the changes above are required in future as well. Except then, the permission string would be more restrictive (disallowing access to group and others).

The previous patch was working because of a subtle behavior in setuid. On the systems where we tested, the umask was set such that read and execute permissions were provided to group by default. So, any of the job files created by the tasktracker had read and execute to the group to which the tasktracker user belonged. When the setuid executable switched users, it does not clear the supplementary group information of the launcher. Hence, the new process running as the job owner still had access to the groups to which the tasktracker belonged, and hence worked. Again, in HADOOP-4491, we propose to remove all access for the group ownership also, and hence this will not be an issue.

All changes made in the previous patch still hold good, except for minor refactoring.

This patch is now complete to the best of my knowledge. Please do offer your comments.

Some comments:

1. We should use mapred.local.dir instead of hadoop.tmp.dir in LinuxTaskController.
2. Use Path's methods instead of String manipulation for all path-related manipulations.
3. Pass mode, user/group to DistributedCache rather than rely on the newly introduced DistributedCache.isFreshlyLoaded which is then unnecessary.
4. Move setting up of JVM-specific files e.g. task's log directory to TaskController.launchJVM.

We should use mapred.local.dir instead of hadoop.tmp.dir in LinuxTaskController.

Done.

Use Path's methods instead of String manipulation for all path-related manipulations.

Done.

Pass mode, user/group to DistributedCache rather than rely on the newly introduced DistributedCache.isFreshlyLoaded which is then unnecessary.

Done. I've added a new overloaded API that passes the information to DistributedCache. Just to keep options open, I've defined a new public class DistributedCacheFileAccessInfo - a simple class that can be used to define permissions and ownership information for localized files in DistributedCache. Can you take a specific look at this, and let me know if this looks OK ?

Move setting up of JVM-specific files e.g. task's log directory to TaskController.launchJVM

I've not done this one alone. It was not very clear what information is necessary at launch time. For e.g. if there are some localized files under the task cache directory that need to be loaded at launch time, we'll need permissions for these also. In general, it seemed a little risky to launch the JVM without giving full access to all jars etc, even if the Task will start running later only. So, I've left this as is. I think the main concern here was about the special check I had in JvmManager where I was avoiding setting the permissions again when getting the task to launch. This seems a simple enough check, and I've documented the rationale in code. Can you verify this again, and let me know your thoughts ?

The test-patch results are showing a -1 on release audit which I've written to core-dev about. I am not sure why a -1 is coming, will continue to debug that. There's also a -1 on tests. It is difficult to write unit tests for this patch since it requires support for multiple users.

There are a lot of log statements in the patch which should be removed before commit. I am attaching this with the hope that someone can take a look at the changes. Arun ?

test-patch gives following output:

[exec] -1 overall.
[exec]
[exec] +1 @author. The patch does not contain any @author tags.
[exec]
[exec] -1 tests included. The patch doesn't appear to include any new or modified tests.
[exec] Please justify why no tests are needed for this patch.
[exec]
[exec] +1 javadoc. The javadoc tool did not generate any warning messages.
[exec]
[exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings.
[exec]
[exec] +1 findbugs. The patch does not introduce any new Findbugs warnings.
[exec]
[exec] +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
[exec]
[exec] -1 release audit. The applied patch generated 823 release audit warnings (more than the trunk's current 820 warnings).

The -1 on release audit is because jdiff has generated some changes to public classes and packages (DistributedCache, FileUtil and the filecache package). The release audit seems to be flagging these new jdiff changed files as warnings. I've cross checked the ASF license header is included for all new files I've put up.

The -1 on tests is as explained above.

There's no change in functionality to the last patch I uploaded. Only a merge.

However, the default path (covered by the DefaultTaskController) is not affected, and hence there will be no regression. I am proposing that apart from this, if other things are fine, we should commit HADOOP-4490 and then in a follow up JIRA fix the changes with respect to HADOOP-4759. Otherwise I am seeing that HADOOP-4490 is becoming a moving target (smile). Does this make sense ?

http://issues.apache.org/jira/secure/attachment/12399627/HADOOP-4490.patch

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no tests are needed for this patch.

+1 javadoc. The javadoc tool did not generate any warning messages.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 findbugs. The patch does not introduce any new Findbugs warnings.

+1 Eclipse classpath. The patch retains Eclipse classpath integrity.

-1 release audit. The applied patch generated 821 release audit warnings (more than the trunk's current 819 warnings).

+1 core tests. The patch passed core unit tests.

-1 contrib tests. The patch failed contrib unit tests.

Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3806/testReport/
Release audit warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3806/artifact/trunk/current/releaseAuditDiffWarnings.txt
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3806/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3806/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3806/console

This message is automatically generated.

I thought ant test runs contrib tests as well, which is why I missed these on the first patch.

http://issues.apache.org/jira/secure/attachment/12399725/HADOOP-4490.patch

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no tests are needed for this patch.

+1 javadoc. The javadoc tool did not generate any warning messages.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 findbugs. The patch does not introduce any new Findbugs warnings.

+1 Eclipse classpath. The patch retains Eclipse classpath integrity.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 core tests. The patch passed core unit tests.

-1 contrib tests. The patch failed contrib unit tests.

Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3812/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3812/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3812/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch/3812/console

This message is automatically generated.

1. We agree that DistributedCacheFileAccessInfo isn't necessary. We'll wait for HADOOP-4493 to fix access control to the DistributedCache, until which we will just allow requisite access to all files in the cache (755).
2. FileUtil.setPermissionsForPathComponents and opening of permissions to mapred.local.dir via LinuxTaskController.setConf bother me. I see 4 different hooks we that we need to provide for setup/cleanup:
   • per-tracker (i.e. at TaskTracker initialization e.g. setting up mapred.local.dir)
   • per-job (job jars)
   • per-jvm (task log files)
   • per-task
     Of course we might not need all the cleanup hooks.
3. The TaskController itself should be stateless, the above hooks should be plugged into at appropriate places e.g. TaskTracker.localizeJob should call TaskController.initializeJob rather than having LinuxTaskController maintaining state as in the patch.

I had a discussion with Sreekanth about the changes, and we are proposing the following:

• Introduce a TaskTracker.initializeSystemDirs. This will create $mapred.local.dir/taskTracker/jobCache/, $mapred.local.dir/taskTracker/archives, and $hadoop.log.dir/userlogs on all relevant disks.
  Currently, as per Arun's comments, we'll have this API in TaskTracker, which will be called at Tracker initialization time. If it is felt that this should be per TaskController, then we can easily move this to the TaskController API. I think this may need 777 on the $mapred.local.dir/taskTracker/jobCache/ directory currently because the files would be created both by the task and the tracker - for e.g. the task could create the output directories on a new disk which has yet not been touched by the tracker.

• Introduce a TaskController.initializeJob. This will be called from TaskTracker.localizeJob, with the jobid as parameter. This will set up the access for $mapred.local.dir/taskTracker/jobCache/jobid directories on all disks which have been touched by localization.

• Modify TaskController.launchTaskJVM to set up permissions for the log dir and the pid dir associated with that task. This will remove the call to initializeTask from the JvmManager.runChild API

• Modify TaskController.initializeTask to set up permissions for the log dir, pid dir, and task cache dir for the task. There is no need to set up things for the job, because it's been done in initializeJob already. We will need to repeat the permission setting for the log dir and pid dir.

• Modify DistributedCache.localizeCache to set up permissions for the localized files. We propose to recursively set up 755 permissions (hardcoded) for all files under the $mapred.local.dir/taskTracker/archive/ directory for now. This might repeatedly set up permissions for files that are already correctly setup. However, it will keep things simple. If there's a performance issue, it is easy to address it, by setting it only for the files being localized, and by walking up its parent paths. Please let me know if this seems a bad choice.

The above changes will mean we can remove:

• DistributedCacheFileAccessInfo
• FileUtil.setPermissionsForPathComponents
• TaskController.cleanup
• The runningJobs state maintained by LinuxTaskController.

Arun, does this tie in with your expectations ?

If it is felt that this should be per TaskController, then we can easily move this to the TaskController API.

On second thoughts - I'd go there right-away, since it means that we don't need to open it up to 777 for mapred.local.dir if the DefaultTaskController is in effect.

Introduce a TaskController.initializeJob [...]

+1

Modify TaskController.launchTaskJVM to set up permissions [...]

+1

Modify TaskController.initializeTask to set up permissions for [...]

+1

Modify DistributedCache.localizeCache to set up permissions for the localized files. [...]

+1

Again, thanks for debugging this issue !

• No seperate permissions being set for pid directories, as they are not being used in the current trunk.
• Assumption that path to jobcache directory, log directory the user who runs task would have read and execute permission along the path.

The relevant piece of code is this:

private ShellCommandExecutor buildTaskControllerExecutor(TaskCommands command, 
                                            String userName, 
                                            List<String> cmdArgs, JvmEnv env) 
                                              throws IOException {

      ...
      if (env != null) {
       shExec = new ShellCommandExecutor(taskControllerCmd,
            env.workDir, env.env);
      }else {
        shExec = new ShellCommandExecutor(taskControllerCmd);
      }
    }

Setting env.workDir will set the working directory to that particular task attempt directory which may no longer exist. I get the following error when this happens:

2009-03-13 10:39:52,750 WARN org.apache.hadoop.mapred.LinuxTaskController: IOException in killing task: Cannot run program "/path/to/bin/task-controller" (in directory "/path/to/mapred-local/taskTracker/jobcache/job_200903130908_0051/attempt_200903130908_0051_m_001012_1000/work"): java.io.IOException: error=2, No such file or directory

Found a problem while this patch was being tested. When a TT was being re-inited by JT after it's lost for some time, TT got the following NPE and it crashed completely.

2009-03-22 22:22:36,155 ERROR org.apache.hadoop.mapred.TaskTracker: Can not start task tracker because java.lang.NullPointerException
        at org.apache.hadoop.mapred.LinuxTaskController.buildTaskCommandArgs(LinuxTaskController.java:183)
        at org.apache.hadoop.mapred.LinuxTaskController.killTaskJVM(LinuxTaskController.java:237)
        at org.apache.hadoop.mapred.JvmManager$JvmManagerForType$JvmRunner.kill(JvmManager.java:401)
        at org.apache.hadoop.mapred.JvmManager$JvmManagerForType.stop(JvmManager.java:211)
        at org.apache.hadoop.mapred.JvmManager.stop(JvmManager.java:61)
        at org.apache.hadoop.mapred.TaskTracker.close(TaskTracker.java:925)
        at org.apache.hadoop.mapred.TaskTracker.run(TaskTracker.java:1815)
        at org.apache.hadoop.mapred.TaskTracker.main(TaskTracker.java:2899)

• Merged the patch with the trunk.
• Added documentation to the cluster_setup page. Created a subsection in Site configuration to list task controller configuration after real world cluster configuration. Attaching the cluster setup document pdf for checking output and text of documentation.

• Use getLocalJobDir in LinuxTaskController.localizeJob
• Whenever mkdir or mkdirs fails, we should continue from loops.
• Changes in TaskRunner seem unnecessary.
• Changes in DistributedCache to pass the baseDir seems unnecessary. Note that localizeCache already takes a CacheStatus object that has the baseDir.
• This comment is not incorporated: "Modify TaskController.launchTaskJVM to set up permissions for the log dir and the pid dir associated with that task. This will remove the call to initializeTask from the JvmManager.runChild API." I think this can be done by calling setup*FileAccess from launchTaskJVM
• localizeJob can be called initializeJob
• In setupTaskCacheFileAccess, we are setting permissions recursively from the job directory. But this is what we do in LinuxTaskController.localizeJob. So we should be setting permissions from the taskCacheDirectory only.
• writeCommand should ideally check for existence of file before it tries to change permissions in the finally clause.
• JvmManagerForType.getTaskForJvm() - "Incase of JVM reuse, tasks returned previously launched" - some grammatical mistake here.
• In the kill part, I think it will be nice to add a info level log message when we are not doing the kill - both in JVM manager and in LinuxTaskController.
• TaskLog.getLogDir() - Make this getUserLogDir(), and the javadoc need not mention TaskControllers. It should be a generic documentation that it returns the base location for the user logs.
• mapred-defaults.xml should have the config variable for the task controller along with documentation.

Comments on documentation:

• I think we should first describe the use case for the Task controllers are trying to solve - as in the requirement to run tasks as a job owners.
• It would be nice to give a little description of how the LinuxTaskController works - just saying something like we use a setuid executable, the tasktracker uses this exe to launch and kill tasks.
• We should definitely mention that until other JIRAs like H-4491 etc are fixed, we open up permissions on the intermediate, localized and log files in the Linux TaskController case.
• making the executable a setuid exe is a deployment step. It is currently added as a build step.
• The path to the taskcontroller cfg - mention that this should be the path on the cluster nodes where the deployment of the taskcontroller.cfg file will happen
• We should also mention that the LinuxTaskController is currently supported only on Linux. (though it sounds obvious)
• Should we mention about permissions regarding mapred.local.dir and hadoop.log.dir (should be 777 and path leading up to them be 755) ?

• Removing an unused variable in JVM Manager.

http://issues.apache.org/jira/secure/attachment/12404914/hadoop-4490-9.patch

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no tests are needed for this patch.

+1 javadoc. The javadoc tool did not generate any warning messages.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 findbugs. The patch does not introduce any new Findbugs warnings.

+1 Eclipse classpath. The patch retains Eclipse classpath integrity.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 core tests. The patch passed core unit tests.

-1 contrib tests. The patch failed contrib unit tests.

Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-vesta.apache.org/166/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-vesta.apache.org/166/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-vesta.apache.org/166/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-vesta.apache.org/166/console

This message is automatically generated.

Reverting to previous version of patch.

• Changed FileUtil.chmod() to use ShellCommandExecutor instead of building process directly and executing the same.

• FileUtil now uses ShellCommandExecutor for chmod operations. It supresses the IOException thrown while doing chmod and logs it if debug enabled.
• Check before TaskController.initializeTask() in JvmManager.getTaskForJVM() to see to that there is no double initalization of same task being done.

Check before TaskController.initializeTask() in JvmManager.getTaskForJVM() to see to that there is no double initalization of same task being done.

I think we should move the call to initializeTask into JvmRunner.runChild(). This way it is more explicit why the check is required.

Other than this +1. Please make this PA.

     [exec] 
     [exec] -1 overall.  
     [exec] 
     [exec]     +1 @author.  The patch does not contain any @author tags.
     [exec] 
     [exec]     -1 tests included.  The patch doesn't appear to include any new or modified tests.
     [exec]                         Please justify why no tests are needed for this patch.
     [exec] 
     [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
     [exec] 
     [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
     [exec] 
     [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
     [exec] 
     [exec]     +1 Eclipse classpath. The patch retains Eclipse classpath integrity.
     [exec] 
     [exec]     -1 release audit.  The applied patch generated 652 release audit warnings (more than the trunk's current 651 warnings).
     [exec] 
     [exec] 

All core and contrib tests passed on the local machine except TestQueueCapacities which is being handled in seperate JIRA.

This patch has been tested extensively manually, and a version of this patch is also deployed in production environment for a while now. There is a plan to develop unit tests as a followup.

Given these, I am committing this patch, as it is blocking some other jiras in M/R.