Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-732

YARN support for container isolation on Windows

    XMLWordPrintableJSON

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: trunk-win
    • Fix Version/s: None
    • Component/s: nodemanager
    • Labels:

      Description

      There is no ContainerExecutor on windows that can launch containers in a manner that creates:
      1) container isolation
      2) container execution with reduced rights
      I am working on patches that will add the ability to launch containers in a process with a reduced access token.
      Update: After examining several approaches I have settled on launching the task as a domain user. I have attached the current winutils diff which is a work in progress.
      Work remaining:

      • Create isolated desktop for task processes.
      • Set integrity of spawned processed to low.

        Attachments

        1. winutils.diff
          39 kB
          Kyle Leckie

          Issue Links

          incorporates

          Improvement - An improvement or enhancement to an existing feature or task. YARN-2198 Remove the need to run NodeManager as privileged account for Windows Secure Container Executor

          • Major - Major loss of function.
          • Closed
          is related to

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-9533 Centralized Hadoop SSO/Token Server

          • Major - Major loss of function.
          • Open

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                kyleckie Kyle Leckie
              • Votes:
                0 Vote for this issue
                Watchers:
                13 Start watching this issue

                Dates

                • Created:
                  Updated: