diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 71a7134..17f710f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -1439,6 +1439,18 @@ public static boolean isAclEnabled(Configuration conf) {
/** Prefix for runtime configuration constants. */
public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX +
"runtime.linux.";
+
+ /**
+ * Comma separated list of runtimes that are allowed when using
+ * LinuxContainerExecutor.
+ */
+ public static final String LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES =
+ LINUX_CONTAINER_RUNTIME_PREFIX + "allowed-runtimes";
+
+ /** The default list of allowed runtimes when using LinuxContainerExecutor. */
+ public static final String[] DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES
+ = { "DefaultLinuxContainerRuntime" };
+
public static final String DOCKER_CONTAINER_RUNTIME_PREFIX =
LINUX_CONTAINER_RUNTIME_PREFIX + "docker.";
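Review bot: `DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES` is a `public static final String[]`, so its single element can be overwritten by any code in the JVM, and this array is the fallback allowlist that decides which runtimes may launch containers. `DelegatingLinuxContainerRuntime.initialize` hands it to `conf.getTrimmedStrings(...)` as the default and wraps the result in `Arrays.asList`, which is a view rather than a copy if the default array is returned as-is. The constant has to stay an array for that call, so I would add a comment such as `// Read-only by convention: this array is the fallback runtime allowlist.` and copy at the use site with `new ArrayList<>(Arrays.asList(...))`.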
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 95b8a88..68b1b99 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -1581,6 +1581,13 @@
+ Comma separated list of runtimes that are allowed when using
+ LinuxContainerExecutor.
+ yarn.nodemanager.runtime.linux.allowed-runtimes
+ DefaultLinuxContainerRuntime
+
+
+
This configuration setting determines the capabilities
assigned to docker containers when they are launched. While these may not
be case-sensitive from a docker perspective, it is best to keep these
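Review bot: The description added for `yarn.nodemanager.runtime.linux.allowed-runtimes` does not say which values are accepted or what happens to a runtime that is left off the list. Judging from `isRuntimeAllowed` elsewhere in this commit, entries are compared exactly against the runtime class's simple name, and a request for an unlisted runtime fails. With the default of `DefaultLinuxContainerRuntime`, Docker and Java sandbox requests are therefore rejected until an operator adds them. I would extend the text along the lines of `Valid values are DefaultLinuxContainerRuntime, DockerLinuxContainerRuntime and JavaSandboxLinuxContainerRuntime (case-sensitive). Requests for a runtime not listed here are rejected.`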
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
index 0581878..57ab19c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/ContainerExecutor.java
@@ -51,6 +51,7 @@
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerPrepareContext;
import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext;
@@ -659,7 +660,8 @@ public void activateContainer(ContainerId containerId, Path pidFilePath) {
}
// LinuxContainerExecutor overrides this method and behaves differently.
- public String[] getIpAndHost(Container container) {
+ public String[] getIpAndHost(Container container)
+ throws ContainerExecutionException {
return getLocalIpAndHost(container);
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
index b3e13b4..3e03dc6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
@@ -625,7 +625,8 @@ private ContainerRuntimeContext buildContainerRuntimeContext(
}
@Override
- public String[] getIpAndHost(Container container) {
+ public String[] getIpAndHost(Container container)
+ throws ContainerExecutionException {
return linuxContainerRuntime.getIpAndHost(container);
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java
index 90b13a2..675a08a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/DelegatingLinuxContainerRuntime.java
@@ -20,6 +20,7 @@
package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;
+import com.google.common.annotations.VisibleForTesting;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
@@ -31,8 +32,13 @@
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
+import java.util.Arrays;
+import java.util.List;
import java.util.Map;
+import static org.apache.hadoop.yarn.conf.YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES;
+import static org.apache.hadoop.yarn.conf.YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES;
+
/**
* This class is a {@link ContainerRuntime} implementation that delegates all
* operations to a {@link DefaultLinuxContainerRuntime} instance, a
@@ -50,25 +56,35 @@
private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime;
private DockerLinuxContainerRuntime dockerLinuxContainerRuntime;
private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime;
+ private List allowedRuntimes;
@Override
public void initialize(Configuration conf)
throws ContainerExecutionException {
+ allowedRuntimes = Arrays.asList(
+ conf.getTrimmedStrings(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES));
PrivilegedOperationExecutor privilegedOperationExecutor =
PrivilegedOperationExecutor.getInstance(conf);
defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime(
privilegedOperationExecutor);
- defaultLinuxContainerRuntime.initialize(conf);
+ if (isRuntimeAllowed(defaultLinuxContainerRuntime)) {
+ defaultLinuxContainerRuntime.initialize(conf);
+ }
dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(
privilegedOperationExecutor);
- dockerLinuxContainerRuntime.initialize(conf);
+ if (isRuntimeAllowed(dockerLinuxContainerRuntime)) {
+ dockerLinuxContainerRuntime.initialize(conf);
+ }
javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime(
privilegedOperationExecutor);
- javaSandboxLinuxContainerRuntime.initialize(conf);
+ if (isRuntimeAllowed(javaSandboxLinuxContainerRuntime)) {
+ javaSandboxLinuxContainerRuntime.initialize(conf);
+ }
}
private LinuxContainerRuntime pickContainerRuntime(
- Map environment){
+ Map environment) throws ContainerExecutionException {
LinuxContainerRuntime runtime;
//Sandbox checked first to ensure DockerRuntime doesn't circumvent controls
if (javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){
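Review bot: `pickContainerRuntime` still calls `javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()` on an instance whose `initialize(conf)` is now skipped whenever the sandbox runtime is not in the allowlist, which is the default. If that method reads state set up by `initialize` (not visible here), its answer on an uninitialized object is unspecified. A spurious `true` would select the sandbox runtime and then reject every container at the new allowlist check. Please confirm it returns `false` before initialization. Otherwise construct only the allowed runtimes and keep the fail-closed check separate from the "was it requested" probe; the same question applies to the Docker branch, which lies outside this hunk.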
@@ -80,6 +96,11 @@ private LinuxContainerRuntime pickContainerRuntime(
runtime = defaultLinuxContainerRuntime;
}
+ if (!isRuntimeAllowed(runtime)) {
+ throw new ContainerExecutionException("Requested runtime is not allowed: "
+ + runtime.getClass().getSimpleName());
+ }
+
if (LOG.isDebugEnabled()) {
LOG.debug("Using container runtime: " + runtime.getClass()
.getSimpleName());
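Review bot: A denied request leaves no log line of its own at the new `if (!isRuntimeAllowed(runtime))`, because the only logging in this method is the DEBUG statement after the check. Whether the caller logs the `ContainerExecutionException` is not visible in this hunk. A policy rejection is worth recording at WARN so operators can tell a misconfigured allowlist from an application asking for a runtime it should not get, for example `LOG.warn("Rejected container runtime not in " + LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + ": " + runtime.getClass().getSimpleName());` before the `throw`.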
@@ -88,7 +109,8 @@ private LinuxContainerRuntime pickContainerRuntime(
return runtime;
}
- private LinuxContainerRuntime pickContainerRuntime(Container container) {
+ private LinuxContainerRuntime pickContainerRuntime(Container container)
+ throws ContainerExecutionException {
return pickContainerRuntime(container.getLaunchContext().getEnvironment());
}
@@ -127,8 +149,14 @@ public void reapContainer(ContainerRuntimeContext ctx)
}
@Override
- public String[] getIpAndHost(Container container) {
+ public String[] getIpAndHost(Container container)
+ throws ContainerExecutionException {
LinuxContainerRuntime runtime = pickContainerRuntime(container);
return runtime.getIpAndHost(container);
}
+
+ @VisibleForTesting
+ protected boolean isRuntimeAllowed(LinuxContainerRuntime runtime) {
+ return allowedRuntimes.contains(runtime.getClass().getSimpleName());
+ }
}
\ No newline at end of file
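Review bot: `isRuntimeAllowed` compares `runtime.getClass().getSimpleName()` with the raw configured strings, so the match is case-sensitive and package-blind, and a misspelled or unknown entry is accepted silently and simply never matches. A typo in the allowlist then shows up only later, as every container of that runtime failing to launch. I would validate the list once in `initialize`, right after `allowedRuntimes` is assigned, and fail start-up on an unrecognised name, as sketched below. The method also has no Javadoc stating that the comparison is by simple class name, and the file now ends without a trailing newline.

```java
// in initialize(), directly after allowedRuntimes is assigned
List<String> knownRuntimes = Arrays.asList(
    DefaultLinuxContainerRuntime.class.getSimpleName(),
    DockerLinuxContainerRuntime.class.getSimpleName(),
    JavaSandboxLinuxContainerRuntime.class.getSimpleName());
if (!knownRuntimes.containsAll(allowedRuntimes)) {
  throw new ContainerExecutionException("Unknown runtime in "
      + LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + ": " + allowedRuntimes);
}
// ... unchanged: PrivilegedOperationExecutor lookup and runtime construction ...
```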
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java
index 6ee60bd..a491e7e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/monitor/ContainersMonitorImpl.java
@@ -38,6 +38,7 @@
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerKillEvent;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher;
import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils;
import org.apache.hadoop.yarn.util.ResourceCalculatorPlugin;
@@ -502,7 +503,8 @@ public void run() {
* @param entry process tree entry to fill in
*/
private void initializeProcessTrees(
- Entry entry) {
+ Entry entry)
+ throws ContainerExecutionException {
ContainerId containerId = entry.getKey();
ProcessTreeInfo ptInfo = entry.getValue();
String pId = ptInfo.getPID();
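Review bot: `initializeProcessTrees` now declares `ContainerExecutionException`, presumably because it reaches `getIpAndHost`, and after this commit that exception is also raised when a container's requested runtime is outside the allowlist, not only on a lookup error. The call site is outside this hunk (the header places it under `run()`), so it is not visible whether the exception is caught per entry or around the whole monitoring pass. If it is the latter, one rejected container would cut short process-tree setup for the remaining containers in that iteration. I would catch it per entry at the call site and log the container id. The Javadoc above the method also needs a `@throws ContainerExecutionException` line; the body continues past the end of the hunk.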
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java
index b15690f..7caa0ed 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/runtime/ContainerRuntime.java
@@ -77,6 +77,10 @@ void reapContainer(ContainerRuntimeContext ctx)
/**
* Return the host and ip of the container
+ *
+ * @param container the {@link Container}
+ * @throws ContainerExecutionException if an error occurs while getting the ip
+ * and hostname
*/
- String[] getIpAndHost(Container container);
+ String[] getIpAndHost(Container container) throws ContainerExecutionException;
}
\ No newline at end of file
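Review bot: The new `@throws` text describes only a lookup failure, but with this commit `DelegatingLinuxContainerRuntime.getIpAndHost` also throws when the container's runtime is not in the allowlist. Callers reading the interface should know that the exception can mean a policy rejection. I would word it as `@throws ContainerExecutionException if the ip and hostname cannot be obtained, or if the runtime requested for the container is not allowed`. The Javadoc still has no `@return` tag; the summary says "host and ip" while the method is named `getIpAndHost`, so the element order of the returned array should be stated once it is confirmed against an implementation.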
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java
new file mode 100644
index 0000000..cf08cb6
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDelegatingLinuxContainerRuntime.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.apache.hadoop.yarn.conf.YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES;
+import static org.junit.Assert.*;
+
+/**
+ * Test container runtime delegation.
+ */
+public class TestDelegatingLinuxContainerRuntime {
+
+ private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime;
+ private DockerLinuxContainerRuntime dockerLinuxContainerRuntime;
+ private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime;
+ private Configuration conf = new Configuration();
+
+ @Before
+ public void setUp() throws Exception {
+ PrivilegedOperationExecutor privilegedOperationExecutor =
+ PrivilegedOperationExecutor.getInstance(conf);
+ // Default Runtime
+ defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime(
+ privilegedOperationExecutor);
+ defaultLinuxContainerRuntime.initialize(conf);
+ // Docker Runtime
+ dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(
+ privilegedOperationExecutor);
+ dockerLinuxContainerRuntime.initialize(conf);
+ // Java Sandbox Runtime
+ javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime(
+ privilegedOperationExecutor);
+ javaSandboxLinuxContainerRuntime.initialize(conf);
+ }
+
+ @Test
+ public void testIsRuntimeAllowedDefault() throws Exception {
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ defaultLinuxContainerRuntime));
+ assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ dockerLinuxContainerRuntime));
+ assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ javaSandboxLinuxContainerRuntime));
+ }
+
+ @Test
+ public void testIsRuntimeAllowedDocker() throws Exception {
+ conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ "DockerLinuxContainerRuntime");
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ dockerLinuxContainerRuntime));
+ }
+
+ @Test
+ public void testIsRuntimeAllowedJavaSandbox() throws Exception {
+ conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ "JavaSandboxLinuxContainerRuntime");
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ javaSandboxLinuxContainerRuntime));
+ }
+
+ @Test
+ public void testIsRuntimeAllowedNotDefault() throws Exception {
+ conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ "DockerLinuxContainerRuntime,JavaSandboxLinuxContainerRuntime");
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ defaultLinuxContainerRuntime));
+ }
+
+ @Test
+ public void testIsRuntimeAllowedNotDocker() throws Exception {
+ conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ "DefaultLinuxContainerRuntime,JavaSandboxLinuxContainerRuntime");
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ dockerLinuxContainerRuntime));
+ }
+
+ @Test
+ public void testIsRuntimeAllowedNotJavaSandbox() throws Exception {
+ conf.set(LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
+ "DefaultLinuxContainerRuntime,DockerLinuxContainerRuntime");
+ DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime =
+ new DelegatingLinuxContainerRuntime();
+ delegatingLinuxContainerRuntime.initialize(conf);
+ assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
+ javaSandboxLinuxContainerRuntime));
+ }
+}
\ No newline at end of file
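Review bot: All six tests call `isRuntimeAllowed` directly, so the enforcement path itself is untested: `pickContainerRuntime` throwing `ContainerExecutionException` for a disallowed runtime, and still succeeding for a plain container under the default configuration. A test that drives `getIpAndHost` (or another public entry point) with the default `conf` would also show whether probing the uninitialized sandbox and Docker runtimes inside `pickContainerRuntime` behaves as intended. There is likewise no case for an empty or misspelled value of `LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES`. On style, `import static org.junit.Assert.*;` could name `assertTrue` and `assertFalse` explicitly.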
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
index 4de0a6a..2e56d81 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md
@@ -71,68 +71,82 @@ request. For example:
The following properties should be set in yarn-site.xml:
```xml
-
- yarn.nodemanager.container-executor.class
- org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor
-
- This is the container executor setting that ensures that all applications
- are started with the LinuxContainerExecutor.
-
-
-
-
- yarn.nodemanager.linux-container-executor.group
- hadoop
-
- The POSIX group of the NodeManager. It should match the setting in
- "container-executor.cfg". This configuration is required for validating
- the secure access of the container-executor binary.
-
-
-
-
- yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users
- false
-
- Whether all applications should be run as the NodeManager process' owner.
- When false, applications are launched instead as the application owner.
-
-
-
-
- yarn.nodemanager.runtime.linux.docker.allowed-container-networks
- host,none,bridge
-
- Optional. A comma-separated set of networks allowed when launching
- containers. Valid values are determined by Docker networks available from
- `docker network ls`
-
-
-
-
- The network used when launching Docker containers when no
- network is specified in the request. This network must be one of the
- (configurable) set of allowed container networks.
- yarn.nodemanager.runtime.linux.docker.default-container-network
- host
-
-
-
- yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed
- false
-
- Optional. Whether applications are allowed to run in privileged containers.
-
-
-
-
- yarn.nodemanager.runtime.linux.docker.privileged-containers.acl
-
-
- Optional. A comma-separated list of users who are allowed to request
- privileged contains if privileged containers are allowed.
-
-
+
+
+ yarn.nodemanager.container-executor.class
+ org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor
+
+ This is the container executor setting that ensures that all applications
+ are started with the LinuxContainerExecutor.
+
+
+
+
+ yarn.nodemanager.linux-container-executor.group
+ hadoop
+
+ The POSIX group of the NodeManager. It should match the setting in
+ "container-executor.cfg". This configuration is required for validating
+ the secure access of the container-executor binary.
+
+
+
+
+ yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users
+ false
+
+ Whether all applications should be run as the NodeManager process' owner.
+ When false, applications are launched instead as the application owner.
+
+
+
+
+ yarn.nodemanager.runtime.linux.allowed-runtimes
+ DefaultLinuxContainerRuntime,DockerLinuxContainerRuntime
+
+ Comma separated list of runtimes that are allowed when using
+ LinuxContainerExecutor.
+
+
+
+
+ yarn.nodemanager.runtime.linux.docker.allowed-container-networks
+ host,none,bridge
+
+ Optional. A comma-separated set of networks allowed when launching
+ containers. Valid values are determined by Docker networks available from
+ `docker network ls`
+
+
+
+
+ yarn.nodemanager.runtime.linux.docker.default-container-network
+ host
+
+ The network used when launching Docker containers when no
+ network is specified in the request. This network must be one of the
+ (configurable) set of allowed container networks.
+
+
+
+
+ yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed
+ false
+
+ Optional. Whether applications are allowed to run in privileged
+ containers.
+
+
+
+
+ yarn.nodemanager.runtime.linux.docker.privileged-containers.acl
+
+
+ Optional. A comma-separated list of users who are allowed to request
+ privileged contains if privileged containers are allowed.
+
+
+
```
In addition, a container-executer.cfg file must exist and contain settings for