Linux Container Executor
A setuid binary called
container-executor is part of the
hadoop-yarn package and is installed in
container-executor program, which is used on YARN
only and supported on GNU/Linux only, runs the containers as the user
who submitted the application. It requires all user accounts to be
created on the cluster hosts where the containers are launched. It uses
a setuid executable that is included in the Hadoop distribution. The
NodeManager uses this executable to launch and kill containers. The
setuid executable switches to the user who has submitted the application
and launches or kills the containers. For maximum security, this
executor sets up restricted permissions and user/group ownership of
local files and directories used by the containers such as the shared
objects, jars, intermediate files, and log files. As a result, only the
application owner and NodeManager can access any of the local
files/directories including those localized as part of the distributed
In a parcel deployment the
container-executor file is
located inside the parcel at
/usr/lib mount point, setuid should not be a
problem. However, the parcel could easily be located on a different
mount point. If you are using a parcel, make sure the mount point for
the parcel directory is without the nosuid option.
container-executor program must have a very
specific set of permissions and ownership to function correctly. In
particular, it must:
- Be owned by root.
- Be owned by a group that contains only the user running the YARN daemons.
- Be setuid.
- Be group readable and executable. This corresponds to the ownership
root:yarnand the permissions
---Sr-s--- 1 root yarn 91886 2012-04-01 19:54 container-executor