Linux Container Executor
A setuid binary called
container-executor is part of the
hadoop-yarn package and is installed in
container-executor program, which is used
on YARN only and supported on GNU/Linux only, runs the containers as the user who submitted
the application. It requires all user accounts to be created on the cluster hosts where the
containers are launched. It uses a setuid executable that is included in the Hadoop
distribution. The NodeManager uses this executable to launch and stop containers. The setuid
executable switches to the user who has submitted the application and launches or stops the
containers. For maximum security, this executor sets up restricted permissions and user/group
ownership of local files and directories used by the containers such as the shared objects,
jars, intermediate files, and log files. As a result, only the application owner and
NodeManager can access any of the local files/directories including those localized as part of
the distributed cache.
In a parcel deployment the
container-executor file is
located inside the parcel at
/usr/lib mount point, setuid should not be a
problem. However, the parcel could easily be located on a different
mount point. If you are using a parcel, make sure the mount point for
the parcel directory is without the nosuid option.
container-executor program must have a very
specific set of permissions and ownership to function correctly. In
particular, it must:
- Be owned by root.
- Be owned by a group that contains only the user running the YARN daemons.
- Be setuid.
- Be group readable and executable. This corresponds to the ownership
root:yarnand the permissions
---Sr-s--- 1 root yarn 91886 2012-04-01 19:54 container-executor