Docker on YARN configuration properties

Enable Docker Containers

false (unselected)

Specifies if Docker containers in YARN are enabled.

Allowed Linux Runtimes

Specifies the runtimes that are allowed when LinuxContainerExecutor is used.

Sleep Delay Before SIGKILL

10 (ms)

Specifies the time in milliseconds between sending a SIGTERM and a SIGKILL signal to a running container.

Allowed Docker Container Networks

Specifies the networks that are allowed for Docker containers. Valid values are determined by Docker networks available from the docker network ls command.

Default Docker Container Network

Specifies which allowed network is used when launching Docker containers but no network is specifies in the request. This network must be added to yarn.nodemanager.runtime.linux.docker.allowed-container-network.

Allow Using Host PID Namespace for Docker Containers

false (unselected)

Specifies if Docker containers are allowed to use the host PID namespace.

Allow Privileged Docker Containers

false (unselected)

Specifies if applications are allowed to run in privileged containers. Privileged containers are granted the complete set of capabilities and are not subject to the limitations imposed by the device cgroup controller. Use with extreme care!

Allow Delayed Removal of Docker Containers

false (unselected)

Specifies if Debug Deletion Delay is used for Docker containers. Debug Deletion Delay is useful for troubleshooting Docker container related launch failures. For more information, see yarn.nodemanager.delete.debug-delay-sec.

ACL for Privileged Docker Containers

Empty

A comma-separated list that specifies the users who can request privileged Docker containers if privileged Docker containers are allowed.

Docker Capabilities

Specifies the capabilities assigned to Docker containers when they are launched. The values may not be case-sensitive from a docker perspective, but Cloudera recommends to keep them uppercase.

Enable User Remapping for Docker Containers

true

Specifies if Docker containers can run with the UID (User Identifier) and GID (Group Identifier) of the calling user.

User Remapping UID Threshold for Docker Containers

Specifies the minimum UID (User Identifier) for a remapped user. Users with UIDs lower than this minimum value are not allowed to launch Docker containers when user remapping (yarn.nodemanager.runtime.linux.docker.enable-userremapping.allowed) is enabled.

User Remapping GID Threshold for Docker Containers

Specifies the minimum GID (Group Identifier) for a remapped user. Users with GIDs lower then this minimum value are not allowed to launch Docker containers when user remapping (yarn.nodemanager.runtime.linux.docker.enable-userremapping.allowed) is enabled.

Default Read-Only Mounts for Docker Containers

Although, it is not visible on the UI, the NodeManager Local Directories and Cgroups root are always added to this list.

A list that specifies the default read-only mounts to be bind-mounted into all Docker containers that use DockerContainerRuntime. NodeManager Local Directories and Cgroups root are always added to this list. Ensure that any additional default read-only mounts are also added to the Allowed Read-Only Mounts list.

Default Read-Write Mounts for Docker Containers

Although, it is not visible on the UI, the NodeManager Local Directories and NodeManager Container Log Directories are always added to this list.

A list that specifies the default read-write mounts to be bind-mounted into all Docker containers that use DockerContainerRuntime. NodeManager Local Directories and NodeManager Container Log Directories are always added to this list. Ensure that any additional default read-write mounts are also added to the Allowed Read-Write Mounts list.

Allowed Read-Only Mounts for Docker Containers

Although, it is not visible on the UI, the NodeManager Local Directories and Cgroups root are always added to this list.

Specifies the directories that Docker containers are allowed to mount in read-only mode. NodeManager Local Directories and Cgroups root are always added to this list. Ensure that any additional default read-only mounts are also added here.

Allowed Read-Write Mounts for Docker Containers

Although, it is not visible on the UI, the NodeManager Local Directories and NodeManager Container Log Directories are always added to this list.

Specifies the directories that Docker containers are allowed to mount in read-write mode. NodeManager Local Directories and NodeManager Container Log Directories are always added to this list. Ensure that any additional default read-write mounts are also added here.

Default Tempfs Mounts for Docker Containers

Empty - no directories are allowed in tmpfs to be mounted.

Specifies the directories in tmpfs that Docker containers are allowed to mount. By default, no directories are allowed in tmpfs to be mounted.

Docker Binary Path

Specifies the path of the binary in the hosts that is used to launch Docker containers.

Allowed Devices for Docker Containers

Empty - no devices are allowed to be mounted.

Specifies the devices that Docker containers are allowed to mount.

Allowed Volume Drivers for Docker Containers

Empty - no volume drivers are allowed.

Specifies the volume drivers which are allowed to be used with Docker.

Enable No-new-privileges Flag for Docker Containers

false (unselected)

Specifies if the no-new-privileges flag for docker run is enabled. The no-new-privileges flag ensures that the process or its children processes do not gain any additional privileges.

Trusted Registries for Docker Containers

Empty - no registries are defined.

A list that specifies the trusted docker registries for running trusted Docker containers.