Linux Container Executor

A setuid binary called container-executor is part of the hadoop-yarn package and is installed in /var/lib/hadoop-yarn/bin/container-executor.

This container-executor program, which is used on YARN only and supported on GNU/Linux only, runs the containers as the user who submitted the application. It requires all user accounts to be created on the cluster hosts where the containers are launched. It uses a setuid executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and stop containers. The setuid executable switches to the user who has submitted the application and launches or stops the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, and log files. As a result, only the application owner and NodeManager can access any of the local files/directories including those localized as part of the distributed cache.

Parcel Deployments

In a parcel deployment the container-executor file is located inside the parcel at /opt/cloudera/parcels/CDH/lib/hadoop-yarn/bin/container-executor. For the /var/lib mount point, setuid should not be a problem. However, the parcel could easily be located on a different mount point. If you are using a parcel, ensure that the mount point for the parcel directory is without the -nosuid and -noexec options.

The container-executor program must have a very specific set of permissions and ownership to function correctly. In particular, it must:

  1. Be owned by root.
  2. Be owned by a group that contains only the user running the YARN daemons.
  3. Be setuid.
  4. Be group readable and executable. This corresponds to the ownership root:yarn and the permissions 6050.
    ---Sr-s--- 1 root yarn 91886 2012-04-01 19:54 container-executor