YARN-6930. Admins should be able to explicitly enable specific LinuxContainerRuntime in the NodeManager. Contributed by Shane Kumpf

This commit is contained in:
Jason Lowe 2017-09-07 16:12:09 -05:00
parent f155ab7cfa
commit b0b535d9d5
10 changed files with 314 additions and 80 deletions

View File

@ -1470,6 +1470,23 @@ public static boolean isAclEnabled(Configuration conf) {
/** Prefix for runtime configuration constants. */ /** Prefix for runtime configuration constants. */
public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX + public static final String LINUX_CONTAINER_RUNTIME_PREFIX = NM_PREFIX +
"runtime.linux."; "runtime.linux.";
/**
* Comma separated list of runtimes that are allowed when using
* LinuxContainerExecutor. The allowed values are:
* <ul>
* <li>default</li>
* <li>docker</li>
* <li>javasandbox</li>
* </ul>
*/
public static final String LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES =
LINUX_CONTAINER_RUNTIME_PREFIX + "allowed-runtimes";
/** The default list of allowed runtimes when using LinuxContainerExecutor. */
public static final String[] DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES
= {"default"};
public static final String DOCKER_CONTAINER_RUNTIME_PREFIX = public static final String DOCKER_CONTAINER_RUNTIME_PREFIX =
LINUX_CONTAINER_RUNTIME_PREFIX + "docker."; LINUX_CONTAINER_RUNTIME_PREFIX + "docker.";

View File

@ -1571,6 +1571,14 @@
<value>false</value> <value>false</value>
</property> </property>
<property>
<description>Comma separated list of runtimes that are allowed when using
LinuxContainerExecutor. The allowed values are default, docker, and
javasandbox.</description>
<name>yarn.nodemanager.runtime.linux.allowed-runtimes</name>
<value>default</value>
</property>
<property> <property>
<description>This configuration setting determines the capabilities <description>This configuration setting determines the capabilities
assigned to docker containers when they are launched. While these may not assigned to docker containers when they are launched. While these may not

View File

@ -51,6 +51,7 @@
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerDiagnosticsUpdateEvent;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch; import org.apache.hadoop.yarn.server.nodemanager.containermanager.launcher.ContainerLaunch;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerPrepareContext; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerPrepareContext;
import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext; import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerLivenessContext;
@ -663,7 +664,8 @@ public void activateContainer(ContainerId containerId, Path pidFilePath) {
} }
// LinuxContainerExecutor overrides this method and behaves differently. // LinuxContainerExecutor overrides this method and behaves differently.
public String[] getIpAndHost(Container container) { public String[] getIpAndHost(Container container)
throws ContainerExecutionException {
return getLocalIpAndHost(container); return getLocalIpAndHost(container);
} }

View File

@ -625,7 +625,8 @@ private ContainerRuntimeContext buildContainerRuntimeContext(
} }
@Override @Override
public String[] getIpAndHost(Container container) { public String[] getIpAndHost(Container container)
throws ContainerExecutionException {
return linuxContainerRuntime.getIpAndHost(container); return linuxContainerRuntime.getIpAndHost(container);
} }

View File

@ -20,9 +20,11 @@
package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime; package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;
import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor; import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException; import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
@ -31,6 +33,7 @@
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import java.util.EnumSet;
import java.util.Map; import java.util.Map;
/** /**
@ -50,34 +53,62 @@ public class DelegatingLinuxContainerRuntime implements LinuxContainerRuntime {
private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime; private DefaultLinuxContainerRuntime defaultLinuxContainerRuntime;
private DockerLinuxContainerRuntime dockerLinuxContainerRuntime; private DockerLinuxContainerRuntime dockerLinuxContainerRuntime;
private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime; private JavaSandboxLinuxContainerRuntime javaSandboxLinuxContainerRuntime;
private EnumSet<LinuxContainerRuntimeConstants.RuntimeType> allowedRuntimes =
EnumSet.noneOf(LinuxContainerRuntimeConstants.RuntimeType.class);
@Override @Override
public void initialize(Configuration conf) public void initialize(Configuration conf)
throws ContainerExecutionException { throws ContainerExecutionException {
PrivilegedOperationExecutor privilegedOperationExecutor = String[] configuredRuntimes = conf.getTrimmedStrings(
PrivilegedOperationExecutor.getInstance(conf); YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime( YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES);
privilegedOperationExecutor); for (String configuredRuntime : configuredRuntimes) {
defaultLinuxContainerRuntime.initialize(conf); try {
dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime( allowedRuntimes.add(
privilegedOperationExecutor); LinuxContainerRuntimeConstants.RuntimeType.valueOf(
dockerLinuxContainerRuntime.initialize(conf); configuredRuntime.toUpperCase()));
javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime( } catch (IllegalArgumentException e) {
privilegedOperationExecutor); throw new ContainerExecutionException("Invalid runtime set in "
javaSandboxLinuxContainerRuntime.initialize(conf); + YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES + " : "
+ configuredRuntime);
}
}
if (isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX)) {
javaSandboxLinuxContainerRuntime = new JavaSandboxLinuxContainerRuntime(
PrivilegedOperationExecutor.getInstance(conf));
javaSandboxLinuxContainerRuntime.initialize(conf);
}
if (isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER)) {
dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(
PrivilegedOperationExecutor.getInstance(conf));
dockerLinuxContainerRuntime.initialize(conf);
}
if (isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT)) {
defaultLinuxContainerRuntime = new DefaultLinuxContainerRuntime(
PrivilegedOperationExecutor.getInstance(conf));
defaultLinuxContainerRuntime.initialize(conf);
}
} }
private LinuxContainerRuntime pickContainerRuntime( @VisibleForTesting
Map<String, String> environment){ LinuxContainerRuntime pickContainerRuntime(
Map<String, String> environment) throws ContainerExecutionException {
LinuxContainerRuntime runtime; LinuxContainerRuntime runtime;
//Sandbox checked first to ensure DockerRuntime doesn't circumvent controls //Sandbox checked first to ensure DockerRuntime doesn't circumvent controls
if (javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){ if (javaSandboxLinuxContainerRuntime != null &&
runtime = javaSandboxLinuxContainerRuntime; javaSandboxLinuxContainerRuntime.isSandboxContainerRequested()){
} else if (DockerLinuxContainerRuntime runtime = javaSandboxLinuxContainerRuntime;
.isDockerContainerRequested(environment)){ } else if (dockerLinuxContainerRuntime != null &&
DockerLinuxContainerRuntime.isDockerContainerRequested(environment)){
runtime = dockerLinuxContainerRuntime; runtime = dockerLinuxContainerRuntime;
} else { } else if (defaultLinuxContainerRuntime != null &&
!DockerLinuxContainerRuntime.isDockerContainerRequested(environment)) {
runtime = defaultLinuxContainerRuntime; runtime = defaultLinuxContainerRuntime;
} else {
throw new ContainerExecutionException("Requested runtime not allowed.");
} }
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
@ -88,7 +119,8 @@ private LinuxContainerRuntime pickContainerRuntime(
return runtime; return runtime;
} }
private LinuxContainerRuntime pickContainerRuntime(Container container) { private LinuxContainerRuntime pickContainerRuntime(Container container)
throws ContainerExecutionException {
return pickContainerRuntime(container.getLaunchContext().getEnvironment()); return pickContainerRuntime(container.getLaunchContext().getEnvironment());
} }
@ -127,8 +159,15 @@ public void reapContainer(ContainerRuntimeContext ctx)
} }
@Override @Override
public String[] getIpAndHost(Container container) { public String[] getIpAndHost(Container container)
throws ContainerExecutionException {
LinuxContainerRuntime runtime = pickContainerRuntime(container); LinuxContainerRuntime runtime = pickContainerRuntime(container);
return runtime.getIpAndHost(container); return runtime.getIpAndHost(container);
} }
@VisibleForTesting
boolean isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType runtimeType) {
return allowedRuntimes.contains(runtimeType);
}
} }

View File

@ -31,6 +31,15 @@ public final class LinuxContainerRuntimeConstants {
private LinuxContainerRuntimeConstants() { private LinuxContainerRuntimeConstants() {
} }
/**
* Linux container runtime types for {@link DelegatingLinuxContainerRuntime}.
*/
public enum RuntimeType {
DEFAULT,
DOCKER,
JAVASANDBOX;
}
public static final Attribute<Map> LOCALIZED_RESOURCES = Attribute public static final Attribute<Map> LOCALIZED_RESOURCES = Attribute
.attribute(Map.class, "localized_resources"); .attribute(Map.class, "localized_resources");
public static final Attribute<List> CONTAINER_LAUNCH_PREFIX_COMMANDS = public static final Attribute<List> CONTAINER_LAUNCH_PREFIX_COMMANDS =

View File

@ -38,6 +38,7 @@
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerKillEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerKillEvent;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher; import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher;
import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerHardwareUtils;
import org.apache.hadoop.yarn.util.ResourceCalculatorPlugin; import org.apache.hadoop.yarn.util.ResourceCalculatorPlugin;
@ -502,7 +503,8 @@ public void run() {
* @param entry process tree entry to fill in * @param entry process tree entry to fill in
*/ */
private void initializeProcessTrees( private void initializeProcessTrees(
Entry<ContainerId, ProcessTreeInfo> entry) { Entry<ContainerId, ProcessTreeInfo> entry)
throws ContainerExecutionException {
ContainerId containerId = entry.getKey(); ContainerId containerId = entry.getKey();
ProcessTreeInfo ptInfo = entry.getValue(); ProcessTreeInfo ptInfo = entry.getValue();
String pId = ptInfo.getPID(); String pId = ptInfo.getPID();

View File

@ -77,6 +77,10 @@ void reapContainer(ContainerRuntimeContext ctx)
/** /**
* Return the host and ip of the container * Return the host and ip of the container
*
* @param container the {@link Container}
* @throws ContainerExecutionException if an error occurs while getting the ip
* and hostname
*/ */
String[] getIpAndHost(Container container); String[] getIpAndHost(Container container) throws ContainerExecutionException;
} }

View File

@ -0,0 +1,137 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.junit.Before;
import org.junit.Test;
import java.util.HashMap;
import java.util.Map;
import static org.junit.Assert.*;
/**
* Test container runtime delegation.
*/
public class TestDelegatingLinuxContainerRuntime {
private DelegatingLinuxContainerRuntime delegatingLinuxContainerRuntime;
private Configuration conf;
private Map<String, String> env = new HashMap<>();
@Before
public void setUp() throws Exception {
delegatingLinuxContainerRuntime = new DelegatingLinuxContainerRuntime();
conf = new Configuration();
env.clear();
}
@Test
public void testIsRuntimeAllowedDefault() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
YarnConfiguration.DEFAULT_LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES[0]);
System.out.println(conf.get(
YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES));
delegatingLinuxContainerRuntime.initialize(conf);
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX));
}
@Test
public void testIsRuntimeAllowedDocker() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"docker");
delegatingLinuxContainerRuntime.initialize(conf);
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX));
}
@Test
public void testIsRuntimeAllowedJavaSandbox() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"javasandbox");
delegatingLinuxContainerRuntime.initialize(conf);
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER));
}
@Test
public void testIsRuntimeAllowedMultiple() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"docker,javasandbox");
delegatingLinuxContainerRuntime.initialize(conf);
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER));
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX));
assertFalse(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT));
}
@Test
public void testIsRuntimeAllowedAll() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"default,docker,javasandbox");
delegatingLinuxContainerRuntime.initialize(conf);
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DEFAULT));
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.DOCKER));
assertTrue(delegatingLinuxContainerRuntime.isRuntimeAllowed(
LinuxContainerRuntimeConstants.RuntimeType.JAVASANDBOX));
}
@Test
public void testJavaSandboxNotAllowedButPermissive() throws Exception {
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"default,docker");
conf.set(YarnConfiguration.YARN_CONTAINER_SANDBOX, "permissive");
delegatingLinuxContainerRuntime.initialize(conf);
ContainerRuntime runtime =
delegatingLinuxContainerRuntime.pickContainerRuntime(env);
assertTrue(runtime instanceof DefaultLinuxContainerRuntime);
}
@Test
public void testJavaSandboxNotAllowedButPermissiveDockerRequested()
throws Exception {
env.put(ContainerRuntimeConstants.ENV_CONTAINER_TYPE, "docker");
conf.set(YarnConfiguration.LINUX_CONTAINER_RUNTIME_ALLOWED_RUNTIMES,
"default,docker");
conf.set(YarnConfiguration.YARN_CONTAINER_SANDBOX, "permissive");
delegatingLinuxContainerRuntime.initialize(conf);
ContainerRuntime runtime =
delegatingLinuxContainerRuntime.pickContainerRuntime(env);
assertTrue(runtime instanceof DockerLinuxContainerRuntime);
}
}

View File

@ -71,68 +71,83 @@ request. For example:
The following properties should be set in yarn-site.xml: The following properties should be set in yarn-site.xml:
```xml ```xml
<property> <configuration>
<name>yarn.nodemanager.container-executor.class</name> <property>
<value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value> <name>yarn.nodemanager.container-executor.class</name>
<description> <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
This is the container executor setting that ensures that all applications <description>
are started with the LinuxContainerExecutor. This is the container executor setting that ensures that all applications
</description> are started with the LinuxContainerExecutor.
</property> </description>
</property>
<property> <property>
<name>yarn.nodemanager.linux-container-executor.group</name> <name>yarn.nodemanager.linux-container-executor.group</name>
<value>hadoop</value> <value>hadoop</value>
<description> <description>
The POSIX group of the NodeManager. It should match the setting in The POSIX group of the NodeManager. It should match the setting in
"container-executor.cfg". This configuration is required for validating "container-executor.cfg". This configuration is required for validating
the secure access of the container-executor binary. the secure access of the container-executor binary.
</description> </description>
</property> </property>
<property> <property>
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name> <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
<value>false</value> <value>false</value>
<description> <description>
Whether all applications should be run as the NodeManager process' owner. Whether all applications should be run as the NodeManager process' owner.
When false, applications are launched instead as the application owner. When false, applications are launched instead as the application owner.
</description> </description>
</property> </property>
<property> <property>
<name>yarn.nodemanager.runtime.linux.docker.allowed-container-networks</name> <name>yarn.nodemanager.runtime.linux.allowed-runtimes</name>
<value>host,none,bridge</value> <value>default,docker</value>
<description> <description>
Optional. A comma-separated set of networks allowed when launching Comma separated list of runtimes that are allowed when using
containers. Valid values are determined by Docker networks available from LinuxContainerExecutor. The allowed values are default, docker, and
`docker network ls` javasandbox.
</description> </description>
</property> </property>
<property> <property>
<description>The network used when launching Docker containers when no <name>yarn.nodemanager.runtime.linux.docker.allowed-container-networks</name>
network is specified in the request. This network must be one of the <value>host,none,bridge</value>
(configurable) set of allowed container networks.</description> <description>
<name>yarn.nodemanager.runtime.linux.docker.default-container-network</name> Optional. A comma-separated set of networks allowed when launching
<value>host</value> containers. Valid values are determined by Docker networks available from
</property> `docker network ls`
</description>
</property>
<property> <property>
<name>yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed</name> <name>yarn.nodemanager.runtime.linux.docker.default-container-network</name>
<value>false</value> <value>host</value>
<description> <description>
Optional. Whether applications are allowed to run in privileged containers. The network used when launching Docker containers when no
</description> network is specified in the request. This network must be one of the
</property> (configurable) set of allowed container networks.
</description>
</property>
<property> <property>
<name>yarn.nodemanager.runtime.linux.docker.privileged-containers.acl</name> <name>yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed</name>
<value></value> <value>false</value>
<description> <description>
Optional. A comma-separated list of users who are allowed to request Optional. Whether applications are allowed to run in privileged
privileged contains if privileged containers are allowed. containers.
</description> </description>
</property> </property>
<property>
<name>yarn.nodemanager.runtime.linux.docker.privileged-containers.acl</name>
<value></value>
<description>
Optional. A comma-separated list of users who are allowed to request
privileged contains if privileged containers are allowed.
</description>
</property>
</configuration>
``` ```
In addition, a container-executer.cfg file must exist and contain settings for In addition, a container-executer.cfg file must exist and contain settings for