YARN Only: The Linux Container Executor Program

The container-executor program, which is used on YARN only and supported on GNU/Linux only, runs the containers as the user who submitted the application. It requires all user accounts to be created on the cluster nodes where the containers are launched. It uses a setuid executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and kill containers. The setuid executable switches to the user who has submitted the application and launches or kills the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files, and so on. As a result, only the application owner and NodeManager can access any of the local files/directories including those localized as part of the distributed cache.

The container-executor program must have a very specific set of permissions and ownership in order to function correctly. In particular, it must:

  1. Be owned by root
  2. Be owned by a group that contains only the user running the YARN daemons
  3. Be setuid
  4. Be group readable and executable

This corresponds to the ownership root:yarn and the permissions 6050.

---Sr-s--- 1 root yarn 91886 2012-04-01 19:54 container-executor