[SPARK-9645] [yarn] [core] Allow shuffle service to read shuffle files. #7966
Conversation
Spark should not mess with the permissions of directories created by the cluster manager. Here, by setting the block manager dir permissions to 700, the shuffle service (running as the YARN user) wouldn't be able to serve shuffle files created by applications.
|
FYI @dragos since you may need to check what Mesos does, since that line was part of your change in SPARK-6287. |
| @@ -133,7 +133,6 @@ private[spark] class DiskBlockManager(blockManager: BlockManager, conf: SparkCon | |||
| Utils.getConfiguredLocalDirs(conf).flatMap { rootDir => | |||
| try { | |||
| val localDir = Utils.createDirectory(rootDir, "blockmgr") | |||
| Utils.chmod700(localDir) | |||
There was a problem hiding this comment.
Does this introduce security problems?
There was a problem hiding this comment.
No. The cluster manager is responsible for securing the app's directory (in YARN, only the app owner and the YARN group can read it; in standalone, only the user running the standalone service can; not sure about Mesos, which is why the Mesos code might need to be fixed separately).
There was a problem hiding this comment.
Actually standalone seems to be missing the chmod call; I'll just add that to this change.
|
Good catch! |
|
Test build #39894 has finished for PR 7966 at commit
|
|
Test build #39887 has finished for PR 7966 at commit
|
|
pyspark tests look really flaky lately. |
|
retest this please |
|
Test build #238 has finished for PR 7966 at commit
|
|
Not just pyspark tests... retest this please |
|
Mesos also chown the sandbox directory for you, but I'm not sure where this Utils.getConfiguredLocalDirs directories are going to be created. |
|
Test build #39917 has finished for PR 7966 at commit
|
|
Test build #39919 has finished for PR 7966 at commit
|
|
Unless someone has a different opinion, I'm gonna merge this because it's a serious regression. Mesos can be fixed separately if needed. |
|
@tnachen can you investigate? This is potentially a blocker for 1.5. |
|
@andrewor14 I just took a look and I see that it's creating a local directory that's not part of Mesos sandbox. I think we should definitely fix it so it creates in the sandbox in another ticket so it the temporary data will also be managed by Mesos and can be removed with mesos when the task is gone. Anyhow, it seems like you also need to manage the permission on the folder with Mesos since it's outside of Mesos, which means the chmod still applies for Mesos. |
I'm a little confused about what you wrote, especially the last part. Which chmod are you talking about? If Mesos creates directories for the application, it should tell the Spark application how to find them, and Spark should use that information. See how standalone does (the lines I touched in this PR, plus |
|
Yes Mesos creates a directory for each task it runs. And if you run any application with Mesos your current directory should be in that directory, or else it's accessed by looking at MESOS_SANDBOX env variable. |
What permission changes? The one I'm removing? That's the part I'm confused about. I'm removing this chmod because it breaks YARN secure mode. To use MESOS_SANDBOX you should change the code in Utils.scala that figures out the application's scratch directories (getConfiguredLocalDirs). Standalone does not need this chmod in DiskBlockManager, because the standalone cluster manager secures the app's directory (well, it should have been doing that, but it seems that it stopped doing that at some point and so I restored the functionality in this change). So it sounds to me like there might be a fix needed for Mesos, but since I have no access to a Mesos cluster for testing, please open a new bug to track it. |
|
Ah got it I thought the chmod is needed but just removed for YARN since YARN manages the directory. |
|
Ok, sounds like we have an agreement on how to move forward, so I'll merge this. |
Spark should not mess with the permissions of directories created by the cluster manager. Here, by setting the block manager dir permissions to 700, the shuffle service (running as the YARN user) wouldn't be able to serve shuffle files created by applications. Also, the code to protect the local app dir was missing in standalone's Worker; that has been now added. Since all processes run as the same user in standalone, `chmod 700` should not cause problems. Author: Marcelo Vanzin <vanzin@cloudera.com> Closes #7966 from vanzin/SPARK-9645 and squashes the following commits: 6e07b31 [Marcelo Vanzin] Protect the app dir in standalone mode. 384ba6a [Marcelo Vanzin] [SPARK-9645] [yarn] [core] Allow shuffle service to read shuffle files. (cherry picked from commit e234ea1) Signed-off-by: Marcelo Vanzin <vanzin@cloudera.com>
|
You shouldn't assume those directories are under the Mesos sandbox. They are user configurable (in the Hadoop world there would be several of them on different disks to allow parallel reads/writes). Also, shuffle files live there so you can't delete them when the executor exits, or dynamic allocation will break and Spark won't find them anymore. This is the bug that @tnachen reported first on the PR to add dynamic allocation on Mesos. That chmod was simply following what was done before, so I'm surprised there's any regression in Yarn. As far as I could tell at the time, Yarn mode took a different code path. Maybe some changes merged later unified some logic? Given that standalone mode now also allows dynamic allocation... |
Maybe that's how it works in mesos, and in such case, you should figure out how to fix it (in Mesos or in Spark). Yes, in YARN you can configure multiple of these directories but (i) Spark handles that just fine and (ii) YARN creates per-application directories, where the shuffle files are written. When containers (= executors) go away, those directories still remain. They're only deleted after the app finished. Nothing has changed here at all. You had to add this chmod, which means that you intentionally tried to change the behavior. And that broke existing code. |
Spark should not mess with the permissions of directories created
by the cluster manager. Here, by setting the block manager dir
permissions to 700, the shuffle service (running as the YARN user)
wouldn't be able to serve shuffle files created by applications.
Also, the code to protect the local app dir was missing in standalone's
Worker; that has been now added. Since all processes run as the same
user in standalone,
chmod 700should not cause problems.