yarn里面的资源分配器给了两种,分别是:DefaultContainerExecutor和LinuxContainerExecutor,这两个都继承ContainerExecutor
区别
- DefaultContainerExecutor不会做cpu的分配,只做内存的分配
- LinuxContainerExecutor可以做cpu的分配,即采用这种资源分配器才会有提交到yarn的任务才会有cpu隔离,这个资源配置器采用了cgroup来做cpu隔离
配置
yarn.nodemanager.container-executor.class
可配置的值如下
org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor
或者org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor
说明
如果集群没有开启安全,而这个时候采用了LinuxContainerExecutor资源分配器,那么这个时候如果提交任务到yarn,无论用哪个用户提交,都会将提交的用户重置为nobody
,但是呢,yarn一般会限制用户id小于1000的用户提交任务,而nobody是linux初始化的系统用户,默认的id一般都会小于1000,所以你提交任务肯定是会失败的,会有如下日志:
main : run as user is nobody
main : requested yarn user is panel-qa
Requested user nobody is not whitelisted and has id 99,which is below the minimum allowed 1000
关键代码如下:
String getRunAsUser(String user) {
if (UserGroupInformation.isSecurityEnabled() ||
!containerLimitUsers) {
return user;
} else {
return nonsecureLocalUser;
}
}
nonsecureLocalUser = conf.get(
YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY,
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LOCAL_USER);
public static final String DEFAULT_NM_NONSECURE_MODE_LOCAL_USER = "nobody";
限制用户执行的是一段c的代码,如下:
if (user_info->pw_uid < min_uid && !is_whitelisted(user)) {
fprintf(LOGFILE, "Requested user %s is not whitelisted and has id %d,"
"which is below the minimum allowed %d\n", user, user_info->pw_uid, min_uid);
fflush(LOGFILE);
free(user_info);
return NULL;
}