A container log is not part of the yarn service logs and will not be affected by any of the yarn settings. The container log looks like a log from an AM and that means that you most likely are looking at a problem of the AM web UI not being able to bind.
The AM web ui will bind to an ephemeral port which can not be limited to a set of ports. Make sure that you allow binding to any port on the NM's from your security groups in AWS.
It doesn't look like we have any restrictions on our NodeManager instances. We only have one outbound security rule in all our groups with the following permissions.
I'm having a similar issue but with a different stack trace. Were you able to resolve this problem?
We were finally able to resolve this issue.
For us, we were using classpath precedence override's to use our own classpath lib jars before cloudera's common lib directory. This resulted in an older version of guice being loaded for certain actions which caused the errors in the application logs.
We resolved this issue by resolving the dependency issue between our projects and cloudera's lib.