Posted to yarn-issues@hadoop.apache.org by "Prabhu Joseph (Jira)" <ji...@apache.org> on 2019/09/27 09:39:00 UTC

[jira] [Updated] (YARN-9860) Enable service mode for Docker containers on YARN

     [ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prabhu Joseph updated YARN-9860:
--------------------------------
    Attachment: YARN-9860-001.patch

> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
>                 Key: YARN-9860
>                 URL: https://issues.apache.org/jira/browse/YARN-9860
>             Project: Hadoop YARN
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: YARN-9860-001.patch
>
>
> This task is to add support to YARN for running Docker containers in "Service Mode". 
> Service Mode - Run the container as defined by the image, but still allow for injecting configuration. 
> Background:
> 	Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as defined in the image. However, still requires modification to official images due to user propagation.
> 	User propagation is problematic for running a secure cluster with sssd.
>
> Implementation:
> 	Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
> 	Must be requested at runtime - (example: YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
> 	Entrypoint mode is default enabled for this mode (If Service Mode is requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set to true)
> 	Writable log mount will not be added - stdout logging may still work with entrypoint mode - remove the writable bind mounts
> 	User and groups will not be propagated (now: docker run --user nobody --group-add=nobody .... <image>, after: docker run .... <image>)
> 	Read-only resources mounted at the file level, files get chmod 777, parent directory only accessible by the run as user.
> cc [~shanekumpf@gmail.com]



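
The two gates in the issue's Implementation list (the c-e.cfg switch and the per-container request) can be audited together. The sketch below is an added example, not code from the YARN-9860 patch: the function names and the sample file are constructed, the three setting names are the ones quoted in the issue, and it assumes that a missing c-e.cfg key means "not allowed" and that section headers can be ignored when reading the file.

```python
# Added example (not from the YARN-9860 patch). Setting names come from the
# issue text; function names and SAMPLE_CFG are constructed for illustration.
CFG_KEY = "docker.service-mode.allowed"
ENV_SERVICE = "YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE"
ENV_OVERRIDE = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE"

# Constructed sample of a container-executor.cfg (c-e.cfg) file.
SAMPLE_CFG = """\
yarn.nodemanager.linux-container-executor.group=hadoop
[docker]
  module.enabled=true
  docker.service-mode.allowed=true
"""

def parse_cfg(text):
    """Collect key=value pairs; section headers, blanks and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def is_true(value):
    return (value or "").strip().lower() == "true"

def audit(cfg_text, env):
    """Report whether a container launch would run in service mode, and why it matters."""
    allowed = is_true(parse_cfg(cfg_text).get(CFG_KEY))  # assumption: absent means false
    requested = is_true(env.get(ENV_SERVICE))
    findings = []
    if requested and not allowed:
        findings.append("service mode requested but not allowed in c-e.cfg")
    if requested and allowed:
        findings.append("container runs as the image-defined user (no --user/--group-add)")
        findings.append("no writable log mount; read-only resource files are chmod 777")
        if not is_true(env.get(ENV_OVERRIDE)):
            findings.append(ENV_OVERRIDE + " should be true with service mode")
    return {"service_mode": allowed and requested, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CFG, {ENV_SERVICE: "true"}))
```
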