You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/10/19 21:40:00 UTC
[jira] [Comment Edited] (YARN-8922) Fix test-container-executor
[ https://issues.apache.org/jira/browse/YARN-8922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16657472#comment-16657472 ]
Eric Yang edited comment on YARN-8922 at 10/19/18 9:39 PM:
-----------------------------------------------------------
The code base may have years of evolution that made some mode of operations irreverent. There are two modes that container-executor operates on:
In none secure mode
yarn user = yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (nobody)
user = user who submitted the app.
In secure mode
yarn user = yarn (or the user who runs node manager)
user = user who submitted the app
When unit test running as normal user, the non-secure mode is exercised. Additional tests will be triggered for secure mode validations, if unit test is running as root user.
I think delete /tmp/test-container-executor after test-container-executor completed, is probably the good enough option to solve the unit tests problem. However, 755 must be enforced for yarn local dir to prevent security problem, and /tmp/test-container-executor seems like a prefix of yarn local dir. Without enforcing 755, it is a security hole as well.
was (Author: eyang):
The code base may have years of evolution that made some mode of operations irreverent. There are two modes that container-executor operates on:
In none secure mode
yarn user = yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (nobody)
user = user who submitted the app.
In secure mode
yarn user = yarn (or the user who runs node manager)
user = user who submitted the app
When unit test running as normal user, the non-secure mode is exercised. Additional tests will be triggered for secure mode validations, if unit test is running as root user.
I think delete /tmp/test-container-executor after test-container-executor completed, is probably the better option to solve the unit tests problem.
> Fix test-container-executor
> ---------------------------
>
> Key: YARN-8922
> URL: https://issues.apache.org/jira/browse/YARN-8922
> Project: Hadoop YARN
> Issue Type: Bug
> Components: test
> Affects Versions: 3.3.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Major
> Attachments: YARN-8922.001.patch
>
>
> YARN-8448 attempted to fix the {{test-container-executor}} C test to be able to run as root. The test claims that it should be possible to run as root; in fact, there are some tests that only run if you use root.
> One of the fixes was to change the permissions of the test's config dir to 0777 from 0755. The problem was that the directory was owned by root, but then other users would need to write files/directories under it, which would fail with 0755. YARN-8448 fixed this by making it 0777. However, this breaks running cetest because it expects the directory to be 0755, and it's run afterwards.
> The proper fix for all this is to leave the directory at 0755, but to make sure it's owned by the "nodemanager" user. Confusingly, in {{test-container-executor}}, that appears to be the {{username}} and not the {{yarn_username}} (i.e. {{username}} is the user running the NM while {{yarn_username}} is just some user running a Yarn app).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org