Posted to yarn-issues@hadoop.apache.org by "Sidharta Seethana (JIRA)" <ji...@apache.org> on 2016/10/14 23:44:21 UTC

[jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15576903#comment-15576903 ] 

Sidharta Seethana commented on YARN-4266:
-----------------------------------------

Usermod seems to be of limited use. From usermod's man page:

{code}
-u, --uid UID
           The new numerical value of the user's ID.

           This value must be unique, unless the -o option is used. The value must be non-negative.

           The user's mailbox, and any files which the user owns and which are located in the user's home directory will have the file user ID changed automatically.

           The ownership of files outside of the user's home directory must be fixed manually.

           No checks will be performed with regard to the UID_MIN, UID_MAX, SYS_UID_MIN, or SYS_UID_MAX from /etc/login.defs.
{code}

If nothing outside the user's home directory is updated, this is likely to break many images that use custom/non-root users?







> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: YARN-4266-branch-2.8.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the container processes should run as. We use this mechanism today when launching docker containers. In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in secure mode, as the submitting user. However, this mechanism breaks down with a large number of 'pre-created' images which don't necessarily have the users available within the image. Examples of such images include shared images that need to be used by multiple users. We need a way in which we can allow a pre-defined set of users to run containers based on existing images, without using the --user switch. There are some implications of disabling this user squashing that we'll need to work through: log aggregation, artifact deletion, etc.



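An added example, not part of the original comment or of the YARN patch: a shell sketch of the "fixed manually" step from the man page excerpt, listing and then re-owning files outside the home directory that still carry the old numeric UID after `usermod -u`. The function names `stale_uid_paths` and `remap_uid` and their argument order are assumptions made for this illustration.

```shell
#!/bin/sh
# Hypothetical helpers (not from YARN or shadow-utils).

# stale_uid_paths ROOT OLD_UID HOME_DIR
# Print every path under ROOT still owned by OLD_UID, skipping HOME_DIR,
# which usermod -u already re-owned.
#   -xdev   stay on one filesystem (keeps the scan out of /proc, /sys, mounts)
#   -prune  do not descend into the home directory
#   -user   a decimal value that is not a known user name is treated as a UID
stale_uid_paths() {
    find "$1" -xdev -path "$3" -prune -o -user "$2" -print 2>/dev/null
}

# stale_uid_count ROOT OLD_UID HOME_DIR
# Number of paths left behind; 0 means nothing outside the home directory
# depends on the old UID.
stale_uid_count() {
    stale_uid_paths "$@" | wc -l | tr -d ' '
}

# remap_uid ROOT OLD_UID NEW_UID HOME_DIR
# Re-own the paths reported above. chown -h changes a symlink itself rather
# than its target, so a link planted under ROOT cannot redirect the change.
remap_uid() {
    find "$1" -xdev -path "$4" -prune -o -user "$2" -exec chown -h "$3" {} +
}

# Typical use inside an image, as root, after `usermod -u NEW_UID app`:
#   stale_uid_paths / OLD_UID /home/app
#   remap_uid / OLD_UID NEW_UID /home/app
```

Running `stale_uid_count` before and after the remap shows how much of an image relied on the original UID outside the home directory.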