Posted to yarn-issues@hadoop.apache.org by "Zhankun Tang (JIRA)" <ji...@apache.org> on 2016/07/13 07:51:20 UTC

[jira] [Comment Edited] (YARN-5360) Use UID instead of user name to build the Docker run command

    [ https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374547#comment-15374547 ] 

Zhankun Tang edited comment on YARN-5360 at 7/13/16 7:51 AM:
-------------------------------------------------------------

And one more thing we need to know is that this UID need not exist in the Docker image; see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh 
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096  7月 13 00:18 ./
drwx------ 25 root    root   4096  7月 13 22:16 ../
-rw-r--r--  1 root    root    402  7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34  7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1001 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
/bin/bash: /tmp/zhankun/zhankun.sh: Permission denied
root@zhankun-host:~/DockerDeepDive#
{panel}

The centos image doesn't have the zhankun user or the UID 1000 either, but the above example works, just because 1000 is the owner of the local host's "zhankun.sh".


was (Author: tangzhankun):
And one more thing we need to know is that this UID need not exist in the Docker image; see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh 
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096  7月 13 00:18 ./
drwx------ 25 root    root   4096  7月 13 22:16 ../
-rw-r--r--  1 root    root    402  7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34  7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive#
{panel}

The centos image doesn't have the zhankun user or the UID 1000 either, but the above example works, just because 1000 is the owner of the local host's "zhankun.sh".

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>
> There is *a dependency between the job submitting user and the user in the Docker image* in LCE currently. For instance, in order to run the Docker container as the yarn user, we can choose to set "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn and leave "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" at its default (true). Then LCE will choose yarn (UID maybe 1001) as the user running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job user) and /etc/passwd (*currently the code is mounting it to the container's /etc/password; I think that's a mistake*) into the Docker container and utilizes the "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd into the container is a good choice. As far as I know, since Docker v1.8 (or maybe earlier), the Docker run command "--user=" option accepts a UID and *when passing a UID, the user does not have to exist in the container*. So we should use the UID instead of the user name to construct the Docker run command to eliminate the dependency of creating the same user in the Docker image. This gives LCE the ability to launch any Docker container safely regardless of what users are in it.
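As an added illustration (not code from YARN-5360 or from LCE itself), the following Python builds the docker run argv with a numeric --user resolved from the host's passwd data, the way the issue proposes, and emulates the permission check that produced the "Permission denied" for --user=1001 above: access to the bind-mounted script is decided by numeric ownership and mode bits, never by a user name inside the image. The passwd text, the uid:gid form of --user (the thread passes only the uid) and the can_execute helper are assumptions of this example.

```python
"""Added example for YARN-5360: numeric --user and bind-mount permissions."""
import stat

# Constructed stand-in for the host's /etc/passwd (not a real system file).
HOST_PASSWD = """root:x:0:0:root:/root:/bin/bash
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
yarn:x:1001:1001::/home/yarn:/bin/bash
"""


def resolve_uid_gid(passwd_text, user):
    """Return (uid, gid) for a user name from passwd-format text."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            return int(fields[2]), int(fields[3])
    raise KeyError(f"unknown user {user!r}")


def build_docker_run(passwd_text, run_as_user, host_dir, image, script):
    """Build the argv list with a numeric uid:gid (an assumption of this
    example; the thread passes only the uid). Because ids are numeric, the
    user need not exist in the image and /etc/passwd is not mounted."""
    uid, gid = resolve_uid_gid(passwd_text, run_as_user)
    workdir = f"/tmp/{run_as_user}"
    return ["docker", "run", "--rm", f"--user={uid}:{gid}",
            "-v", f"{host_dir}:{workdir}", f"--workdir={workdir}/",
            image, f"{workdir}/{script}"]


def can_execute(file_uid, file_gid, mode, proc_uid, proc_gids):
    """Emulate the kernel's execute check on the bind-mounted file:
    the container process is matched by numeric ids only."""
    if proc_uid == 0:
        # root (CAP_DAC_OVERRIDE) still needs at least one execute bit
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if proc_uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def launch_outcome(file_uid, file_gid, mode, proc_uid, proc_gids={0}):
    """Mirror the two runs in the thread: 'ok' for the owner's uid,
    'Permission denied' for any other uid on a mode-0700 script."""
    ok = can_execute(file_uid, file_gid, mode, proc_uid, set(proc_gids))
    return "ok" if ok else "Permission denied"
```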



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org