Github user rvesse commented on a diff in the pull request:

    https://github.com/apache/spark/pull/23017#discussion_r233560448
  
    --- Diff: resource-managers/kubernetes/docker/src/main/dockerfiles/spark/entrypoint.sh ---
    @@ -30,6 +30,10 @@ set -e
     # If there is no passwd entry for the container UID, attempt to create one
     if [ -z "$uidentry" ] ; then
         if [ -w /etc/passwd ] ; then
    +        # TODO Should we allow providing an environment variable to set 
the desired username?
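    Review bot: the new TODO leaves an open design question inside the branch that writes to /etc/passwd, so it should be settled here (or tracked in a JIRA referenced from the comment) rather than shipped as an unanswered question. If an environment variable for the username is adopted, the value must be validated before it is placed on the passwd line (reject ':' and newlines, restrict to a conservative character set), otherwise an untrusted value could inject extra fields or entries into /etc/passwd.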
    --- End diff --
    
    @vanzin Well, I am mostly following advice via @skonto from https://docs.okd.io/latest/creating_images/guidelines.html#use-uid which says:
    
    > For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
    >
    > Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
    > ...
    > Because the container user is always a member of the root group, the container user can read and write these files. The root group does not have any special permissions (unlike the root user) so there are no security concerns with this arrangement. In addition, the processes running in the container must not listen on privileged ports (ports below 1024), since they are not running as a privileged user.
    
    Which is also where this code snippet/pattern originates, from the folks who originally developed the container images for Spark on K8S.
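The arbitrary-UID pattern the comment refers to, as an added example that is not the Spark project's entrypoint code: a POSIX sh function that creates a passwd entry for the container UID only when the passwd file is writable, with the username (defaulting to a constructed placeholder) validated before it is written. The passwd file path and the home directory are parameters here so the function can be exercised against a temporary file; a real entrypoint would target /etc/passwd and the application's home.

```shell
#!/bin/sh
# Added example, not code from the Spark repository.
# Usage: ensure_passwd_entry UID GID PASSWD_FILE [USERNAME]
# Returns 0 when an entry for UID exists or was added,
#         1 when PASSWD_FILE is not writable,
#         2 when USERNAME is unsafe to write into a passwd line.
ensure_passwd_entry() {
    uid="$1"; gid="$2"; passwd_file="$3"; username="${4:-}"

    # Entry already present for this UID (match the uid field exactly): nothing to do.
    if grep -q "^[^:]*:[^:]*:${uid}:" "$passwd_file" 2>/dev/null; then
        return 0
    fi

    # Mirror the entrypoint guard: only proceed when the passwd file is writable.
    [ -w "$passwd_file" ] || return 1

    # Default name is a constructed placeholder, not the project's choice.
    if [ -z "$username" ]; then
        username="anonymous"
    fi

    # A name taken from the environment must not contain ':' or a newline,
    # or it could inject extra fields/entries; restrict to a conservative set.
    case "$username" in
        *[!a-z0-9_-]*|-*|"") return 2 ;;
    esac

    # /nonexistent is a placeholder home; use the application's home in practice.
    echo "${username}:x:${uid}:${gid}:${username}:/nonexistent:/bin/false" >> "$passwd_file"
}
```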