[ https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374547#comment-15374547 ]
Zhankun Tang edited comment on YARN-5360 at 7/13/16 7:51 AM:
-------------------------------------------------------------

And one more thing we need to know is that this UID need not exist in the Docker image, see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096 7月 13 00:18 ./
drwx------ 25 root    root   4096 7月 13 22:16 ../
-rw-r--r--  1 root    root    402 7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34 7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1001 --rm -v /root/DockerDeepDive:/tmp/zhankun --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
/bin/bash: /tmp/zhankun/zhankun.sh: Permission denied
root@zhankun-host:~/DockerDeepDive#
{panel}
The centos doesn't have the zhankun user or the UID 1000 either, but the above example works.
Just because 1000 is the owner of local host's "zhankun.sh".

was (Author: tangzhankun):
And one more thing we need to know is that this UID need not exist in the Docker image, see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096 7月 13 00:18 ./
drwx------ 25 root    root   4096 7月 13 22:16 ../
-rw-r--r--  1 root    root    402 7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34 7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive#
{panel}
The centos doesn't have the zhankun user or the UID 1000 either, but the above example works.
Just because 1000 is the owner of local host's "zhankun.sh".

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>
> There is *a dependency between job submitting user and the user in the Docker
> image* in LCE currently. For instance, in order to run the Docker container
> as yarn user, we can choose to set the
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
> default (true). Then LCE will choose yarn (UID maybe 1001) as the user
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job
> user) and /etc/passwd (*currently the code is mounting to container's
> /etc/password, I think it's a mistake*) into the Docker container and
> utilizes the "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd to the container is a good choice. As
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command
> "--user=" option accepts a UID and *when passing a UID, the user does not have to
> exist in the container*. So we should use the UID instead of the user name to
> construct the Docker run command to eliminate the dependency that creates the
> same user in the Docker image. This gives LCE the ability to launch any
> Docker container safely regardless of what users are in it.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
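The run-as-UID approach the comment demonstrates, as an added illustration (this is not code from Hadoop YARN or the LinuxContainerExecutor): resolve the job user to a numeric uid/gid on the host, build the `docker run --user=UID:GID` argument vector, and model the discretionary access check the kernel applies to the bind-mounted script, which is why uid 1000 could run the 0700 `zhankun.sh` it owns while uid 1001 got "Permission denied". All function names and the `lookup` injection hook are hypothetical, and the script `demo_with_real_file` creates is a constructed sample.

```python
import os
import pwd
import stat
import tempfile
from typing import Callable, Iterable, List, Optional, Tuple

# Added illustration of the YARN-5360 idea; not Hadoop YARN / LCE code.
# Function names are hypothetical; 1000, 1001 and 0o700 reproduce the comment's scenario.


def resolve_host_uid_gid(user: str,
                         lookup: Optional[Callable[[str], Tuple[int, int]]] = None) -> Tuple[int, int]:
    """Map the run-as user to (uid, gid) using the HOST account database only.
    The image's /etc/passwd is never consulted, which is the point of passing a
    number to --user. A purely numeric name is passed through unchanged.
    `lookup` is a hypothetical injection hook so this runs without real accounts."""
    if user.isdigit():
        uid = int(user)
        return uid, uid  # assumption: primary gid == uid when only a number is supplied
    if lookup is not None:
        return lookup(user)
    ent = pwd.getpwnam(user)  # KeyError if the host itself does not know the user
    return ent.pw_uid, ent.pw_gid


def build_docker_run_cmd(uid: int, gid: int, host_dir: str, image: str, script: str) -> List[str]:
    """argv equivalent to the manual command in the comment, with an explicit
    numeric uid:gid so that no matching user has to exist inside the image."""
    return ["docker", "run", "--rm", f"--user={uid}:{gid}",
            "-v", f"{host_dir}:/tmp/work", "--workdir=/tmp/work",
            image, f"/tmp/work/{script}"]


def dac_allows(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Iterable[int], want: str) -> bool:
    """Unix discretionary access check as the kernel applies it to a bind-mounted
    file: owner bits if the uid matches, else group bits if any gid matches,
    else the 'other' bits. uid 0 bypasses read/write (CAP_DAC_OVERRIDE) but
    still needs at least one execute bit for 'x'. `want` is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    perm = stat.S_IMODE(mode)
    if uid == 0:
        return want != "x" or bool(perm & 0o111)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in set(gids):
        shift = 3
    else:
        shift = 0
    return bool((perm >> shift) & bit)


def launch_script_runnable_as(path: str, uid: int, gids: Iterable[int] = ()) -> bool:
    """Pre-flight check before building the command: the script the container
    will execute must be executable by the uid we are about to pass to --user,
    otherwise the container fails exactly like the uid=1001 run in the comment."""
    st = os.stat(path)
    return dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x")


def demo_with_real_file() -> Tuple[bool, bool]:
    """Create a constructed 0700 script owned by the current user and check it
    as that uid and as uid+1: the two outcomes seen in the comment."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
        f.write("#!/bin/sh\necho \"I'm uid $(id -u)\"\n")  # constructed sample script
        path = f.name
    try:
        os.chmod(path, 0o700)
        me = os.getuid()
        return launch_script_runnable_as(path, me), launch_script_runnable_as(path, me + 1)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    uid, gid = resolve_host_uid_gid("zhankun", lookup=lambda _u: (1000, 1000))
    print(build_docker_run_cmd(uid, gid, "/root/DockerDeepDive", "centos", "zhankun.sh"))
    print(dac_allows(0o700, 1000, 1000, 1000, [0], "x"),   # owner: allowed
          dac_allows(0o700, 1000, 1000, 1001, [0], "x"))   # other uid: denied
    print(demo_with_real_file())
```

Note that `--user=1000` alone (as in the comment) leaves the container's gid at 0, which is why `id` printed `gid=0(root)`; passing `uid:gid` explicitly avoids handing the job a root primary group it does not need.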