[ 
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374547#comment-15374547
 ] 

Zhankun Tang edited comment on YARN-5360 at 7/13/16 7:51 AM:
-------------------------------------------------------------

And one more thing we need to know is that this UID need not exist in the 
Docker image; see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh 
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096  7月 13 00:18 ./
drwx------ 25 root    root   4096  7月 13 22:16 ../
-rw-r--r--  1 root    root    402  7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34  7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1001 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
/bin/bash: /tmp/zhankun/zhankun.sh: Permission denied
root@zhankun-host:~/DockerDeepDive#
{panel}

The centos image doesn't have the zhankun user or the UID 1000 either, but the 
above example works, just because 1000 is the owner of the local host's "zhankun.sh".


was (Author: tangzhankun):
And one more thing we need to know is that this UID need not exist in the 
Docker image; see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh 
root@zhankun-host:~/DockerDeepDive# ls
demo.txt  zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root    root   4096  7月 13 00:18 ./
drwx------ 25 root    root   4096  7月 13 22:16 ../
-rw-r--r--  1 root    root    402  7月 13 00:17 demo.txt
-rwx------  1 zhankun hadoop   34  7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v /root/DockerDeepDive:/tmp/zhankun  --workdir=/tmp/zhankun/ centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive#
{panel}

The centos image doesn't have the zhankun user or the UID 1000 either, but the 
above example works, just because 1000 is the owner of the local host's "zhankun.sh".
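The transcript above shows the mechanism behind the proposal: the kernel's permission check compares the numeric uid/gid stored in the inode of `zhankun.sh` with the numeric credentials of the container process, so no user-name lookup (and no `/etc/passwd` in the image) is involved. The following script is an added example, not code from this thread or from Hadoop's LinuxContainerExecutor. It models that permission check with constructed inode values (`zhankun.sh` as `-rwx------` owned by uid 1000; the `hadoop` gid is an assumed 1001) and replays the two runs from the transcript, one as uid 1000 and one as uid 1001. It also sketches a hypothetical `docker_run_argv` helper that derives the `--user=` value from `stat(2)` of the launch script instead of from a user name; as a design choice it passes `uid:gid` explicitly, because `--user=<uid>` alone falls back to gid 0 when the uid is unknown to the image (the `gid=0(root)` visible in the transcript). Docker itself is never invoked, so the script runs offline.

```python
"""Added example; not code from the JIRA thread or from Hadoop's
LinuxContainerExecutor. Models the behaviour shown in the transcript and
sketches how a launcher could derive `--user=` from the launch script's owner."""
import os
import stat
import tempfile

R, W, X = 4, 2, 1  # read/write/execute bits of one rwx triplet in st_mode


def dac_check(st_mode, st_uid, st_gid, uid, gid, want):
    """Simplified Unix discretionary-access check.

    The kernel compares the *numeric* uid/gid stored in the inode with the
    process credentials; no user-name lookup (and hence no /etc/passwd inside
    the container) is involved. Capabilities (e.g. root's CAP_DAC_OVERRIDE),
    ACLs and supplementary groups are deliberately not modelled.
    """
    if uid == st_uid:
        granted = (st_mode >> 6) & 0o7   # owner class
    elif gid == st_gid:
        granted = (st_mode >> 3) & 0o7   # group class
    else:
        granted = st_mode & 0o7          # other class
    return granted & want == want


def docker_run_argv(launch_script, host_dir, container_dir, image):
    """Build a `docker run` argv from the numeric owner of the launch script.

    Hypothetical helper: uid and gid are read with stat(2) from the script the
    container will execute, so the image needs neither that user nor a
    bind-mounted /etc/passwd. The gid is passed explicitly because
    `--user=<uid>` alone falls back to gid 0 when the uid is unknown to the
    image (the `gid=0(root)` seen in the transcript).
    """
    st = os.stat(launch_script)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{launch_script} is not a regular file")
    if not st.st_mode & stat.S_IXUSR:
        raise PermissionError(f"{launch_script} is not executable by its owner")
    rel = os.path.relpath(launch_script, host_dir)
    return [
        "docker", "run", "--rm",
        f"--user={st.st_uid}:{st.st_gid}",
        "-v", f"{host_dir}:{container_dir}",
        f"--workdir={container_dir}",
        image,
        os.path.join(container_dir, rel),
    ]


def replay_transcript():
    """Replay the two runs from the transcript with constructed inode values.

    zhankun.sh is -rwx------ owned by uid 1000; the group gid (hadoop) is a
    constructed 1001. Both containers run with gid 0, as `--user=<uid>` alone
    produced in the transcript.
    """
    mode, owner_uid, owner_gid = 0o700, 1000, 1001
    as_1000 = dac_check(mode, owner_uid, owner_gid, 1000, 0, X)  # True
    as_1001 = dac_check(mode, owner_uid, owner_gid, 1001, 0, X)  # False: Permission denied
    return as_1000, as_1001


def build_for_temp_script(image="centos"):
    """Create a throwaway launch script and build its docker argv.

    Returns the argv together with the script's numeric owner so the two can
    be compared; docker itself is not invoked.
    """
    with tempfile.TemporaryDirectory() as host_dir:
        script = os.path.join(host_dir, "launch_container.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
        os.chmod(script, 0o700)
        st = os.stat(script)
        return docker_run_argv(script, host_dir, "/tmp/work", image), st.st_uid, st.st_gid


if __name__ == "__main__":
    print(replay_transcript())  # (True, False)
    argv, uid, gid = build_for_temp_script()
    print(" ".join(argv))
```

`replay_transcript()` returns `(True, False)`: the owner class of `0o700` grants execute to uid 1000, while uid 1001 with gid 0 falls into the "other" class, which grants nothing, matching the `Permission denied` in the transcript. The `dac_check` model intentionally omits capabilities, so a uid-0 process is treated like any other non-owner; the real kernel would let root through via CAP_DAC_OVERRIDE, which is one more reason to run job containers as a non-root numeric uid.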

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>
> There is *a dependency between the job-submitting user and the user in the Docker 
> image* in LCE currently. For instance, in order to run the Docker container 
> as the yarn user, we can choose to set 
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn 
> and leave 
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" 
> at its default (true). Then LCE will choose yarn (UID maybe 1001) as the user 
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job 
> user) and /etc/passwd (*currently the code is mounting it to the container's 
> /etc/password, which I think is a mistake*) into the Docker container and 
> utilizes the "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd into the container is a good choice. As 
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command's 
> "--user=" option accepts a UID and *when passing a UID, the user does not have to 
> exist in the container*. So we should use the UID instead of the user name to 
> construct the Docker run command to eliminate the dependency of creating the 
> same user in the Docker image. This gives LCE the ability to launch any 
> Docker container safely regardless of what users are in it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
