No. If you look inside the code of container-executor, it checks and
constantly re-writes the permissions:

/**
 * Ensure that the given path and all of the parent directories are created
 * with the desired permissions.
 */
int mkdirs(const char* path, mode_t perm) {
  struct stat sb;

New runs re-write all permissions when any folder is created! So user abc
will recreate the tree.

On Mon, Jan 12, 2026 at 10:42 PM Balaji Radhakrishnan <
[email protected]> wrote:
> Hello Edward,
>
> I think you should be able to give write permissions 'rx' to group
> manually.
>
> Thanks
> R Balaji
>
> ------------------------------
> *From:* Edward Capriolo <[email protected]>
> *Sent:* Tuesday, January 13, 2026 2:47:18 AM
> *To:* [email protected] <[email protected]>
> *Subject:* Re: Question on linux-container-executor
>
> src/main/native/container-executor/test/test-container-executor.c
>
> void create_nm_roots(char ** nm_roots) {
>   char** nm_root;
>   for(nm_root=nm_roots; *nm_root != NULL; ++nm_root) {
>     if (mkdir(*nm_root, 0755) != 0) {
>       printf("FAIL: Can't create directory %s - %s\n", *nm_root,
>              strerror(errno));
>       exit(1);
>     }
>     char buffer[100000];
>     sprintf(buffer, "%s/usercache", *nm_root);
>     if (mkdir(buffer, 0755) != 0) {
>       printf("FAIL: Can't create directory %s - %s\n", buffer,
>              strerror(errno));
>       exit(1);
>     }
>   }
> }
>
>
> The test here is creating 755 which on the surface seems to differ with
> what I am seeing.
>
> On Mon, Jan 12, 2026 at 3:53 PM Edward Capriolo <[email protected]>
> wrote:
>
> Hello. I am trying to run linux-container-executor in a setup without
> kerberos. I want to see it "change user" and run a map reduce job.
>
> I have a fork of linux-container-executor with some gratuitous println:
>
> main : command provided 0
> 2026-01-12T19:51:25.467740715Z main : run as user is auser
> 2026-01-12T19:51:25.467750476Z main : requested yarn user is auser
> 2026-01-12T19:51:25.467760225Z main : validate_container_id
> 2026-01-12T19:51:25.467771148Z main : huh
> 2026-01-12T19:51:25.467784131Z validated command: INITIALIZE_CONTAINER
> 2026-01-12T19:51:25.467795274Z init : set_user
> 2026-01-12T19:51:25.467805332Z maybe free_user
> 2026-01-12T19:51:25.467815142Z going to check user
> 2026-01-12T19:51:25.467824798Z min id
> 2026-01-12T19:51:25.467833618Z min id 1000
> 2026-01-12T19:51:25.467842685Z Get user info
> 2026-01-12T19:51:25.467851066Z init : set_user done
> 2026-01-12T19:51:25.467860879Z initialize_app(
> 2026-01-12T19:51:25.467871118Z create user dirs
> 2026-01-12T19:51:25.467881131Z initialize_user.
> 2026-01-12T19:51:25.467890384Z created
> 2026-01-12T19:51:25.467900435Z create_log_dirs().
> 2026-01-12T19:51:25.467911090Z create container log
> 2026-01-12T19:51:25.467920790Z create_container_log_dirs
> 2026-01-12T19:51:25.467931683Z open_file_as_nm.
> 2026-01-12T19:51:25.467941717Z change_user
> 2026-01-12T19:51:25.467952667Z change_user.
> 2026-01-12T19:51:25.467962032Z Can't create directory /yarn-root/nm-local-dir/usercache/auser/appcache - Permission denied
> 2026-01-12T19:51:25.467973350Z Did not create any app directories
>
> I am creating users like this:
>
> RUN addgroup -S hadoop
> RUN addgroup -S hdfs && adduser -S -G hdfs -H -D hdfs
> RUN addgroup -S yarn && adduser -S -G yarn -H -D yarn
> RUN addgroup yarn hadoop
> RUN addgroup -S auser && adduser -S -G auser -H -D auser
>
> I am launching a wordcount as "auser" like so:
>
>
> https://github.com/edwardcapriolo/edgy-ansible/blob/main/imaging/hadoop/compositions/ha_rm_zk_pki_tls/enter_auser.sh
>
> This is what the directory inside the node manager looks like:
>
> nm1:/yarn-root/nm-local-dir/usercache# rm -rf auser/
> nm1:/yarn-root/nm-local-dir/usercache# ld -lahd /yarn-root/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lahd /yarn-root/
> drwxr-xr-x 1 yarn root 24 Jan 12 19:32 /yarn-root/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lahd /yarn-root/nm-local-dir/
> drwxr-xr-x 1 yarn hadoop 54 Jan 12 19:32 /yarn-root/nm-local-dir/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lahd /yarn-root/nm-local-dir/
> filecache/ nmPrivate/ usercache/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lahd /yarn-root/nm-local-dir/usercache/
> drwxr-sr-x 1 yarn hadoop 10 Jan 12 20:38 /yarn-root/nm-local-dir/usercache/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lahd /yarn-root/nm-local-dir/usercache/auser/
> drwxr-s--- 1 auser hadoop 0 Jan 12 20:38 /yarn-root/nm-local-dir/usercache/auser/
>
> My node manager is running as yarn
> nm1:/$ ps -ef | grep yarn
> 1 yarn 0:20 /usr/bin/java -Dproc_nodemanager
>
> nm1:/$ id -u yarn
> 101
> nm1:/$ id -g yarn
> 103
> nm1:/$ id -G yarn
> 103 101
> nm1:/$ id -G yarn -n
> yarn hadoop
>
> nm1:/$ umask
> 0022
>
> I am guessing that the issue is
>
> drwxr-s--- 1 auser hadoop 0 Jan 12 20:38 auser
>
> This directory gets owned by auser/hadoop but the group write is off?
>
> My yarn config is here:
>
> https://github.com/edwardcapriolo/edgy-ansible/blob/main/imaging/hadoop/compositions/ha_rm_zk_pki_tls/hd_conf/yarn-site.xml#L126
>
> Also, manually changing it, it just gets put back
>
> nm1:/yarn-root/nm-local-dir/usercache# chmod g+w auser/
> nm1:/yarn-root/nm-local-dir/usercache# ls -lah
> total 0
> drwxr-sr-x 1 yarn hadoop 10 Jan 12 20:38 .
> drwxr-xr-x 1 yarn hadoop 54 Jan 12 19:32 ..
> drwxrws--- 1 auser hadoop 0 Jan 12 20:38 auser
> nm1:/yarn-root/nm-local-dir/usercache# ls -lah
> total 0
> drwxr-sr-x 1 yarn hadoop 10 Jan 12 20:38 .
> drwxr-xr-x 1 yarn hadoop 54 Jan 12 19:32 ..
> drwxr-s--- 1 auser hadoop 0 Jan 12 20:38 auser
>
> Any help would be appreciated. Thanks!
>
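
The directory listing quoted in this thread can be evaluated against the POSIX mode-bit rules to see which identity would be refused a mkdir under usercache/auser. The following is an added example, not part of the thread and not Hadoop code; the struct and function names are hypothetical, and the uid/gid for auser (1000) and the gid for root (0) are assumed values.

```c
#include <stdio.h>
#include <sys/types.h>

/* One path component as `ls -ld` shows it: owner, group, mode bits. */
struct node { const char *path; uid_t uid; gid_t gid; mode_t mode; };
/* A process identity: effective uid plus every group id it holds. */
struct ident { const char *name; uid_t uid; const gid_t *groups; int ngroups; };

/* POSIX picks exactly one class: owner bits, else group bits, else other.
 * ACLs and root's CAP_DAC_OVERRIDE are not modelled. */
static unsigned rwx_for(const struct node *n, const struct ident *id) {
    if (id->uid == n->uid) return (n->mode >> 6) & 7;
    for (int i = 0; i < id->ngroups; i++)
        if (id->groups[i] == n->gid) return (n->mode >> 3) & 7;
    return n->mode & 7;
}

/* mkdir() inside chain[n-1] needs search (x) on every ancestor and
 * write+search (wx) on the parent. Returns the index of the first
 * component that denies access, or -1 if the mkdir is permitted. */
int first_denied(const struct node *chain, int n, const struct ident *id) {
    for (int i = 0; i < n; i++) {
        unsigned need = (i == n - 1) ? 3u : 1u;
        if ((rwx_for(&chain[i], id) & need) != need) return i;
    }
    return -1;
}

/* Constructed from the thread's listing: yarn uid 101 / gid 103, hadoop
 * gid 101. root gid 0 and auser uid/gid 1000 are assumed values. */
const struct node CHAIN[] = {
    { "/yarn-root",                              101,  0,   0755  },
    { "/yarn-root/nm-local-dir",                 101,  101, 0755  },
    { "/yarn-root/nm-local-dir/usercache",       101,  101, 02755 },
    { "/yarn-root/nm-local-dir/usercache/auser", 1000, 101, 02750 },
};
const gid_t YARN_GROUPS[]  = { 103, 101 };
const gid_t AUSER_GROUPS[] = { 1000 };
const struct ident YARN  = { "yarn",  101,  YARN_GROUPS,  2 };
const struct ident AUSER = { "auser", 1000, AUSER_GROUPS, 1 };

int main(void) {
    const struct ident *ids[] = { &YARN, &AUSER };
    for (int k = 0; k < 2; k++) {  /* print the denying component per identity */
        int d = first_denied(CHAIN, 4, ids[k]);
        printf("%-5s %s\n", ids[k]->name, d < 0 ? "permitted" : CHAIN[d].path);
    }
    return 0;
}
```

With the modes from the listing, the yarn identity is refused at usercache/auser because the group class is r-x, while the owning uid is not refused anywhere in the chain.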