Prabhu Joseph created YARN-9860:
-----------------------------------

             Summary: Enable service mode for Docker containers on YARN
                 Key: YARN-9860
                 URL: https://issues.apache.org/jira/browse/YARN-9860
             Project: Hadoop YARN
          Issue Type: Improvement
    Affects Versions: 3.3.0
            Reporter: Prabhu Joseph
            Assignee: Prabhu Joseph


This task is to add support to YARN for running Docker containers in "Service Mode".

Service Mode - Run the container as defined by the image, but still allow for injecting configuration.

Background:
        Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as defined in the image. However, still requires modification to official images due to user propagation
        User propagation is problematic for running a secure cluster with sssd

Implementation:
        Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
        Must be requested at runtime - (example: YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
        Entrypoint mode is default enabled for this mode (If Service Mode is requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set to true)
        Writable log mount will not be added - stdout logging may still work with entrypoint mode - remove the writable bind mounts
        User and groups will not be propagated (now: docker run --user nobody --group-add=nobody .... <image>, after: docker run .... <image>)
        Read-only resources mounted at the file level, files get chmod 777, parent directory only accessible by the run as user.


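The two gates and their launch-time consequences listed under Implementation can be modelled as follows. This is an added illustration, not code from the issue or from YARN; it assumes the key sits in the `[docker]` section of c-e.cfg, and `plan_launch`, `service_mode_allowed` and the sample configs are hypothetical names constructed here.

```python
import configparser

# Names below are the ones given as examples in the issue text.
CFG_KEY = "docker.service-mode.allowed"
ENV_SERVICE = "YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE"
ENV_OVERRIDE = "YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE"

# Constructed sample configs (not taken from a real cluster).
ALLOWED_CFG = "banned.users=root\n[docker]\nmodule.enabled=true\ndocker.service-mode.allowed=true\n"
DENIED_CFG = "banned.users=root\n[docker]\nmodule.enabled=true\n"


def _is_true(value):
    return str(value).strip().lower() == "true"


def service_mode_allowed(cfg_text):
    """Administrator gate: true only when [docker] explicitly sets the key to true."""
    parser = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    # c-e.cfg has keys before the first section header; give them a dummy section.
    parser.read_string("[top-level]\n" + cfg_text)
    return _is_true(parser.get("docker", CFG_KEY, fallback="false"))


def plan_launch(cfg_text, env, run_as_user="nobody"):
    """Return the launch decisions the issue lists for a container request."""
    requested = _is_true(env.get(ENV_SERVICE, "false"))
    if requested and not service_mode_allowed(cfg_text):
        raise PermissionError(ENV_SERVICE + " requested but not allowed in c-e.cfg")
    args = ["docker", "run"]
    if not requested:
        # Default behaviour: propagate the run-as user and group into the container.
        args += ["--user", run_as_user, "--group-add=" + run_as_user]
    return {
        "service_mode": requested,
        "entrypoint_mode": requested or _is_true(env.get(ENV_OVERRIDE, "false")),
        "writable_log_mount": not requested,
        "docker_args": args,
    }


if __name__ == "__main__":
    print(plan_launch(ALLOWED_CFG, {ENV_SERVICE: "true"}))
    print(plan_launch(ALLOWED_CFG, {}))
```

In service mode the container runs as whatever user the image defines, so the administrator-side key is the control that decides whether a job may drop the `--user` restriction at all.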