[ 
https://issues.apache.org/jira/browse/YARN-5765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665443#comment-15665443
 ] 

Miklos Szegedi commented on YARN-5765:
--------------------------------------

Thank you, [~Naganarasimha] for the reply!
Just to finish this discussion before you resolve this bug.
"What I want to understand is what impact would it have if we do it always ? As 
we never run the container-executor.c binary with root user refer (set_user -> 
check_user) and would it be sufficient to reset the umask after mkdir ?"
I was more concerned about any future changes, who will just call mkdirs 
without knowing that it actually changes umask. Resetting the umask mitigates 
possible side effects. All in all, if the umask change is chosen, I think it is 
best to put it into create_container_directories.
"One more question is if we reset the umask after mkdir then will the container 
logs created will be accessible to the NM because of restrictive rights ? would 
be ideal to set default ACL for the folders created and reset the umask so that 
files created by the user under these directories have the rightful 
permissions?"
I think a more future-proof approach to default ACLs and umask could be a 
feature like the current bin/container-executor --checksetup, which, when 
specifying the user and root dir, tells the administrator if the user/dir has 
the right settings to run containers. It gives advice on what needs to be set 
if it does not. This has a different philosophy, I admit.
Does this answer your questions?



> LinuxContainerExecutor creates appcache and its subdirectories with wrong 
> group owner.
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-5765
>                 URL: https://issues.apache.org/jira/browse/YARN-5765
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Haibo Chen
>            Assignee: Naganarasimha G R
>            Priority: Blocker
>         Attachments: YARN-5765.001.patch
>
>
> LinuxContainerExecutor creates usercache/\{userId\}/appcache/\{appId\} with 
> wrong group owner, causing Log aggregation and ShuffleHandler to fail because 
> node manager process does not have permission to read the files under the 
> directory.
> This can be easily reproduced by enabling LCE and submitting a MR example job 
> as a user that does not belong to the same group that NM process belongs to. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
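
The umask reset discussed in the comment above, as an added example that is not part of the original message and is not Hadoop's container-executor.c code: a directory is created with an exact mode while the caller's umask is put back afterwards, and a file created later still gets the restrictive umask, which is the log-access concern raised in the second question. The helper names, the umask 077 and the mode 0750 are assumptions chosen for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* umask() can only be read by setting it, so set and put back. */
static mode_t current_umask(void) {
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Hypothetical helper (not Hadoop's mkdirs): exact mode, caller's umask restored. */
static int mkdir_exact_mode(const char *path, mode_t mode) {
    mode_t saved = umask(0);      /* returns the mask that was in effect */
    int rc = mkdir(path, mode);
    umask(saved);                 /* restored on success and on failure */
    return rc;
}

static mode_t perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

static int run_demo(mode_t *dir_mode, mode_t *file_mode, mode_t *mask_after) {
    char base[] = "/tmp/umask-demo-XXXXXX", dir[64], file[80];
    mode_t original = umask(077); /* constructed values: umask 077, dir mode 0750 */
    if (mkdtemp(base) == NULL) { umask(original); return -1; }
    snprintf(dir, sizeof dir, "%s/appcache", base);
    snprintf(file, sizeof file, "%s/container.log", dir);
    int rc = mkdir_exact_mode(dir, 0750);
    *mask_after = current_umask();            /* still 077: no side effect */
    int fd = open(file, O_CREAT | O_WRONLY, 0666);
    if (fd >= 0) close(fd);
    *dir_mode = perm_bits(dir);               /* 0750: umask was bypassed */
    *file_mode = perm_bits(file);             /* 0600: restored umask applies */
    unlink(file); rmdir(dir); rmdir(base);
    umask(original);
    return (rc == 0 && fd >= 0) ? 0 : -1;
}

int main(void) {
    mode_t d = 0, f = 0, m = 0;
    int rc = run_demo(&d, &f, &m);
    printf("rc=%d dir=%04o file=%04o umask=%04o\n", rc, (unsigned)d, (unsigned)f, (unsigned)m);
    return rc != 0;
}
```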
