[
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900256#comment-15900256
]
Sidharta Seethana commented on YARN-4266:
-----------------------------------------
Based on the discussions in this JIRA and on YARN-5360, it looks like all we
have are less than ideal choices. Like I mentioned on YARN-5360, using the uid
has readability issues and it still wouldn’t guarantee that an image would work
correctly. In my opinion, we shouldn’t be adding *more* requirements on images
- the whole objective of this jira was to remove a requirement where possible
({{--user}}). launch_container.sh already uses bash, ln, cp, chmod, ls, find.
To this list we are considering adding usermod, su, getent and so on. In
addition to this we are considering making (expensive) changes to a container
prior to launching the application process - usermod only changes the files in
a user’s home directory and even then we still have no way of predicting how
long this operation would take - making application (process) launch time
unpredictable. IMO, this is not the direction we should be going in.

In the interest of making some progress, perhaps we could add support for
optionally using {{--user=<uid>:<foo>}} (turned off by default). A subset of
images that wouldn’t otherwise work would be usable because of this change -
for example: images that don’t have the user being specified (say foo) but
would otherwise work with an arbitrary user (i.e. the values supplied in
{{--user=<uid_of_foo>:<gid_of_foo>}} don’t matter).

I might have said this on other JIRAs and I’ll repeat here: docker containers
and applications using them are just one category of workloads that are going
to be run on a production YARN cluster. While we would like to use as much of
the power and flexibility that docker provides, we have to do this with due
consideration given to existing YARN/hadoop paradigms - security model
(users/groups/permissions), localization, log aggregation and so on.
> Allow whitelisted users to disable user re-mapping/squashing when launching
> docker containers
> ---------------------------------------------------------------------------------------------
>
> Key: YARN-4266
> URL: https://issues.apache.org/jira/browse/YARN-4266
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: Zhankun Tang
> Attachments: YARN-4266.001.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify
> the user the container processes should run as. We use this mechanism today
> when launching docker containers. In non-secure mode, we run the docker
> container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in
> secure mode, as the submitting user. However, this mechanism breaks down with
> a large number of 'pre-created' images which don't necessarily have the users
> available within the image. Examples of such images include shared images
> that need to be used by multiple users. We need a way in which we can allow a
> pre-defined set of users to run containers based on existing images, without
> using the --user switch. There are some implications of disabling this user
> squashing that we'll need to work through: log aggregation, artifact
> deletion, etc.