[
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901562#comment-15901562
]
Eric Badger commented on YARN-4266:
-----------------------------------
[~sidharta-s], I agree with your assessment. I don't see this "--user"
workaround to be the longterm solution, especially if the goal is to allow
users to supply their own arbitrary, untrusted images. As others have
identified previously in this jira, I believe that the real solution is to use
[user namespace
remapping|https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine],
which was introduced in Docker 1.10. However, that requires a more updated
kernel (3.10) than I think most of us are on, especially in production.
So, until then I think that allowing an arbitrary UID:GID (or even user:group)
to enter the container will be sufficient (disabled by default, as you
suggested). Though I believe that containers working in this way are under the
big assumption that the image is trusted and well-crafted, which is necessary
until we figure out the user remapping issue, resolve security concerns, etc.
> Allow whitelisted users to disable user re-mapping/squashing when launching
> docker containers
> ---------------------------------------------------------------------------------------------
>
> Key: YARN-4266
> URL: https://issues.apache.org/jira/browse/YARN-4266
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: Zhankun Tang
> Attachments: YARN-4266.001.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify
> the user the container processes should run as. We use this mechanism today
> when launching docker containers . In non-secure mode, we run the docker
> container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in
> secure mode, as the submitting user. However, this mechanism breaks down with
> a large number of 'pre-created' images which don't necessarily have the users
> available within the image. Examples of such images include shared images
> that need to be used by multiple users. We need a way in which we can allow a
> pre-defined set of users to run containers based on existing images, without
> using the --user switch. There are some implications of disabling this user
> squashing that we'll need to work through : log aggregation, artifact
> deletion etc.,
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
