[
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16076756#comment-16076756
]
Eric Badger commented on YARN-4266:
-----------------------------------
[[email protected]], sorry for the delay. I've been sidetracked a little
bit. The patch that I have still has a few bugs, but I'd like to make sure that
we agree on the approach before I move forward with cleaning it up and posting
it here.
bq. The intent to YARN-5534 is provide a mount white list, so I believe that
should help here. The initial patch here could hard code the bind mount while
we test and provide feedback. Hopefully we can leverage YARN-5534 before this
is wrapped up.
Commented over on that jira. It would be good if we could get some traction
over there as it looks like that patch is pretty close to being done.
bq. I don't think this is a requirement for the initial version. We could do a
follow on effort to remove/reduce the need for the bind mounted socket for a
known list of AMs, assuming the behavior can be changed in those AMs.
This is true. I'm attempting to do my due diligence up front to see if there is
an avenue to get MRAppMaster to work without mounting /var/run/nscd. I've been
talking with [~daryn] offline who has done lots of work on UGI stuff and we're
looking into solutions. One solution that he suggested was going to back to our
original idea of doing the adduser/usermod hack during container startup. I
don't like this as much as it only allows you to put the one user in the
container and will fail any other user lookups. It also would never get
user/group updates which might be relevant for long-running containers. And on
top of that, it would be unnecessary in the face of bind-mounting
/var/run/nscd. However, it does get over the initial obstacle of not being able
to run without bind-mounting /var/run/nscd. Preferably, we can find a way to
make the --user switch work with MRAppMaster, but if not maybe this is the way
to go. Thoughts?
> Allow whitelisted users to disable user re-mapping/squashing when launching
> docker containers
> ---------------------------------------------------------------------------------------------
>
> Key: YARN-4266
> URL: https://issues.apache.org/jira/browse/YARN-4266
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: luhuichun
> Attachments: YARN-4266.001.patch, YARN-4266.001.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify
> the user the container processes should run as. We use this mechanism today
> when launching docker containers . In non-secure mode, we run the docker
> container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in
> secure mode, as the submitting user. However, this mechanism breaks down with
> a large number of 'pre-created' images which don't necessarily have the users
> available within the image. Examples of such images include shared images
> that need to be used by multiple users. We need a way in which we can allow a
> pre-defined set of users to run containers based on existing images, without
> using the --user switch. There are some implications of disabling this user
> squashing that we'll need to work through : log aggregation, artifact
> deletion etc.,
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
