[
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135750#comment-16135750
]
Eric Yang edited comment on YARN-4266 at 8/21/17 8:40 PM:
----------------------------------------------------------
[~ebadger] I think the idea is correct to use -u=$(id -u $(whoami)):$(id -g
$(whoami)) to evaluate the running user inside container. Could you provide an
updated patch that fixes the style check?
The proposal by Eric Badger is the right approach to manage process owner
inside container. However, the proposed change doesn't seem to be related to
title of this JIRA.
was (Author: eyang):
[~ebadger] I think the idea is correct to use -u=$(id -u $(whoami)):$(id -g
$(whoami)) to evaluate the running user inside container. Could you provide an
updated patch that fixes the style check?
> Allow whitelisted users to disable user re-mapping/squashing when launching
> docker containers
> ---------------------------------------------------------------------------------------------
>
> Key: YARN-4266
> URL: https://issues.apache.org/jira/browse/YARN-4266
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: luhuichun
> Attachments: YARN-4266.001.patch, YARN-4266.001.patch,
> YARN-4266.002.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify
> the user the container processes should run as. We use this mechanism today
> when launching docker containers . In non-secure mode, we run the docker
> container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in
> secure mode, as the submitting user. However, this mechanism breaks down with
> a large number of 'pre-created' images which don't necessarily have the users
> available within the image. Examples of such images include shared images
> that need to be used by multiple users. We need a way in which we can allow a
> pre-defined set of users to run containers based on existing images, without
> using the --user switch. There are some implications of disabling this user
> squashing that we'll need to work through : log aggregation, artifact
> deletion etc.,
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
