[ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16170762#comment-16170762 ]
Jason Lowe commented on YARN-4266:
----------------------------------
Apologies for arriving late on this. Comments on the 003 patch:

These comments don't match the code:
{code}
/** Set user remapping lower uid limit to 1000 by default */
public static final int DEFAULT_NM_DOCKER_USER_REMAPPING_UID_THRESHOLD = 1;
[...]
/** Set user remapping lower gid limit to 100 by default */
public static final int DEFAULT_NM_DOCKER_USER_REMAPPING_GID_THRESHOLD = 1;
{code}
Should we handle ExitCodeException or other types of exceptions that might
happen (e.g.: "no such user" type of errors) explicitly when running the {{id}}
command so we can provide a better debug experience, or is the exception
message enough info to debug issues?

Also I found it odd that getUserIdInfo and getGroupIdInfo take a parameter for
the {{id}} command but these methods are highly dependent upon the "right"
parameter being passed in order to function properly. They are each only
called in one place, and IMHO there's no reason to make this parameterized
given the parsing code _needs_ the corresponding parameter to be correct. We
should just remove the parameter and have it passed directly.

> Allow users to enter containers as UID:GID pair instead of by username
> ----------------------------------------------------------------------
>
> Key: YARN-4266
> URL: https://issues.apache.org/jira/browse/YARN-4266
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: luhuichun
> Attachments: YARN-4266.001.patch, YARN-4266.001.patch,
> YARN-4266.002.patch, YARN-4266.003.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify
> the user the container processes should run as. We use this mechanism today
> when launching docker containers. In non-secure mode, we run the docker
> container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in
> secure mode, as the submitting user. However, this mechanism breaks down with
> a large number of 'pre-created' images which don't necessarily have the users
> available within the image. Examples of such images include shared images
> that need to be used by multiple users. We need a way in which we can allow a
> pre-defined set of users to run containers based on existing images, without
> using the --user switch. There are some implications of disabling this user
> squashing that we'll need to work through: log aggregation, artifact
> deletion, etc.
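
The review points in Jason Lowe's comment, as an added example (not code from the YARN-4266 patch): each lookup method fixes its own `id` flag, and a non-zero exit from `id` is turned into an explicit error that carries the tool's message. The class, method and constant names, the limit values (taken from the quoted javadoc rather than the quoted constants), the reject-below-limit policy and the use of Java 9+ `readAllBytes` are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
/** Added illustration: all names are hypothetical; limits follow the quoted javadoc (assumed). */
public class IdLookup {
  static final long UID_THRESHOLD = 1000, GID_THRESHOLD = 100;

  /** Runs "id <flag> <user>"; a non-zero exit (e.g. unknown user) becomes an explicit error. */
  private static String runId(String flag, String user) throws IOException, InterruptedException {
    Process p = new ProcessBuilder("id", flag, user).redirectErrorStream(true).start();
    String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim();
    if (p.waitFor() != 0) { // stderr is merged into out, so the tool's own message is reported
      throw new IOException("'id " + flag + " " + user + "' failed: " + out);
    }
    return out;
  }

  /** Parses one numeric id and rejects values below the lower limit. */
  private static long checked(String text, long limit, String what) throws IOException {
    try {
      long id = Long.parseLong(text);
      if (id < limit) {
        throw new IOException(what + " " + id + " is below the lower limit " + limit);
      }
      return id;
    } catch (NumberFormatException e) {
      throw new IOException("Unexpected id output for " + what + ": '" + text + "'", e);
    }
  }

  /** The flag is fixed here because the parsing only fits "id -u" output. */
  static long uidOf(String user) throws IOException, InterruptedException {
    return checked(runId("-u", user), UID_THRESHOLD, "uid of " + user);
  }

  /** "id -G" prints every group id on one line, separated by spaces. */
  static long[] gidsOf(String user) throws IOException, InterruptedException {
    String[] parts = runId("-G", user).split("\\s+");
    long[] gids = new long[parts.length];
    for (int i = 0; i < parts.length; i++) {
      gids[i] = checked(parts[i], GID_THRESHOLD, "gid of " + user);
    }
    return gids;
  }

  public static void main(String[] args) throws Exception {
    String user = args.length > 0 ? args[0] : System.getProperty("user.name");
    System.out.println(uidOf(user) + ":" + Arrays.toString(gidsOf(user)));
  }
}
```

With these assumed limits, a user who belongs to any group numbered below 100 is rejected even when the uid itself passes.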