[jira] [Comment Edited] (YARN-7430) User and Group mapping are incorrect in docker container

Tue, 07 Nov 2017 13:24:15 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242862#comment-16242862
 ] 

Shane Kumpf edited comment on YARN-7430 at 11/7/17 9:07 PM:
------------------------------------------------------------

{quote}
Privileged container does not need to have --user flag. They are contradiction 
to each other in general. 
{quote}
Hey [~eyang], I'm not sure that's the case. Without the user related flag, 
privileged or not, the process in the container will run as whatever user was 
specified in the image. This leads to permission denied related issues with the 
localized resources and launch scripts.


was (Author: [email protected]):
{quote}
Privileged container does not need to have --user flag. They are contradiction 
to each other in general. 
{quote}
Hey [~eyang], I'm not sure that's the case. Without the user related the flag, 
privileged or not, the process in the container will run as whatever user was 
specified in the image. This leads to permission denied related issues with the 
localized resources and launch scripts.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user.  In YARN-6623, this translated 
> to --user=test --group-add=group1.  The code no longer enforce group 
> correctly for launched process.  
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in container to translate username and group to uid/gid. 
>  For users on LDAP, there is no good way to populate container with user and 
> group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to