[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244498#comment-16244498
]
Shane Kumpf commented on YARN-7430:
-----------------------------------
I still believe there will be an issue if we do not specify --user. This causes
problems for launching the container. Please try running distributed shell or
similar using the Dockerfile I provided with --user removed, and you will see
the behavior, the container will fail to launch.
IIUC, {{\-\-privileged}} == {{\-\-user=root}} (or {{--user=0:0}}) in your view,
correct? If so, doing that would satisfy the condition here if we set the user
to root for privileged containers. I see some cases where that isn't necessary
and I'm unsure how it might impact log aggregation, but I think it could work.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforce group
> correctly for launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate container with user and
> group information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
