[ 
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244787#comment-16244787
 ] 

Eric Yang commented on YARN-7430:
---------------------------------

[~shaneku...@gmail.com] {quote}
I still believe there will be an issue if we do not specify --user. This causes 
problems for launching the container. Please try running distributed shell or 
similar using the Dockerfile I provided with --user removed, and you will see 
the behavior, the container will fail to launch.
{quote}

Container fails for the right reason.  User foo should not be allowed to execute a 
script owned by skumpf, unless skumpf granted permission to run the script.

{quote}
IIUC, --privileged == --user=root (or --user=0:0) in your view, correct? If so, 
doing that would satisfy the condition here if we set the user to root for 
privileged containers. I see some cases where that isn't necessary and I'm 
unsure how it might impact log aggregation, but I think it could work.
{quote}

{{\-\-user=0:0}} does not mean privileged.  It means the entry point is granted 
pseudo root privileges inside the container.  There is no guarantee that any 
capability at the host layer is granted.  The {{\-\-privileged}} flag gives all 
capabilities to the container, and it also lifts all the limitations enforced 
by the device cgroup controller. In other words, the container can then do 
almost everything that the host can do. This flag exists to allow special 
use-cases, like running Docker within Docker.  {{\-\-privileged}} is more 
destructive than pseudo root and should be handled carefully.  System admins 
usually do not allow a user with sudo privileges to change resource 
utilization, hence I haven't seen a valid reason to apply the {{\-\-user}} flag to 
{{\-\-privileged}} containers.
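To make the distinction in the comment above concrete, here is an added example (not code from this issue, from Hadoop YARN, or from Docker) that decodes the capability masks a process reports in {{/proc/self/status}} and inspects the {{devices.list}} of its device cgroup. Both samples are constructed: the first reflects a uid 0 process under Docker's default capability set (CapEff {{00000000a80425fb}}, the well-known default for a non-privileged container), the second a {{\-\-privileged}} container where every capability is present and the device cgroup allows all devices. The helper names ({{parse_status}}, {{decode_caps}}, {{assess}}) are mine, not anything YARN or Docker exposes.

```python
import re

# Linux capability names indexed by bit number, as in linux/capability.h
# (assumed complete up to CAP_AUDIT_READ, bit 37; newer kernels add more).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Constructed sample: root shell inside `docker run --user=0:0 ...` with
# Docker's default capability bounding set (no --privileged).
USER_ROOT_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
# Constructed sample: the devices cgroup whitelist Docker applies by default
# (null, zero, full, random, urandom, tty, console, ptys).
USER_ROOT_DEVICES = (
    "c 1:3 rwm\nc 1:5 rwm\nc 1:7 rwm\nc 1:8 rwm\n"
    "c 1:9 rwm\nc 5:0 rwm\nc 5:1 rwm\nc 136:* rwm\n"
)

# Constructed sample: the same root shell under `docker run --privileged`.
PRIVILEGED_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)
PRIVILEGED_DEVICES = "a *:* rwm\n"


def parse_status(text):
    """Parse the key/value lines of a /proc/<pid>/status dump into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask_hex):
    """Return the set of capability names whose bit is set in a hex mask."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


def missing_caps(mask_hex):
    """Capabilities a real host root would have but this mask lacks."""
    return set(CAP_NAMES) - decode_caps(mask_hex)


def device_cgroup_is_open(devices_list):
    """True when the devices cgroup allows every device, as --privileged does."""
    return any(re.fullmatch(r"a\s+\*:\*\s+rwm", l.strip()) for l in devices_list.splitlines())


def assess(status_text, devices_list):
    """Summarise how close 'root in this container' is to root on the host."""
    fields = parse_status(status_text)
    uid = int(fields["Uid"].split()[0])
    eff = decode_caps(fields["CapEff"])
    return {
        "uid": uid,
        "effective_caps": len(eff),
        "can_mount": "CAP_SYS_ADMIN" in eff,      # mount(2), many namespace ops
        "can_raw_io": "CAP_SYS_RAWIO" in eff,     # raw disk / port access
        "can_load_modules": "CAP_SYS_MODULE" in eff,
        "all_devices": device_cgroup_is_open(devices_list),
        # Only a privileged container gets both: full caps and no device limits.
        "host_level_root": eff == set(CAP_NAMES) and device_cgroup_is_open(devices_list),
    }


if __name__ == "__main__":
    for label, status, devs in (("--user=0:0", USER_ROOT_STATUS, USER_ROOT_DEVICES),
                                ("--privileged", PRIVILEGED_STATUS, PRIVILEGED_DEVICES)):
        print(label, assess(status, devs))
```

Run against a real container with {{cat /proc/self/status}} and {{cat /sys/fs/cgroup/devices/devices.list}} (cgroup v1) to replace the constructed samples; uid 0 with the default mask decodes to 14 capabilities and still lacks CAP_SYS_ADMIN, CAP_SYS_RAWIO and CAP_SYS_MODULE, which is exactly the "pseudo root" the comment describes.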

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user.  In YARN-6623, this translated 
> to --user=test --group-add=group1.  The code no longer enforces group 
> correctly for the launched process.  
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in the container to translate username and group to uid/gid. 
> For users on LDAP, there is no good way to populate the container with user and 
> group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org