[ 
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16245139#comment-16245139
 ] 

Eric Badger edited comment on YARN-7430 at 11/9/17 3:03 AM:
------------------------------------------------------------

[~eyang], if the application is running as root inside of the container then 
all of the logs that it writes as part of that application (syslog, stderr, 
stdout) will be owned by root. When the NM tries to aggregate them, it won't 
have permission. It also won't be able to delete them. So log aggregation will 
fail. Other than the fact that log aggregation failing is bad, this will 
eventually cause the disks to fill up. 


was (Author: ebadger):
[~aceric], if the application is running as root inside of the container then 
all of the logs that it writes as part of that application (syslog, stderr, 
stdout) will be owned by root. When the NM tries to aggregate them, it won't 
have permission. It also won't be able to delete them. So log aggregation will 
fail. Other than the fact that log aggregation failing is bad, this will 
eventually cause the disks to fill up. 

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user. In YARN-6623, this translated 
> to --user=test --group-add=group1. The code no longer enforces group 
> correctly for launched process. 
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in container to translate username and group to uid/gid. 
> For users on LDAP, there is no good way to populate container with user and 
> group information. 
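
The numeric -u [uid]:[gid] form mentioned in the issue description can be computed on the host, so the container needs no passwd or group entries of its own. The following is an added example, not code from YARN or from the attached patch; the function names, the constructed passwd/group sample text, and the policy of refusing uid 0 (motivated by the log aggregation failure described in the comment above) are assumptions.

```python
# Added example. PASSWD and GROUP are constructed sample data in the
# passwd(5)/group(5) format that `getent passwd` / `getent group` print.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001:Test User:/home/test:/bin/bash
"""
GROUP = """\
root:x:0:
test:x:1001:
group1:x:2001:test,alice
group2:x:2002:alice
"""


def parse_passwd(text):
    """Return {username: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Return {gid: set(member names)}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            groups[int(fields[2])] = {m for m in fields[3].split(",") if m}
    return groups


def docker_user_args(user, passwd_text=PASSWD, group_text=GROUP):
    """Build numeric --user/--group-add arguments for `docker run`."""
    users = parse_passwd(passwd_text)
    if user not in users:
        raise KeyError(f"unknown user: {user}")
    uid, gid = users[user]
    if uid == 0:
        # Assumed policy: root-owned logs cannot be aggregated or deleted by the NM.
        raise PermissionError("refusing to launch container as uid 0")
    args = ["--user", f"{uid}:{gid}"]
    for extra in sorted(g for g, members in parse_group(group_text).items()
                        if user in members and g != gid):
        args += ["--group-add", str(extra)]
    return args
```
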


