[ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16246038#comment-16246038 ]

Eric Yang commented on YARN-7430:
---------------------------------

[~ebadger] My understanding is that the container's stderr and stdout are 
aggregated using sockets.  It depends on what is on the receiving end.  If the 
receiving end is a log4j appender from the parent process, there is no 
permission problem for YARN to read the files.  In addition, systemd-enabled 
systems don't have traditional syslog.  The logs are managed by the systemd 
daemon and output to stdout and stderr of the container.  Hence, YARN's 
standard log aggregation practice works well without additional log 
aggregation.  The only logging that should be in place is capturing output 
from ENTRY_POINT; other processes in the container could be fairly random.  We 
don't need to spend effort on the random stuff, and can let developers decide 
if they want to stream it directly to HDFS via the NFS gateway.  There 
shouldn't be a permission issue if we wire stderr and stdout correctly from 
docker to the container log.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user.  In YARN-6623, this translated 
> to --user=test --group-add=group1.  The code no longer enforces group 
> correctly for the launched process.  
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in the container to translate username and group to 
> uid/gid.  For users on LDAP, there is no good way to populate the container 
> with user and group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
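
The numeric `-u [uid]:[gid]` form from the issue description, as an added example (not code from this thread or from YARN-7430.001.patch): the account is resolved on the host, so the container needs no passwd, group or LDAP data. The function name `docker_user_args` and the sample account `root` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not YARN code. Resolve the account on the host (local
# files, LDAP, or whatever the host's name service uses) and hand docker
# numeric ids only, so nothing has to be looked up inside the container.

# docker_user_args USER
# Prints: --user=UID:GID [--group-add=GID ...]
docker_user_args() {
    user=$1
    # Refuse empty names, option-like names and unexpected characters before
    # the value is used on a command line.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "invalid user name" >&2
            return 2 ;;
    esac
    # id(1) resolves through the host's name service.
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "unknown user: $user" >&2
        return 1
    }
    gid=$(id -g "$user") || return 1
    args="--user=${uid}:${gid}"
    # Supplementary groups are passed by number too; the primary gid is
    # already carried by --user.
    for g in $(id -G "$user"); do
        [ "$g" = "$gid" ] && continue
        args="$args --group-add=$g"
    done
    printf '%s\n' "$args"
}

# Constructed demo call; intended use is along the lines of:
#   docker run $(docker_user_args alice) IMAGE ...
docker_user_args "${1:-root}"
```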