[ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247903#comment-16247903 ]
Eric Badger commented on YARN-7430:
-----------------------------------
bq. Eric Badger My understanding is the container stderr, stdout are aggregated
using sockets.
I don't believe that is true? I'm referring to YARN containers, not docker
containers in this case. YARN tasks will write their logs to the directory
specified by {{yarn.nodemanager.log-dirs}}. These are directories that we bind
mount into the docker container so that we can write the logs. If the user
inside of the docker container is root, then it will write these log files as
root. Then when the node manager attempts to do log aggregation, it will fail.
The directories won't be accessible and so it won't be able to upload the logs
to HDFS. Then it will also fail to delete them, causing disks to fill up.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforces the group
> correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in the container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate the container with user and
> group information.
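A check for the failure mode described in the comment above, written as an added example that is not part of the original message or of Hadoop: it walks a directory listed in {{yarn.nodemanager.log-dirs}} and reports log files the NodeManager user could not read for aggregation or could not delete afterwards. The function name `audit_log_dir` and its parameters are hypothetical; it assumes the caller passes the NodeManager user's uid and group ids and runs as a user able to traverse the tree.

```python
import os
import stat
import sys


def _allowed(st, uid, gids, want):
    """True if uid/gids hold every bit in `want` (r=4, w=2, x=1) on st."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def audit_log_dir(log_dir, nm_uid, nm_gids):
    """Return [(path, owner_uid, reasons)] for files the NM user cannot handle.

    Simplification (assumption): only plain mode bits are evaluated; ACLs and
    the sticky bit are ignored.
    """
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        # Deleting a file needs write+execute on its parent directory.
        can_unlink = _allowed(os.lstat(root), nm_uid, nm_gids, 0o3)
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if not _allowed(st, nm_uid, nm_gids, 0o4):
                reasons.append("unreadable")   # log aggregation would fail
            if not can_unlink:
                reasons.append("undeletable")  # cleanup fails, disk fills up
            if st.st_uid == 0 and nm_uid != 0:
                reasons.append("root-owned")   # written by root in a container
            if reasons:
                findings.append((path, st.st_uid, reasons))
    return findings


if __name__ == "__main__":
    # Usage: script.py <log-dir> <nm-uid> [nm-gid ...]
    gids = {int(g) for g in sys.argv[3:]}
    for path, owner, why in audit_log_dir(sys.argv[1], int(sys.argv[2]), gids):
        print(f"{path} owner={owner} {','.join(why)}")
```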