[
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347382#comment-16347382
]
Shane Kumpf commented on YARN-7446:
-----------------------------------
Thanks for the explanation. I do agree that this model would require an extra
step to get to root, which I'm not sure is a bad thing per se. "To grant root
power or not to grant" is well put. :)
One benefit of setting --user is that in "yarn-mode" logging and localization
will just work. Of course, it does work with root as well, but that impacts
clean up and log aggregation. Which begs the question, should --privileged
disable/change what mounts are allowed since the root user can write files that
can't be cleaned up? My vote would be no, as I believe it is too restrictive. I
would vote we explore letting the NM clean up those files regardless as
containers running as root will be needed.
If we are going to flat out say that --privileged containers should always run
as root, then we still need to set --user, but hard coded to 0:0. Otherwise,
the running user is left up to the image. Here is an example that shows you
aren't guaranteed to run as root by just removing --user
Dockerfile
{code:java}
FROM centos
RUN useradd http
USER http
CMD touch /tmp/file && ls -la /tmp/file{code}
Note that the USER directive is specified in the image.
No user:
{code:java}
[root@y7001 docker_image_user]# docker run usertest
-rw-r--r--. 1 http http 0 Jan 31 18:35 /tmp/file{code}
User set to root:
{code:java}
[root@y7001 docker_image_user]# docker run -u 0:0 --group-add 0 usertest
-rw-r--r--. 1 root root 0 Jan 31 18:46 /tmp/file{code}
> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
> Key: YARN-7446
> URL: https://issues.apache.org/jira/browse/YARN-7446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7446.001.patch
>
>
> In the current implementation, when privileged=true, --user flag is also
> passed to docker for launching container. In reality, the container has no
> way to use root privileges unless there is sticky bit or sudoers in the image
> for the specified user to gain privileges again. To avoid duplication of
> dropping and reacquire root privileges, we can reduce the duplication of
> specifying both flag. When privileged mode is enabled, --user flag should be
> omitted. When non-privileged mode is enabled, --user flag is supplied.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
