[ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347382#comment-16347382 ]
Shane Kumpf commented on YARN-7446: ----------------------------------- Thanks for the explanation. I do agree that this model would require an extra step to get to root, which I'm not sure is a bad thing per se. "To grant root power or not to grant" is well put. :) One benefit of setting --user is that in "yarn-mode" logging and localization will just work. Of course, it does work with root as well, but that impacts clean up and log aggregation. Which begs the question, should --privileged disable/change what mounts are allowed since the root user can write files that can't be cleaned up? My vote would be no, as I believe it is too restrictive. I would vote we explore letting the NM clean up those files regardless as containers running as root will be needed. If we are going to flat out say that --privileged containers should always run as root, then we still need to set --user, but hard coded to 0:0. Otherwise, the running user is left up to the image. Here is an example that shows you aren't guaranteed to run as root by just removing --user Dockerfile {code:java} FROM centos RUN useradd http USER http CMD touch /tmp/file && ls -la /tmp/file{code} Note that the USER directive is specified in the image. No user: {code:java} [root@y7001 docker_image_user]# docker run usertest -rw-r--r--. 1 http http 0 Jan 31 18:35 /tmp/file{code} User set to root: {code:java} [root@y7001 docker_image_user]# docker run -u 0:0 --group-add 0 usertest -rw-r--r--. 1 root root 0 Jan 31 18:46 /tmp/file{code} > Docker container privileged mode and --user flag contradict each other > ---------------------------------------------------------------------- > > Key: YARN-7446 > URL: https://issues.apache.org/jira/browse/YARN-7446 > Project: Hadoop YARN > Issue Type: Sub-task > Affects Versions: 3.0.0 > Reporter: Eric Yang > Assignee: Eric Yang > Priority: Major > Attachments: YARN-7446.001.patch > > > In the current implementation, when privileged=true, --user flag is also > passed to docker for launching container. In reality, the container has no > way to use root privileges unless there is sticky bit or sudoers in the image > for the specified user to gain privileges again. To avoid duplication of > dropping and reacquire root privileges, we can reduce the duplication of > specifying both flag. When privileged mode is enabled, --user flag should be > omitted. When non-privileged mode is enabled, --user flag is supplied. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org