[
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16349008#comment-16349008
]
Eric Yang commented on YARN-7446:
---------------------------------
[[email protected]] It would be better to leave --user 0:0 out for a few
reasons.

1. If a privileged user uses --privileged and the docker container has a
defined service user (i.e. Hive), then removing --user 0:0 allows a system
administrator, such as Eric, to have "sudo"-like behavior on the YARN cluster
(given that the sudoers check happens in YARN-7221). Although the hive user is
dropped to normal privileges, this provides a sudo-like mechanism in a secure
manner for trusted docker images in YARN-7516.
2. If a privileged user makes the mistake of running the --privileged flag
with a normal user container image, he will have the ability to discover his
mistake.
3. If the image does not have a predefined user, then full root capability is
given.

With the changes in YARN-7446, YARN-7221, and YARN-7516, these three JIRAs
provide system administrators a way to run authorized executables on the
system with privileges in docker images. This is the same concept as a sudoers
list to authorize users to run authorized binaries. The changes are to help
the system be compliant with Linux security. I think it is better to avoid
hard-coding --user 0:0 to make sure the #1 and #2 corner cases are properly
supported.

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
> Key: YARN-7446
> URL: https://issues.apache.org/jira/browse/YARN-7446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7446.001.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also
> passed to docker for launching the container. In reality, the container has
> no way to use root privileges unless there is a sticky bit or sudoers in the
> image for the specified user to gain privileges again. To avoid duplication
> of dropping and reacquiring root privileges, we can reduce the duplication of
> specifying both flags. When privileged mode is enabled, the --user flag
> should be omitted. When non-privileged mode is enabled, the --user flag is
> supplied.