[ 
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362853#comment-16362853
 ] 

Eric Badger commented on YARN-7446:
-----------------------------------

I don't see how that adds up though. The user is root, so they have all the 
privileges they need. If we're assuming that they need to be in a certain 
group, then how can we assume that they don't need the primary group? Is there 
a reason that they should have the additional groups but not the primary group? 
I think the answer is that if they need one, they need all. So we can either 
give them all or not give them any to be consistent.

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch, YARN-7446.002.patch
>
>
> In the current implementation, when privileged=true, --user flag is also 
> passed to docker for launching container.  In reality, the container has no 
> way to use root privileges unless there is sticky bit or sudoers in the image 
> for the specified user to gain privileges again.  To avoid duplication of 
> dropping and reacquire root privileges, we can reduce the duplication of 
> specifying both flag.  When privileged mode is enabled, --user flag should be 
> omitted.  When non-privileged mode is enabled, --user flag is supplied.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to