[
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16372112#comment-16372112
]
Eric Yang commented on YARN-7446:
---------------------------------
YARN-7654 will change the launcher script invocation to be external of docker
container instead of running launcher script inside docker container. Until
that work is completed, it is not safe to run privileged container because data
written to yarn localizer directory might contain root user files. This will
prevent localized directory from clean up. YARN-7654 might not be completed in
3.1 release. Hence, removing this JIAR as blocker for 3.1 release.
> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
> Key: YARN-7446
> URL: https://issues.apache.org/jira/browse/YARN-7446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7446.001.patch, YARN-7446.002.patch,
> YARN-7446.003.patch
>
>
> In the current implementation, when privileged=true, --user flag is also
> passed to docker for launching container. In reality, the container has no
> way to use root privileges unless there is sticky bit or sudoers in the image
> for the specified user to gain privileges again. To avoid duplication of
> dropping and reacquire root privileges, we can reduce the duplication of
> specifying both flag. When privileged mode is enabled, --user flag should be
> omitted. When non-privileged mode is enabled, --user flag is supplied.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
