[
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16377036#comment-16377036
]
Eric Badger commented on YARN-7446:
-----------------------------------
bq. I can't move the free to end of the function for both free statements in
this patch because there are other return conditions that could happen before
end of the function.
I suppose that's true. Some functions use a label for freeing all of the
allocated memory and some explicitly free each item before return. The
{{get_docker_run_command()}} function is pretty inconsistent here since it has
multiple places where it returns and doesn't free anything. This should
probably be fixed, but is outside of the scope of this JIRA.
+1 (non-binding) on the latest patch
> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
> Key: YARN-7446
> URL: https://issues.apache.org/jira/browse/YARN-7446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7446.001.patch, YARN-7446.002.patch,
> YARN-7446.003.patch, YARN-7446.004.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also
> passed to docker for launching the container. In reality, the container has no
> way to use root privileges unless there is a sticky bit or sudoers in the image
> for the specified user to gain privileges again. To avoid duplication of
> dropping and reacquiring root privileges, we can reduce the duplication of
> specifying both flags. When privileged mode is enabled, the --user flag should be
> omitted. When non-privileged mode is enabled, the --user flag is supplied.
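The two points in this thread, as an added example that is not part of the original message and not Hadoop's code: the flag rule from the issue description (omit --user when privileged, supply it otherwise) combined with the single cleanup label mentioned in the comment, so that no early return leaks memory. The function name {{build_run_command()}}, the user allow-list and the sample values are assumptions for illustration, and the image name is assumed to be validated elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper for illustration; NOT container-executor's
 * get_docker_run_command(). Returns a heap string the caller frees,
 * or NULL on any error. */
char *build_run_command(const char *user, const char *image, int privileged) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-:";
    const char *arg = "--privileged";   /* privileged: --user is omitted */
    char *user_flag = NULL, *cmd = NULL, *result = NULL;
    size_t len;

    if (image == NULL || image[0] == '\0')
        goto cleanup;

    if (!privileged) {                   /* non-privileged: --user required */
        if (user == NULL || user[0] == '\0' || user[strspn(user, ok)] != '\0')
            goto cleanup;                /* assumed allow-list for the sketch */
        len = strlen("--user=") + strlen(user) + 1;
        user_flag = malloc(len);
        if (user_flag == NULL)
            goto cleanup;
        snprintf(user_flag, len, "--user=%s", user);
        arg = user_flag;
    }

    len = strlen("docker run ") + strlen(arg) + 1 + strlen(image) + 1;
    cmd = malloc(len);
    if (cmd == NULL)
        goto cleanup;                    /* user_flag is still released below */
    snprintf(cmd, len, "docker run %s %s", arg, image);

    result = cmd;                        /* hand ownership to the caller */
    cmd = NULL;

cleanup:                                 /* single exit: free(NULL) is a no-op */
    free(user_flag);
    free(cmd);
    return result;
}

int main(void) {
    char *c = build_run_command("nobody", "centos:7", 0); /* constructed input */
    if (c != NULL) { puts(c); free(c); }
    return 0;
}
```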