[
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379403#comment-16379403
]
Billie Rinaldi commented on YARN-7446:
--------------------------------------
I am +1 for patch 004. I am thinking of committing this to trunk and then
marking YARN-7654 as a blocker for 3.2.0. After this patch is applied, there is
an issue with images that have a USER command specified in their Dockerfile. If
you try to run privileged containers for these images, the container will fail
because the user won't have permission to execute the launch_container.sh
script. This should no longer be an issue once we move away from having a
launch script for Docker containers.
> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
> Key: YARN-7446
> URL: https://issues.apache.org/jira/browse/YARN-7446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7446.001.patch, YARN-7446.002.patch,
> YARN-7446.003.patch, YARN-7446.004.patch
>
>
> In the current implementation, when privileged=true, --user flag is also
> passed to docker for launching container. In reality, the container has no
> way to use root privileges unless there is sticky bit or sudoers in the image
> for the specified user to gain privileges again. To avoid duplication of
> dropping and reacquire root privileges, we can reduce the duplication of
> specifying both flag. When privileged mode is enabled, --user flag should be
> omitted. When non-privileged mode is enabled, --user flag is supplied.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
