[ 
https://issues.apache.org/jira/browse/YARN-8241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461706#comment-16461706
 ] 

Eric Yang commented on YARN-8241:
---------------------------------

There are two possible solutions for this problem:

Option 1) Automatically detect existence of sssd or nscd socket, and bind-mount 
the socket into container.

*Pros*
 Simple to implement. [Online tutorial|https://jhrozek.wordpress.com/2015/03/31/authenticating-a-docker-container-against-hosts-unix-accounts/] covers how to do this.
*Cons*
 The image must be built with sssd client or nscd libraries for pam to work in 
addition to Kerberos setup.

Option 2) Fix UserGroupInformation logic to map to Kerberos subject principal 
name instead of Unix Principal name. This will allow high level java code to 
work without username and group name.

*Pros*
 Less dependencies. Krb5.conf and keytab are the only requirements for this to work.
*Cons*
 Works for Hadoop related java code, does not work with non-Hadoop workload.

> MRAppMaster fails when using UID:GID pair within docker container
> -----------------------------------------------------------------
>
>                 Key: YARN-8241
>                 URL: https://issues.apache.org/jira/browse/YARN-8241
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Priority: Major
>              Labels: Docker
>
> As mentioned in [this comment|https://issues.apache.org/jira/browse/YARN-4266?focusedCommentId=16063931&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16063931],
> the MRAppMaster fails for docker containers if there is no additional user 
> lookup strategy (e.g. bind-mounting /var/run/nscd or /etc/passwd). We need a 
> better solution so that users can still run even if they are not known inside 
> of the container by name


