[ https://issues.apache.org/jira/browse/YARN-9117?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Yang updated YARN-9117:
----------------------------
    Description: If YARN is configured with yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user to restrict YARN workload to run as a specific user only, container shell does not support this configuration because the workdir directory is owned by local-user. The container shell is intended to launch a bash process owned by the application owner. When bash process owner and current working directory are mismatched, the child process will terminate immediately due to no permission to WORKDIR. It is probably best to report this configuration as not supported rather than allowing application owner to gain all privileges of local-user.

  (was: If YARN is configured with yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user to restrict YARN workload to run as a specific user only, container shell does not support this configuration because the workdir directory is owned by local-user. The container shell is intended to launch a bash process owned by the application owner. When bash process owner and current working directory are mismatched, the child process will terminate immediately. It is probably best to report this configuration as not supported rather than allowing application owner to gain all privileges of local-user.)

> Container shell does not work when using yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user is set
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-9117
>                 URL: https://issues.apache.org/jira/browse/YARN-9117
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>   Affects Versions: 3.3.0
>            Reporter: Eric Yang
>            Priority: Major
>
> If YARN is configured with
> yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user to
> restrict YARN workload to run as a specific user only, container shell does
> not support this configuration because the workdir directory is owned by
> local-user. The container shell is intended to launch a bash process owned
> by the application owner. When bash process owner and current working
> directory are mismatched, the child process will terminate immediately due
> to no permission to WORKDIR. It is probably best to report this
> configuration as not supported rather than allowing application owner to gain
> all privileges of local-user.