[ 
https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942423#comment-16942423
 ] 

Eric Yang commented on YARN-9860:
---------------------------------

Patch 002 uses System.getenv("USER") to determine the current running user.
This may grab the
yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user, which is
different from the user that stores files in the public resource directory.

{code}
@@ -1640,12 +1675,14 @@ int get_docker_run_command(const char *command_file, 
const struct configuration
   privileged = get_configuration_value("privileged", 
DOCKER_COMMAND_FILE_SECTION, &command_config);
 
   if (privileged == NULL || strcmp(privileged, "false") == 0) {
-    char *user_buffer = make_string("--user=%s", user);
-    ret = add_to_args(args, user_buffer);
-    free(user_buffer);
-    if (ret != 0) {
-      ret = BUFFER_TOO_SMALL;
-      goto free_and_exit;
+    if (service_mode_enabled != 0) {
+      char *user_buffer = make_string("--user=%s", user);
+      ret = add_to_args(args, user_buffer);
+      free(user_buffer);
+      if (ret != 0) {
+        ret = BUFFER_TOO_SMALL;
+        goto free_and_exit;
+      }
     }
     no_new_privileges_enabled =
         get_configuration_value("docker.no-new-privileges.enabled",
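Review bot: the new condition `if (service_mode_enabled != 0)` looks inverted relative to the issue description, which says that in service mode "User and groups will not be propagated" (docker run without `--user`); as written, `--user=%s` is added only when service mode is enabled and dropped for every other non-privileged container, which changes existing behaviour for all current users. If the intent is to skip user propagation in service mode, the guard should be `if (service_mode_enabled == 0)`, and a short comment above it stating why the user flag is omitted in service mode would make the security implication explicit. The description also says `--group-add` is no longer passed in service mode; nothing in this hunk covers the group argument, so please confirm it is handled by the same condition elsewhere.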
@@ -1725,9 +1762,11 @@ int get_docker_run_command(const char *command_file, 
const struct configuration
     goto free_and_exit;
   }
{code}

I don't understand the reason to add --user= parameter only when service mode 
is enabled.  Need more clarity on what service mode is, and what it tries to do 
with enabling application visibility.  Is service mode trying to get a root 
like container without giving actual root access?

> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
>                 Key: YARN-9860
>                 URL: https://issues.apache.org/jira/browse/YARN-9860
>             Project: Hadoop YARN
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: YARN-9860-001.patch, YARN-9860-002.patch
>
>
> This task is to add support to YARN for running Docker containers in "Service 
> Mode". 
> Service Mode - Run the container as defined by the image, but still allow for 
> injecting configuration. 
> Background:
>       Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as 
> defined in the image. However, still requires modification to official images 
> due to user propagation
> User propagation is problematic for running a secure cluster with sssd
>       
> Implementation:
>       Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
>       Must be requested at runtime - (example: 
> YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
>       Entrypoint mode is default enabled for this mode (If Service Mode is 
> requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set 
> to true)
>       Writable log mount will not be added - stdout logging may still work 
> with entrypoint mode - remove the writable bind mounts
>       User and groups will not be propagated (now: docker run --user nobody 
> --group-add=nobody .... <image>, after: docker run .... <image>)
>       Read-only resources mounted at the file level, files get chmod 777, 
> parent directory only accessible by the run as user.
> cc [[email protected]]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
