[
https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944743#comment-16944743
]
Prabhu Joseph commented on YARN-9860:
-------------------------------------
Thanks [~eyang] and [[email protected]] for reviewing. Have addressed the review comments in [^YARN-9860-006.patch].
1. Have refactored the docker-util.c with is_feature_enabled(). Tested with Native Service Job; Service Mode enable and disable work fine.
2. Regarding System.getenv("USER"), have verified that the USER environment variable of the container points to the actual user who submitted the job, irrespective of the value of yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. Containers are run as per the config, but the staging and log directories still belong to the job user.
{code}
container-executor <user> <yarn-user>
when yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user = nobody
/HADOOP/hadoop-3.3.0-SNAPSHOT/bin/container-executor nobody ambari-qa
{code}
> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
> Key: YARN-9860
> URL: https://issues.apache.org/jira/browse/YARN-9860
> Project: Hadoop YARN
> Issue Type: Improvement
> Affects Versions: 3.3.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: YARN-9860-001.patch, YARN-9860-002.patch, YARN-9860-003.patch, YARN-9860-004.patch, YARN-9860-005.patch, YARN-9860-006.patch
>
> This task is to add support to YARN for running Docker containers in "Service Mode".
> Service Mode - Run the container as defined by the image, but still allow for injecting configuration.
> Background:
> Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as defined in the image. However, still requires modification to official images due to user propagation.
> User propagation is problematic for running a secure cluster with sssd.
>
> Implementation:
> Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
> Must be requested at runtime (example: YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
> Entrypoint mode is default enabled for this mode (If Service Mode is requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set to true)
> Writable log mount will not be added - stdout logging may still work with entrypoint mode - remove the writable bind mounts
> User and groups will not be propagated (now: docker run --user nobody --group-add=nobody .... <image>, after: docker run .... <image>)
> Read-only resources mounted at the file level, files get chmod 777, parent directory only accessible by the run as user.
> cc [[email protected]]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
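The gate the issue describes, as an added example that is not Hadoop's container-executor code: a small C model of how the per-job request (YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE) is honoured only when c-e.cfg carries docker.service-mode.allowed=true, and of what is left out of the docker run line once it is. The config scanner, run_args(), the log-mount flag and the constructed c-e.cfg contents are assumptions for illustration.

```c
/* Added example, not Hadoop's container-executor code: models the gate the
 * issue describes. docker.service-mode.allowed in c-e.cfg is the admin
 * switch; YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE is the per-job request.
 * The scanner, run_args() and the argument strings are assumptions. */
#include <stdio.h>
#include <string.h>

/* Stand-in for is_feature_enabled(): scan key=value lines of a c-e.cfg text
 * and report 1 only when the key is present with the exact value "true". */
static int is_feature_enabled(const char *cfg, const char *key) {
    size_t klen = strlen(key);
    const char *p = cfg;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return len == klen + 5 && strncmp(p + klen + 1, "true", 4) == 0;
        p = eol ? eol + 1 : NULL;
    }
    return 0; /* absent key: feature off by default */
}

/* Build the docker run line for a container. Returns NULL when the job
 * requests service mode but the admin has not allowed it, so the env var
 * alone can never drop user propagation. In service mode the --user /
 * --group-add flags and the writable log bind mount are omitted, matching
 * the "now" vs "after" commands in the issue description. */
static const char *run_args(const char *cfg, int service_mode_requested,
                            const char *user, const char *log_dir) {
    static char line[512];
    if (service_mode_requested) {
        if (!is_feature_enabled(cfg, "docker.service-mode.allowed"))
            return NULL;
        snprintf(line, sizeof line, "docker run .... <image>");
    } else {
        snprintf(line, sizeof line,
                 "docker run --user %s --group-add=%s -v %s:%s:rw .... <image>",
                 user, user, log_dir, log_dir);
    }
    return line;
}

int main(void) {
    /* constructed c-e.cfg contents, not taken from a real cluster */
    const char *cfg_off = "docker.allowed=true\n";
    const char *cfg_on  = "docker.allowed=true\ndocker.service-mode.allowed=true\n";
    const char *r = run_args(cfg_off, 1, "nobody", "/var/log/yarn/app");
    printf("request without allow: %s\n", r ? r : "rejected");
    printf("service mode: %s\n", run_args(cfg_on, 1, "nobody", "/var/log/yarn/app"));
    printf("normal mode:  %s\n", run_args(cfg_on, 0, "nobody", "/var/log/yarn/app"));
    return 0;
}
```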