[jira] [Commented] (YARN-9860) Enable service mode for Docker containers on YARN

[Eric Yang (Jira)]

    [ 
https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947170#comment-16947170
 ] 

Eric Yang commented on YARN-9860:
---------------------------------

[~Prabhu Joseph] Thanks for point out the user error.  The user principal name 
was misconfigured on my cluster to cause the error.  There is clear message 
about the error in application master log file.  I tested service mode=true and 
false.  Both cases are working as expected and keytab file localization is set 
with proper permission.  Please include instructions for enabling service mode 
in DockerContainers.md.  Thanks again.

> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
>                 Key: YARN-9860
>                 URL: https://issues.apache.org/jira/browse/YARN-9860
>             Project: Hadoop YARN
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: YARN-9860-001.patch, YARN-9860-002.patch, 
> YARN-9860-003.patch, YARN-9860-004.patch, YARN-9860-005.patch, 
> YARN-9860-006.patch, YARN-9860-007.patch
>
>
> This task is to add support to YARN for running Docker containers in "Service 
> Mode". 
> Service Mode - Run the container as defined by the image, but still allow for 
> injecting configuration. 
> Background:
>       Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as 
> defined in the image. However, still requires modification to official images 
> due to user propagation
> User propagation is problematic for running a secure cluster with sssd
>       
> Implementation:
>       Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
>       Must be requested at runtime - (example: 
> YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
>       Entrypoint mode is default enabled for this mode (If Service Mode is 
> requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set 
> to true)
>       Writable log mount will not be added - stdout logging may still work 
> with entrypoint mode - remove the writable bind mounts
>       User and groups will not be propagated (now: docker run --user nobody 
> --group-add=nobody .... <image>, after: docker run .... <image>)
>       Read-only resources mounted at the file level, files get chmod 777, 
> parent directory only accessible by the run as user.
> cc [~shaneku...@gmail.com]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org