[ https://issues.apache.org/jira/browse/YARN-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359645#comment-14359645 ]
Allen Wittenauer commented on YARN-3291:
----------------------------------------
How does everyone feel about this breaking compatibility with the docker bits
that shipped with 2.6? Because this patch does exactly that. I feel that
replacing most of DCE with LCE code is probably the correct direction, but it
does really push the idea that this whole container launcher code needs a major
overhaul.
Other things:
{code}
+ List<String> commandStr = Lists.newArrayList("docker", "-H", dockerUrl,
"run", "--rm",
+ "--net", "host", "--name", containerIdStr, "--user", userName,
"--workdir",
+ containerWorkDir.toUri().getPath(), "-v",
"/etc/passwd:/etc/passwd:ro");
{code}
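Review bot: the `"--user", userName` argument passes a user name, so the name has to be resolved inside the container, and the only source this command provides for that is the bind-mounted `/etc/passwd`. Consider looking up the numeric uid and gid on the host and passing `--user` as `uid:gid` instead; the launch then no longer depends on the account having a passwd entry, and the `-v /etc/passwd:/etc/passwd:ro` mount could be dropped unless something else in the container needs it.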
What happens if the user isn't in /etc/passwd? For example, user accounts are
loaded via LDAP?
I'm inclined to think that it would be better over the long haul to keep one
"launch container" option in container-executor but provide a type of container
to launch. This makes it much more extensible if someone wanted to use, say,
FreeBSD jails or Illumos zones or something else.
> DockerContainerExecutor should run as a non-root user inside the container
> --------------------------------------------------------------------------
>
> Key: YARN-3291
> URL: https://issues.apache.org/jira/browse/YARN-3291
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Abin Shahab
> Assignee: Abin Shahab
> Attachments: YARN-3291.patch
>
>
> Currently DockerContainerExecutor runs the container as root (inside the
> container). Outside the container it runs as yarn. Inside the container this
> can be run as a user which is not root.