[ https://issues.apache.org/jira/browse/YARN-3852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637234#comment-14637234 ]
Varun Vasudev commented on YARN-3852:
-------------------------------------
Sigh. My apologies [~ashahab] - I found one more issue. Docker containers are
launched as the correct user but the regular process containers are being run
as root.
I suspect the root cause is the call
{code}
exit_code = create_local_dirs(user, app_id, container_id,
                              work_dir, script_name, cred_file, local_dirs, log_dirs,
                              1, script_file_dest, cred_file_dest,
                              container_file_source, cred_file_source);
{code}
in launch_container_as_user. The effective_user argument is set to 1 when it
should be 0.
> Add docker container support to container-executor
> ---------------------------------------------------
>
> Key: YARN-3852
> URL: https://issues.apache.org/jira/browse/YARN-3852
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: Abin Shahab
> Attachments: YARN-3852-1.patch, YARN-3852-2.patch, YARN-3852.patch
>
>
> For security reasons, we need to ensure that access to the docker daemon and
> the ability to run docker containers is restricted to privileged users (i.e.,
> users running applications should not have direct access to docker). In order
> to ensure the node manager can run docker commands, we need to add docker
> support to the container-executor binary.
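
A regression check for the symptom reported in the comment above, as an added example that is not part of the original message or of the Hadoop code base: it parses the `Uid:` line of a Linux `/proc/<pid>/status` file and reports whether a launched container process still holds root in any of its real, effective, saved or filesystem UIDs. The function names, the enum and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum uid_check { UID_OK, UID_ROOT, UID_MISMATCH, UID_PARSE_ERROR };

/* Constructed /proc/<pid>/status excerpts (sample data, not captured output). */
static const char SAMPLE_ROOT[] = "Name:\tbash\nPid:\t4242\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n";
static const char SAMPLE_USER[] = "Name:\tbash\nPid:\t4243\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n";

/* Hypothetical helper (not from container-executor): find the "Uid:" line,
 * which lists real, effective, saved-set and filesystem UIDs, and compare
 * all four against the user the container was supposed to run as. */
enum uid_check check_status_uids(const char *text, uid_t expected) {
  const char *line = text;
  while (line != NULL && *line != '\0') {
    if (strncmp(line, "Uid:", 4) == 0) {
      unsigned long ids[4];
      if (sscanf(line + 4, "%lu %lu %lu %lu",
                 &ids[0], &ids[1], &ids[2], &ids[3]) != 4)
        return UID_PARSE_ERROR;
      enum uid_check result = UID_OK;
      for (int i = 0; i < 4; i++) {
        if (ids[i] == 0) return UID_ROOT;   /* any root UID is a failure */
        if (ids[i] != (unsigned long)expected) result = UID_MISMATCH;
      }
      return result;
    }
    line = strchr(line, '\n');
    if (line != NULL) line++;               /* advance to the next line */
  }
  return UID_PARSE_ERROR;                   /* no Uid: line present */
}

/* Read /proc/<pid>/status for a live process and run the same check. */
enum uid_check check_pid_uids(pid_t pid, uid_t expected) {
  char path[64], buf[4096];
  snprintf(path, sizeof(path), "/proc/%ld/status", (long)pid);
  FILE *f = fopen(path, "r");
  if (f == NULL) return UID_PARSE_ERROR;
  size_t n = fread(buf, 1, sizeof(buf) - 1, f);
  fclose(f);
  buf[n] = '\0';
  return check_status_uids(buf, expected);
}

int main(void) {
  printf("root sample: %d\n", check_status_uids(SAMPLE_ROOT, 1000));
  printf("user sample: %d\n", check_status_uids(SAMPLE_USER, 1000));
  return 0;
}
```

Run against the PID of a freshly launched non-Docker container with the submitting user's UID as `expected`, any result other than `UID_OK` indicates the launch path did not drop privileges.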