[
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374454#comment-15374454
]
Zhankun Tang commented on YARN-5360:
------------------------------------
*The root cause is that there is a wrong file name in the
DockerLinuxContainerRuntime.java*
{panel}
.addMountLocation("/etc/passwd", "/etc/password:ro");
{panel}
Ok. So mounting /etc/passwd is working. And now let's compare the "/etc/passwd"
way and the "UID" way. This mounting approach is invasive to the original Docker
image and can lead to user confusion and frustration. So I still recommend that
we use "UID". Any comments?
> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
> Key: YARN-5360
> URL: https://issues.apache.org/jira/browse/YARN-5360
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
>
> There is *a dependency between job submitting user and the user in the Docker
> image* in LCE currently. For instance, in order to run the Docker container
> as yarn user, we can choose to set the
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
> default (true). Then LCE will choose yarn (UID maybe 1001) as the user
> running jobs.
> But because LCE will mount the generated launch_container.sh (owned by the
> running job user) into the Docker container and utilize the "docker run
> --user=<run_as_user>" option to get it done internally, we also need to
> create the *same user name* in the Docker image with the *same UID* as the
> running job user. Otherwise LCE will fail to launch the container or report
> that it is unable to find the user. This burdens the Docker image creator
> with a YARN dependency.
> Luckily this can be solved through Docker. As far as I know, since Docker
> v1.8 (or maybe earlier), the Docker run command "--user=" option accepts UID
> and *when passing UID, the user does not have to exist in the container*. So
> we should use UID instead of user name to construct the Docker run command to
> eliminate the dependency of creating the same user in the Docker image. This
> gives LCE the ability to launch any Docker container safely regardless of
> what users are in it.
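
The difference between the user-name form and the UID form of "--user", as an added example that is not part of the original message and not Hadoop's LCE code. The passwd contents, the image name `example/image` and all function names are constructed for illustration; `image_accepts` is a simplified model of the user lookup described in the issue, not Docker's implementation.

```python
# Constructed host passwd: the run-as user "yarn" exists with UID 1001.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
yarn:x:1001:1001:YARN:/home/yarn:/bin/bash
"""
# Constructed image passwd: an unmodified image with no "yarn" entry.
IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue  # skip comments and malformed lines
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def uid_user_spec(host_passwd, run_as_user):
    """Resolve the run-as user on the host to its numeric UID string."""
    users = parse_passwd(host_passwd)
    if run_as_user not in users:
        raise KeyError(f"run-as user {run_as_user!r} not found on host")
    return str(users[run_as_user][0])

def image_accepts(image_passwd, user_spec):
    """Model: a numeric UID needs no passwd entry in the image,
    while a user name must be present in the image's passwd."""
    return user_spec.isdigit() or user_spec in parse_passwd(image_passwd)

def docker_run_argv(user_spec, image):
    """Build the argument list; the image name is a placeholder."""
    return ["docker", "run", f"--user={user_spec}", image]

if __name__ == "__main__":
    by_name = "yarn"
    by_uid = uid_user_spec(HOST_PASSWD, "yarn")
    for spec in (by_name, by_uid):
        ok = image_accepts(IMAGE_PASSWD, spec)
        print(" ".join(docker_run_argv(spec, "example/image")),
              "->", "resolves" if ok else "unable to find user")
```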