[ 
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zhankun Tang updated YARN-5360:
-------------------------------
    Description: 
There is *a dependency between the job-submitting user and the user in the
Docker image* in LCE currently. For instance, in order to run the Docker
container as the yarn user, we can choose to set
"yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
and leave
"yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" at its
default (true). Then LCE will choose yarn (UID maybe 1001) as the user running
jobs.

LCE will mount the generated launch_container.sh (owned by the running job
user) and /etc/passwd (currently the code mounts it to the container's
/etc/password, which I think is a mistake) into the Docker container and uses
the "docker run --user=<run_as_user>" option to get it done internally.

But I don't think mounting /etc/passwd into the container is a good choice. As
far as I know, since Docker v1.8 (or maybe earlier), the Docker run command's
"--user=" option accepts a UID, and *when a UID is passed, the user does not
have to exist in the container*. So we should use the UID instead of the user
name to construct the Docker run command, to eliminate the dependency of
creating the same user in the Docker image. This gives LCE the ability to
launch any Docker container safely regardless of what users are in it.

  was:
There is *a dependency between the job-submitting user and the user in the
Docker image* in LCE currently. For instance, in order to run the Docker
container as the yarn user, we can choose to set
"yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
and leave
"yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" at its
default (true). Then LCE will choose yarn (UID maybe 1001) as the user running
jobs.

But because LCE will mount the generated launch_container.sh (owned by the
running job user) into the Docker container and uses the "docker run
--user=<run_as_user>" option to get it done internally, we also need to create
the *same user name* in the Docker image with the *same UID* as the running job
user. Otherwise LCE will fail to launch the container or report that it is
unable to find the user. This burdens the Docker image creator with a YARN
dependency.

Luckily this can be solved through Docker. As far as I know, since Docker v1.8
(or maybe earlier), the Docker run command's "--user=" option accepts a UID,
and *when a UID is passed, the user does not have to exist in the container*.
So we should use the UID instead of the user name to construct the Docker run
command, to eliminate the dependency of creating the same user in the Docker
image. This gives LCE the ability to launch any Docker container safely
regardless of what users are in it.


> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
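As an added example (not part of the JIRA issue and not Hadoop's own container-executor code), the shell script below builds a docker run command the way the description proposes: it resolves the job user's UID and GID on the host side, where the user does exist, passes them as a numeric --user=UID:GID, bind-mounts only launch_container.sh, and does not mount the host's /etc/passwd into the container at all. The passwd content, the image name, the launch script path, the exact command shape and the refusal to run as UID 0 are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not YARN/LCE code: construct "docker run" with a numeric
# --user=UID:GID resolved on the host, so the image does not need a matching
# user entry and the host /etc/passwd is never mounted into the container.

# Constructed host passwd content standing in for the NodeManager's
# /etc/passwd; the "yarn" UID 1001 follows the example in the issue.
HOST_PASSWD="$(mktemp)"
cat >"$HOST_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
yarn:x:1001:1001:YARN user:/home/yarn:/bin/bash
EOF

# resolve_uid_gid NAME PASSWD_FILE
# Prints "UID:GID" for NAME from a passwd-format file; fails if NAME is absent.
resolve_uid_gid() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; found = 1 } END { exit !found }' "$2"
}

# build_docker_run NAME PASSWD_FILE LAUNCH_SCRIPT IMAGE
# Prints the docker run command line. Because the user is passed as UID:GID,
# Docker does not look the name up inside the image, so the image needs no
# matching /etc/passwd entry. launch_container.sh is owned by NAME on the
# host, so a process running as that UID inside the container can read it.
build_docker_run() {
    name="$1"; passwd_file="$2"; launch="$3"; image="$4"
    ids="$(resolve_uid_gid "$name" "$passwd_file")" || {
        echo "build_docker_run: user '$name' not found on host" >&2
        return 1
    }
    # Added guard (assumption, not from the issue): never launch as UID 0.
    case "$ids" in
        0:*) echo "build_docker_run: refusing to run container as root" >&2
             return 1 ;;
    esac
    printf 'docker run --rm --user=%s -v %s:%s:ro %s bash %s\n' \
        "$ids" "$launch" "$launch" "$image" "$launch"
}

# Demonstration with assumed image and script names.
build_docker_run yarn "$HOST_PASSWD" /tmp/launch_container.sh hadoop-app:latest
```

With `--user=yarn` Docker would have to find "yarn" in the image's own /etc/passwd (which is what the /etc/passwd bind mount was papering over); with `--user=1001:1001` no lookup happens, so the same command works against any image. A user that does not exist on the host still fails, but now on the NodeManager side, before anything is launched.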



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
