[
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374529#comment-15374529
]
Zhankun Tang commented on YARN-5360:
------------------------------------
[~vvasudev], thanks for the tip. Yes, if the running job user is nobody, this
UID is different between Ubuntu and CentOS. But I tested this nobody user before;
it works with UID 65534 even in CentOS:
{panel}
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x 2 root root 4096 Jul 13 00:18 ./
drwx------ 25 root root 4096 Jul 13 22:16 ../
-rw-r--r-- 1 root root 402 Jul 13 00:17 demo.txt
-rwx------ 1 nobody hadoop 34 Jul 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
root@zhankun-host:~/DockerDeepDive# docker run -it --rm --user=65534 -v /root/DockerDeepDive:/tmp/zhankun centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=65534 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive#
{panel}
> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
> Key: YARN-5360
> URL: https://issues.apache.org/jira/browse/YARN-5360
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
>
> There is *a dependency between the job-submitting user and the user in the Docker
> image* in LCE currently. For instance, in order to run the Docker container
> as the yarn user, we can choose to set
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
> at its default (true). Then LCE will choose yarn (UID maybe 1001) as the user
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job
> user) and /etc/passwd (*currently the code mounts it to the container's
> /etc/password, which I think is a mistake*) into the Docker container and
> utilizes the "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd into the container is a good choice. As
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command's
> "--user=" option accepts a UID, and *when passing a UID, the user does not have to
> exist in the container*. So we should use the UID instead of the user name to
> construct the Docker run command, to eliminate the dependency of creating the
> same user in the Docker image. This gives LCE the ability to launch any
> Docker container safely regardless of what users are in it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
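The following is an added example, not code from the JIRA issue or from Hadoop's container-executor. It shows the approach the issue proposes: resolve the run-as user to numeric IDs on the host and build the `docker run` command from those, so nothing in the image has to know the user. It also addresses the detail visible in the panel above: with `--user=65534` alone the container process reported `gid=0(root)`, so the example passes `UID:GID` rather than the UID only. The passwd data, the `yarn` entry with UID 1001 and the image/script names are constructed for the example; the function names are illustrative and belong to no real tool.

```shell
#!/bin/sh
# Added example (not Hadoop/LCE code): derive the docker run "--user" option
# from numeric IDs resolved on the host, never from a user name.

# Constructed sample of a host /etc/passwd, so the example runs offline.
# Pass "$(getent passwd)" as the second argument to use the real database.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
yarn:x:1001:1001:Hadoop YARN:/var/lib/hadoop-yarn:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# resolve_uid_gid NAME [PASSWD_DATA]
# Prints "UID:GID" for NAME from the passwd data; returns 1 if NAME is unknown.
resolve_uid_gid() {
    name=$1
    data=${2:-$SAMPLE_PASSWD}
    printf '%s\n' "$data" |
        awk -F: -v u="$name" '$1 == u { print $3 ":" $4; found = 1 }
                               END { exit !found }'
}

# docker_user_opt NAME [PASSWD_DATA]
# Prints the --user option for the run command. Giving only the UID (as in
# the panel above) leaves the container process with gid 0 (root); giving
# UID:GID pins the primary group as well. Neither ID needs an entry in the
# image's /etc/passwd or /etc/group.
docker_user_opt() {
    ids=$(resolve_uid_gid "$@") || return 1
    printf '%s%s\n' '--user=' "$ids"
}

# build_run_cmd NAME IMAGE SCRIPT
# Prints the docker run command line that would be executed for NAME.
# The bind mount mirrors the one used in the panel above.
build_run_cmd() {
    opt=$(docker_user_opt "$1") || { echo "unknown user: $1" >&2; return 1; }
    printf 'docker run -it --rm %s -v /root/DockerDeepDive:/tmp/zhankun %s %s\n' \
        "$opt" "$2" "$3"
}

# Demonstration: the same command for two host users; the image is untouched.
build_run_cmd nobody centos /tmp/zhankun/zhankun.sh
build_run_cmd yarn centos /tmp/zhankun/zhankun.sh
```

Running the printed command against an image that lacks the user still starts the process, but `id` inside the container then prints the bare number with no name, exactly as in the panel; anything in the image that looks the UID up by name (for example a shell reading `$HOME` from passwd) must tolerate that.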