[
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374547#comment-15374547
]
Zhankun Tang commented on YARN-5360:
------------------------------------
And one more thing we need to know is that this UID need not to exists in the
Docker image, see this example:
{panel}
root@zhankun-host:~/DockerDeepDive# chown zhankun:hadoop zhankun.sh
root@zhankun-host:~/DockerDeepDive# ls
demo.txt zhankun.sh
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x 2 root root 4096 7月 13 00:18 ./
drwx------ 25 root root 4096 7月 13 22:16 ../
-rw-r--r-- 1 root root 402 7月 13 00:17 demo.txt
-rwx------ 1 zhankun hadoop 34 7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep zhankun
zhankun:x:1000:1000:zhankun,,,:/home/zhankun:/bin/bash
root@zhankun-host:~/DockerDeepDive# docker run -it --user=1000 --rm -v
/root/DockerDeepDive:/tmp/zhankun --workdir=/tmp/zhankun/ centos
/tmp/zhankun/zhankun.sh
I'm zhankun
uid=1000 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive#
{panel}
The centos doesn't have the zhankun user and the UID 1000 either, but above
example works. Just because 1000 is the owner of local host's "zhankun.sh"
> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
> Key: YARN-5360
> URL: https://issues.apache.org/jira/browse/YARN-5360
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
>
> There is *a dependency between job submitting user and the user in the Docker
> image* in LCE currently. For instance, in order to run the Docker container
> as yarn user, we can choose set the
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
> default (true). Then LCE will choose yarn ( UID maybe 1001) as the user
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job
> user) and /etc/passwd (*current the code is mounting to container's
> /etc/password, I think it's a mistake*) into the Docker container and
> utilizes "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd to the container is a good choice. As
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command
> "--user=" option accepts UID and *when passing UID, the user does not have to
> exist in the container*. So we should use UID instead of user name to
> construct the Docker run command to eliminate the dependency that create the
> same user in the Docker image. This enables LCE the ability to launch any
> Docker container safely regardless what users in it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
