[ 
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374621#comment-15374621
 ] 

Sidharta Seethana commented on YARN-5360:
-----------------------------------------

To be honest, I am not in favor of going down the path of using ‘uid’s instead 
of the actual username. Unix usernames are more readable, and using the uid 
instead of the unix username only ensures that the container can be launched 
using that uid but does not guarantee that the container/image will work correctly 
using that uid. For example, launching a container as uid 99 (nobody in centos) 
does not guarantee that an ubuntu container will work correctly when launched 
using uid 99. In general it is good practice to ensure that the image being 
launched is set up correctly for the user(s) that are used to launch the image. 
We also need to consider if ‘run as user’ can be turned off for some users (see 
YARN-4266). 

About /etc/passwd being mounted incorrectly, I am not quite sure how that crept 
in - [~ashahab] and I were working on initial patches for docker support and 
this was moved over from DockerContainerExecutor ([~ashahab], know the 
background behind this?). In any case, I don’t think we should be always 
mounting /etc/passwd from the host (or at least we should make it a 
cluster-wide option). Always mounting /etc/passwd would mean that any 
additional users that are already in the image will be unavailable (examples 
include images with users like apache, jenkins and so on that may not be 
available on the cluster).

We also need to consider the implications of user namespaces/user remapping 
that is supported by docker in recent versions (still a work in progress I 
think). 

Given all of these, I think switching to uids now would only make things more 
complicated and the behavior difficult to understand. 

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>
> There is *a dependency between the job submitting user and the user in the Docker 
> image* in LCE currently. For instance, in order to run the Docker container 
> as the yarn user, we can choose to set 
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn 
> and leave 
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" 
> at its default (true). Then LCE will choose yarn (UID maybe 1001) as the user 
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job 
> user) and /etc/passwd (*currently the code is mounting it to the container's 
> /etc/password, I think it's a mistake*) into the Docker container and 
> utilizes the "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd into the container is a good choice. As 
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command 
> "--user=" option accepts a UID and *when passing a UID, the user does not have to 
> exist in the container*. So we should use the UID instead of the user name to 
> construct the Docker run command to eliminate the dependency of creating the 
> same user in the Docker image. This gives LCE the ability to launch any 
> Docker container safely regardless of what users are in it.
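The trade-off discussed in this thread (a numeric `--user` launches without a matching passwd entry, while bind-mounting the host /etc/passwd hides the image's own users) can be checked before launch. The following preflight script is an added example, not YARN or LCE code; `check_run_as` is a hypothetical helper, and the host and image passwd contents are constructed samples.

```python
# Added example (not YARN/LCE code): preflight the run-as user of a Docker
# container against constructed host and image /etc/passwd contents.
from typing import Dict, Optional

def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid from passwd(5) text; blank and comment lines are skipped."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users

def check_run_as(host_passwd: str, image_passwd: str, run_as: str) -> dict:
    """Describe how `docker run --user=<run_as>` resolves inside the image.

    A name must exist in the image's passwd; a numeric uid launches even
    without an entry, but then nothing in the image maps it to a name, home
    or shell.  Also lists what bind-mounting the host /etc/passwd would hide.
    """
    host, image = parse_passwd(host_passwd), parse_passwd(image_passwd)
    uid_to_name = {uid: name for name, uid in image.items()}
    if run_as.isdigit():
        uid: Optional[int] = int(run_as)
        image_name = uid_to_name.get(uid)   # None: uid has no passwd entry in the image
    else:
        uid = host.get(run_as)
        image_name = run_as if run_as in image else None  # None: --user=<name> fails
    return {
        "uid": uid,
        "image_name": image_name,
        # image-only users that a host /etc/passwd mount would make unavailable
        "shadowed_image_users": sorted(set(image) - set(host)),
        # same name, different uid on host and image (e.g. nobody: 99 vs 65534)
        "uid_mismatches": sorted(n for n in image.keys() & host.keys() if image[n] != host[n]),
    }

# Constructed sample data: a CentOS-style host (nobody = 99) and an Ubuntu-style image.
HOST_PASSWD = "root:x:0:0:root:/root:/bin/bash\nyarn:x:1001:1001::/home/yarn:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n"
IMAGE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\napache:x:48:48::/var/www:/usr/sbin/nologin\n"
                "jenkins:x:1000:1000::/var/jenkins_home:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n")

if __name__ == "__main__":
    for user in ("yarn", "1001", "99"):
        print(user, check_run_as(HOST_PASSWD, IMAGE_PASSWD, user))
```

For the sample data, "yarn" by name does not resolve in the image, "1001" launches but maps to no image user, and "99" is not nobody in the Ubuntu-style image, which is the uid-99 case raised in the comment above.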



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
