[
https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15381601#comment-15381601
]
Zhongyue Luo commented on YARN-5360:
------------------------------------
[~sidharta-s]"In general it is good practice to ensure that image being
launched is setup correctly for the user(s) that are used to launch the image."
I think this is inconsistent with Docker's motto to "build, ship and run".
There is no point of using Docker if the user has to use every image as a base
to add the correct user. I guess the attempt to mount /etc/passwd was also
intended to avoid users needing to customize every Docker image they launch.
Using the "--userns-remap" option is also not portable.
I also agree that mounting /etc/passwd on the container could be intrusive
therefore [~tangzhankun] seems to be suggesting using UIDs instead of username.
The fact is that /etc/passwd is being incorrectly mounted therefore this should
be resolved one way or another. Options seems to be 1) correctly mount
/etc/passwd as originally intended or 2) remove /etc/passwd mount and pass UID
in the --user option. Any other solution seems too big of a change that it
should have its own ticket. Thoughts?
> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
> Key: YARN-5360
> URL: https://issues.apache.org/jira/browse/YARN-5360
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
>
> There is *a dependency between job submitting user and the user in the Docker
> image* in LCE currently. For instance, in order to run the Docker container
> as yarn user, we can choose set the
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave
> "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
> default (true). Then LCE will choose yarn ( UID maybe 1001) as the user
> running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job
> user) and /etc/passwd (*current the code is mounting to container's
> /etc/password, I think it's a mistake*) into the Docker container and
> utilizes "docker run --user=<run_as_user>" option to get it done internally.
> But I don't think mounting /etc/passwd to the container is a good choice. As
> far as I know, since Docker v1.8 (or maybe earlier), the Docker run command
> "--user=" option accepts UID and *when passing UID, the user does not have to
> exist in the container*. So we should use UID instead of user name to
> construct the Docker run command to eliminate the dependency that create the
> same user in the Docker image. This enables LCE the ability to launch any
> Docker container safely regardless what users in it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
