[jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers

Fri, 16 Sep 2016 14:24:28 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15497423#comment-15497423
 ] 

Daniel Templeton commented on YARN-4266:
----------------------------------------

I don't really like either option.  3.1 is a no-go for security reasons.  3.2 
seems risky.  First, just running usermod isn't enough, as explained in 
https://muffinresearch.co.uk/linux-changing-uids-and-gids-for-user/  Second, 
how can you guarantee that the new UID isn't already in use in the container?  
Third, the reason we're having this discussion is because it's desirable to run 
a container without modification.   Modifying the container is not a valid 
alternative to modifying the container.  I think we still have some 
brainstorming to do.

> Allow whitelisted users to disable user re-mapping/squashing when launching 
> docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: 
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify 
> the user the container processes should run as. We use this mechanism today 
> when launching docker containers . In non-secure mode, we run the docker 
> container based on 
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in 
> secure mode, as the submitting user. However, this mechanism breaks down with 
> a large number of 'pre-created' images which don't necessarily have the users 
> available within the image. Examples of such images include shared images 
> that need to be used by multiple users. We need a way in which we can allow a 
> pre-defined set of users to run containers based on existing images, without 
> using the --user switch. There are some implications of disabling this user 
> squashing that we'll need to work through : log aggregation, artifact 
> deletion etc.,



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to