hadoop-yarn-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3291) DockerContainerExecutor should run as a non-root user inside the container
Date Thu, 12 Mar 2015 23:55:39 GMT

    [ https://issues.apache.org/jira/browse/YARN-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359645#comment-14359645 ]

Allen Wittenauer commented on YARN-3291:

How does everyone feel about this breaking compatibility with the docker bits that shipped
with 2.6?  Because this patch does exactly that.  I feel that replacing most of DCE with LCE
code is probably the correct direction, but it does really push the idea that this whole container
launcher code needs a major overhaul.

Other things:
+    List<String> commandStr = Lists.newArrayList("docker", "-H", dockerUrl, "run",
+            "--net", "host", "--name", containerIdStr, "--user", userName, "--workdir",
+            containerWorkDir.toUri().getPath(), "-v", "/etc/passwd:/etc/passwd:ro");
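
Review bot: the "--user", userName argument on the second added line passes an account name, so the launch depends on that name resolving through the read-only bind mount of /etc/passwd on the third line, and /etc/group is not mounted alongside it, so group names have no matching source. Consider resolving the uid and gid on the host and passing "--user" as numeric uid:gid, which docker accepts without a passwd entry, and add a comment explaining why "--net", "host" is needed, since it keeps the container on the host's network namespace even after root is dropped.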

What happens if the user isn't in /etc/passwd? For example, user accounts are loaded via LDAP?

I'm inclined to think that it would be better over the long haul to keep one "launch container"
option in container-executor but provide a type of container to launch.  This makes it much
more extensible if someone wanted to, say, FreeBSD jails or Illumos zones or something else.

> DockerContainerExecutor should run as a non-root user inside the container
> --------------------------------------------------------------------------
>                 Key: YARN-3291
>                 URL: https://issues.apache.org/jira/browse/YARN-3291
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Abin Shahab
>            Assignee: Abin Shahab
>         Attachments: YARN-3291.patch
> Currently DockerContainerExecutor runs container as root (inside the container). Outside
> the container it runs as yarn. Inside the container this can be run as the user which is not root.
