hadoop-yarn-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3291) DockerContainerExecutor should run as a non-root user inside the container
Date Thu, 12 Mar 2015 23:55:39 GMT

    [ https://issues.apache.org/jira/browse/YARN-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359645#comment-14359645
] 

Allen Wittenauer commented on YARN-3291:
----------------------------------------

How does everyone feel about this breaking compatibility with the docker bits that shipped
with 2.6?  Because this patch does exactly that.  I feel that replacing most of DCE with LCE
code is probably the correct direction, but it does really push the idea that this whole container
launcher code needs a major overhaul.

Other things:
{code}
+    List<String> commandStr = Lists.newArrayList("docker", "-H", dockerUrl, "run",
"--rm",
+            "--net", "host", "--name", containerIdStr, "--user", userName, "--workdir",
+            containerWorkDir.toUri().getPath(), "-v", "/etc/passwd:/etc/passwd:ro");
{code}
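Review bot: `--user userName` combined with a read-only bind mount of only `/etc/passwd` means the name must resolve inside the container from that one file; on hosts where accounts come from LDAP, SSSD or another NSS source (the question raised just below), the file has no entry and `docker run` will refuse to start the container. Consider resolving the uid and gid on the host, where NSS is configured, and passing a numeric `--user <uid>:<gid>`, which docker accepts without any passwd lookup; if name-based resolution is kept, `/etc/group` needs mounting alongside `/etc/passwd` or group lookups inside the container stay broken. `--net host` also hands the container the host's network namespace, which deserves a mention in the patch description.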

What happens if the user isn't in /etc/passwd? For example, user accounts are loaded via LDAP?

I'm inclined to think that it would be better over the long haul to keep one "launch container"
option in container-executor but provide a type of container to launch.  This makes it much
more extensible if someone wanted to, say, FreeBSD jails or Illumos zones or something else.
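As an added illustration of the /etc/passwd concern above (this is not code from the YARN-3291 patch or from anyone in the thread), the snippet below resolves the container user on the host through NSS, which covers local files and LDAP alike, and builds the `docker run` argument list with a numeric `--user uid:gid` so the launch does not depend on the bind-mounted passwd file containing the account. The names `dockerUrl`, `containerIdStr` and `containerWorkDir` follow the patch; all values passed in are constructed placeholders, and the patch's `--net host` is left out since it is unrelated to user resolution.

```shell
#!/bin/sh
# Added example, not part of YARN-3291: resolve the YARN user on the host via
# NSS and pass docker a numeric uid:gid instead of a name.

# Print "uid:gid" for a user name, or return non-zero if the host cannot
# resolve it. `id` goes through the same NSS path as the rest of the system
# (/etc/passwd, LDAP, SSSD, ...), so LDAP-only accounts resolve here even
# though they would be missing from a bind-mounted /etc/passwd.
resolve_uid_gid() {
    name=$1
    uid=$(id -u "$name" 2>/dev/null) || return 1
    gid=$(id -g "$name" 2>/dev/null) || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# Emit the docker run argument list, one argument per line, for a container.
# Arguments: user name, docker URL, container id, work dir, image.
# Fails closed (non-zero, nothing printed) when the user does not resolve,
# rather than letting docker fall back to root inside the container.
build_docker_cmd() {
    user_name=$1
    docker_url=$2
    container_id=$3
    work_dir=$4
    image=$5

    user_spec=$(resolve_uid_gid "$user_name") || {
        echo "refusing to launch: user '$user_name' not resolvable on host" >&2
        return 1
    }

    # /etc/group is mounted as well so that group names resolve inside the
    # container; both mounts are read-only.
    printf '%s\n' docker -H "$docker_url" run --rm \
        --name "$container_id" --user "$user_spec" --workdir "$work_dir" \
        -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro \
        "$image"
}

# Usage with constructed placeholder values; the output is the argument list
# that would be handed to docker, it is not executed here.
build_docker_cmd yarnuser tcp://localhost:2375 container_1425000000000_0001_01_000002 \
    /tmp/yarn-local/container_work busybox
```

Because the uid and gid are looked up on the node manager host, the check happens where the account database is authoritative, and an unresolvable user aborts the launch instead of being discovered by docker at container start.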

> DockerContainerExecutor should run as a non-root user inside the container
> --------------------------------------------------------------------------
>
>                 Key: YARN-3291
>                 URL: https://issues.apache.org/jira/browse/YARN-3291
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Abin Shahab
>            Assignee: Abin Shahab
>         Attachments: YARN-3291.patch
>
>
> Currently DockerContainerExecutor runs the container as root (inside the container). Outside
> the container it runs as yarn. Inside the container this can be run as the user, which is not root.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
