hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3852) Add docker container support to container-executor
Date Wed, 22 Jul 2015 17:28:05 GMT

    [ https://issues.apache.org/jira/browse/YARN-3852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637234#comment-14637234

Varun Vasudev commented on YARN-3852:

Sigh. My apologies [~ashahab] - I found one more issue. Docker containers are launched as
the correct user but the regular process containers are being run as root.

I suspect the root cause is the call
exit_code = create_local_dirs(user, app_id, container_id,
    work_dir, script_name, cred_file, local_dirs, log_dirs,
    1, script_file_dest, cred_file_dest,
    container_file_source, cred_file_source);
in launch_container_as_user. The effective_user argument is set to 1 when it should be 0.

> Add docker container support to container-executor 
> ---------------------------------------------------
>                 Key: YARN-3852
>                 URL: https://issues.apache.org/jira/browse/YARN-3852
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Abin Shahab
>         Attachments: YARN-3852-1.patch, YARN-3852-2.patch, YARN-3852.patch
> For security reasons, we need to ensure that access to the docker daemon and the ability
to run docker containers is restricted to privileged users ( i.e users running applications
should not have direct access to docker). In order to ensure the node manager can run docker
commands, we need to add docker support to the container-executor binary.

This message was sent by Atlassian JIRA

View raw message