hadoop-yarn-issues mailing list archives

From "Zhankun Tang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5360) Use UID instead of user name to build the Docker run command
Date Wed, 13 Jul 2016 06:35:20 GMT

    [ https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374454#comment-15374454 ]

Zhankun Tang commented on YARN-5360:

*The root cause is that there is a wrong file name in DockerLinuxContainerRuntime.java*
 .addMountLocation("/etc/passwd", "/etc/password:ro");
Ok. So mounting /etc/passwd is working. And now let's compare the "/etc/passwd" way and the "UID"
way. This mounting approach is invasive to the original Docker image and can lead to user confusion
and frustration. So I still recommend that we use "UID". Any comments?

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
> There is *a dependency between the job submitting user and the user in the Docker image*
> in LCE currently. For instance, in order to run the Docker container as the yarn user, we can
> choose to set "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn
> and leave "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" at its default (true).
> Then LCE will choose yarn (UID maybe 1001) as the user running jobs.
>
> But because LCE will mount the generated launch_container.sh (owned by the running job
> user) into the Docker container and utilize the "docker run --user=<run_as_user>" option
> to get it done internally, we also need to create the *same user name* in the Docker image with
> the *same UID* as the running job user. Otherwise LCE will fail to launch the container or report
> that it is unable to find the user. This burdens the Docker image creator with a YARN dependency.
>
> Luckily this can be solved through Docker. As far as I know, since Docker v1.8 (or maybe
> earlier), the Docker run command "--user=" option accepts a UID and *when passing a UID, the user
> does not have to exist in the container*. So we should use the UID instead of the user name to construct
> the Docker run command to eliminate the dependency of creating the same user in the Docker
> image. This gives LCE the ability to launch any Docker container safely regardless of what
> users are in it.
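
Added example, not part of the original message or of the YARN code base: a sketch of the two ways of building the `--user` option discussed in this issue, run over constructed passwd data. The helper names, the sample passwd contents, the `min_uid` guard and the use of Docker's `uid:gid` form (the issue itself only proposes the UID) are assumptions made for illustration.

```python
# Constructed sample data: the host's passwd entries and the passwd file
# shipped inside a Docker image, where "yarn" exists with a different UID.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
yarn:x:1001:1001:YARN:/home/yarn:/bin/bash
"""
IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
yarn:x:500:500::/home/yarn:/bin/sh
"""

def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def user_option_by_name(run_as_user, host, image):
    """Current behaviour: --user=<name>, which is resolved inside the image.

    Models the two failures described in the issue: the name is missing from
    the image, or it maps to a UID that does not own launch_container.sh.
    """
    if run_as_user not in image:
        raise LookupError(f"unable to find user {run_as_user} in image")
    if image[run_as_user][0] != host[run_as_user][0]:
        raise PermissionError("image UID differs from owner of launch_container.sh")
    return f"--user={run_as_user}"

def user_option_by_uid(run_as_user, host, min_uid=1000):
    """Proposed behaviour: resolve the name on the host only and pass numbers.

    min_uid is a hypothetical guard so a job is never started as root or as a
    system account; it is not something the issue text specifies.
    """
    uid, gid = host[run_as_user]  # KeyError if the host does not know the user
    if uid < min_uid:
        raise ValueError(f"refusing uid {uid}: below minimum {min_uid}")
    return f"--user={uid}:{gid}"
```

With the sample data, the by-name path fails because the image's `yarn` has UID 500 while the host's has 1001, whereas the by-UID path never consults the image's passwd file.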
