hadoop-yarn-issues mailing list archives

From "Zhankun Tang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5360) Use UID instead of user name to build the Docker run command
Date Wed, 13 Jul 2016 07:34:20 GMT

    [ https://issues.apache.org/jira/browse/YARN-5360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374529#comment-15374529 ]

Zhankun Tang commented on YARN-5360:
------------------------------------

[~vvasudev], thanks for the tip. Yes, if the running job user is nobody, this UID is different
between Ubuntu and centos. But I tested this nobody user before; it works with UID 65534 even
in centos:
{panel}
root@zhankun-host:~/DockerDeepDive# ll
total 16
drwxr-xr-x  2 root   root   4096  7月 13 00:18 ./
drwx------ 25 root   root   4096  7月 13 22:16 ../
-rw-r--r--  1 root   root    402  7月 13 00:17 demo.txt
-rwx------  1 nobody hadoop   34  7月 12 19:20 zhankun.sh*
root@zhankun-host:~/DockerDeepDive# cat /etc/passwd|grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
root@zhankun-host:~/DockerDeepDive# docker run -it --rm --user=65534 -v /root/DockerDeepDive:/tmp/zhankun centos /tmp/zhankun/zhankun.sh
I'm zhankun
uid=65534 gid=0(root) groups=0(root)
root@zhankun-host:~/DockerDeepDive# 
{panel} 

> Use UID instead of user name to build the Docker run command
> ------------------------------------------------------------
>
>                 Key: YARN-5360
>                 URL: https://issues.apache.org/jira/browse/YARN-5360
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>
> There is *a dependency between job submitting user and the user in the Docker image*
> in LCE currently. For instance, in order to run the Docker container as the yarn user, we
> can choose to set "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to
> yarn and leave "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" at
> its default (true). Then LCE will choose yarn (UID maybe 1001) as the user running jobs.
> LCE will mount the generated launch_container.sh (owned by the running job user) and
> /etc/passwd (*currently the code is mounting it to the container's /etc/password, I think
> it's a mistake*) into the Docker container and utilizes the "docker run --user=<run_as_user>"
> option to get it done internally.
> But I don't think mounting /etc/passwd to the container is a good choice. As far as I
> know, since Docker v1.8 (or maybe earlier), the Docker run command "--user=" option accepts
> a UID and *when passing a UID, the user does not have to exist in the container*. So we
> should use the UID instead of the user name to construct the Docker run command to eliminate
> the dependency of creating the same user in the Docker image. This gives LCE the ability to
> launch any Docker container safely regardless of what users are in it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
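The approach the issue proposes, as an added example that is not YARN's or LCE's own code: resolve the submitting user's UID and GID on the host and pass them as `--user=UID:GID`, so the image does not need to contain that user and /etc/passwd is never bind-mounted into the container. Passing the GID as well matters because the session above, which passed only `--user=65534`, ended up with `gid=0(root)`. The passwd content below is a constructed sample (the `nobody` line mirrors the one in the session; the `yarn` line uses the UID 1001 the issue mentions as a possibility), and the function names are hypothetical. The `docker run` line is only printed, not executed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not YARN/LCE code): build the "docker run" line from the
# submitting user's UID:GID resolved on the host instead of the user name.
# SAMPLE_PASSWD is a constructed host passwd file for the demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
yarn:x:1001:1001:Hadoop YARN:/home/yarn:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# resolve_uid_gid USER PASSWD_CONTENT
# Prints "UID:GID" for USER; exit status 1 if USER is not in PASSWD_CONTENT.
# On a real node manager the content would come from getent/NSS rather than
# a string, but the parsing is the same.
resolve_uid_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $3 ":" $4; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# build_docker_run_cmd USER PASSWD_CONTENT IMAGE COMMAND...
# Prints the docker run line LCE would execute, with --user=UID:GID and no
# /etc/passwd bind mount. Refuses UID 0 so a misconfigured local-user cannot
# silently become a root container.
build_docker_run_cmd() {
    _user=$1; _passwd=$2; _image=$3
    shift 3
    _ids=$(resolve_uid_gid "$_user" "$_passwd") || {
        echo "build_docker_run_cmd: unknown user '$_user'" >&2
        return 1
    }
    case $_ids in
        0:*) echo "build_docker_run_cmd: refusing to run as UID 0" >&2; return 1 ;;
    esac
    printf 'docker run --rm --user=%s %s %s\n' "$_ids" "$_image" "$*"
}

# Stand-alone demonstration: the same script the session above ran, as nobody.
build_docker_run_cmd nobody "$SAMPLE_PASSWD" centos /tmp/zhankun/zhankun.sh
```

Inside the container the numeric IDs are used as-is, so `id` will report `uid=65534 gid=65534` with no names attached unless the image happens to define them; that is harmless for running a launch script, and it is exactly the decoupling the issue asks for.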
