Date: Mon, 17 Oct 2016 04:44:58 +0000 (UTC)
From: "Zhankun Tang (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
archived-at: Mon, 17 Oct 2016 04:45:01 -0000

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15581196#comment-15581196 ]

Zhankun Tang commented on YARN-4266:
------------------------------------

[~sidharta-s] Although we can alleviate it by "find / -user
-exec chown -h {} \;", I'm afraid this will cost overhead if nothing outside the user's home directory needs ownership changes. Or we can just remind the end user about this limitation if we don't want this overhead.

> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: YARN-4266-branch-2.8.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the container processes should run as. We use this mechanism today when launching docker containers. In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in secure mode, as the submitting user. However, this mechanism breaks down with a large number of 'pre-created' images which don't necessarily have the users available within the image. Examples of such images include shared images that need to be used by multiple users. We need a way in which we can allow a pre-defined set of users to run containers based on existing images, without using the --user switch. There are some implications of disabling this user squashing that we'll need to work through: log aggregation, artifact deletion, etc.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)