hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
Date Tue, 22 Nov 2016 15:39:59 GMT

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15687059#comment-15687059

Shane Kumpf commented on YARN-4266:

Thanks for the design document and discussion on the approaches, [~tangzhankun]! I think we
can agree that there are challenges with all of the proposed approaches, but it seems an ideal
approach may not exist today. As you and others have called out; 3.1 has security implications,
3.2 could introduce significant overhead, 3.3 depends on docker logs which is error prone
and handling of tokens is an unknown.

Given these approaches, on the surface, 3.3 seems like the least invasive wrt container changes.
Eliminating the writable bind mounts may also make security easier to grok. Getting the token
into the container doesn't seem all that difficult to address. How do others feel about 3.3?

Not to hijack, but on a related note, I still believe user namespace remapping will be our
future solution here. User namespace remapping would allow us to map the root user in the
container, to the run as user on the host, eliminating many of the issues. I revisited this
feature this morning in hopes it had evolved in the last couple of releases of Docker, but
unfortunately it hasn't. The current user namespace remapping feature in docker can only be
applied to a single user and is set at the daemon level, which will not work for us in both
non-secure and secure modes. I believe it would currently be possible to support user namespace
remapping for non-secure mode, but not both. Many issues are opened on the docker github requesting
per container user namespace remapping, but the sharing of image layers makes this non-trivial
to add. I really don't like the idea of varying approaches for secure and non-secure mode,
but I would be happy to work on this approach for non-secure containers if others feel it
is worth pursuing.

> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: YARN-4266-branch-2.8.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
container processes should run as. We use this mechanism today when launching docker containers
. In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
and in secure mode, as the submitting user. However, this mechanism breaks down with a large
number of 'pre-created' images which don't necessarily have the users available within the
image. Examples of such images include shared images that need to be used by multiple users.
We need a way in which we can allow a pre-defined set of users to run containers based on
existing images, without using the --user switch. There are some implications of disabling
this user squashing that we'll need to work through : log aggregation, artifact deletion etc.,

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message