hadoop-yarn-issues mailing list archives

From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
Date Wed, 08 Mar 2017 16:49:38 GMT

[ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901534#comment-15901534 ]

Shane Kumpf commented on YARN-4266:
-----------------------------------

I took another look at the progress being made on user namespaces in Docker and as far as
I can tell, the story remains the same. I echo [~sidharta-s], it just doesn't appear there
is a solution here that will work for all container types. As [~templedf] pointed out, "Modifying
the container is not a valid alternative to modifying the container", but we are limited
on options here. :)

As it appears the proposed solution will solve the problem for a class of container types,
I'm +1 on adding the UID/usermod approach as an optional solution. Note that this solution
won't help for official docker hub images such as postgres and apache without some sort of
setuid wrapper, so we'll need to continue to discuss how we handle those.

I do believe that {{docker logs}} is worth exploring as a means of reducing or eliminating
the writable bind mounted directories. We could explore read-only mounts for the various caches.
It seems the biggest hurdle there will be the secure tokens, but read-only may work here as
well. Anyone already thought about this far enough to have a story for the tokens? Should
we open a new ticket to discuss this approach?

> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: YARN-4266.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
container processes should run as. We use this mechanism today when launching docker containers.
In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
and in secure mode, as the submitting user. However, this mechanism breaks down with a large
number of 'pre-created' images which don't necessarily have the users available within the
image. Examples of such images include shared images that need to be used by multiple users.
We need a way in which we can allow a pre-defined set of users to run containers based on
existing images, without using the --user switch. There are some implications of disabling
this user squashing that we'll need to work through: log aggregation, artifact deletion etc.
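The launch policy discussed above (enforce `--user` when the image's `/etc/passwd` knows the submitting user, otherwise allow only whitelisted users to launch without re-mapping, and refuse everyone else) together with the read-only bind mounts for caches raised in the comment, as an added Python example. This is not code from YARN's container executor or from the attached patch; the `Mount` type, the whitelist argument, the sample image `/etc/passwd` and the host paths are constructed for illustration.

```python
import shlex
from dataclasses import dataclass

# Constructed sample /etc/passwd as it might appear inside a shared image:
# it defines the image's own service account but not the YARN submitting user.
SAMPLE_IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:999:999::/var/lib/postgresql:/bin/bash
"""


def parse_passwd(text):
    """Map user name -> (uid, gid) from /etc/passwd-style text, skipping blank or malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        try:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric uid/gid: treat the entry as unusable
    return users


@dataclass(frozen=True)
class Mount:
    """A bind mount; writable=False renders it read-only inside the container (assumed helper type)."""
    host_path: str
    container_path: str
    writable: bool


def user_flags(image_passwd, run_as_user, remap_whitelist):
    """Return the docker run arguments that implement the user policy.

    - user present in the image: enforce it with --user (the normal squashing path)
    - user absent but whitelisted: launch without --user, i.e. squashing disabled
    - otherwise: refuse, so a container never silently runs as the image's default user
    """
    if run_as_user in parse_passwd(image_passwd):
        return ["--user", run_as_user]
    if run_as_user in remap_whitelist:
        return []
    raise PermissionError(
        f"user {run_as_user!r} is not in the image and is not whitelisted to disable user re-mapping")


def mount_flags(mounts):
    """Render -v flags; anything not explicitly writable is mounted read-only."""
    flags = []
    for m in mounts:
        mode = "rw" if m.writable else "ro"
        flags += ["-v", f"{m.host_path}:{m.container_path}:{mode}"]
    return flags


def build_docker_run(image, image_passwd, run_as_user, remap_whitelist, mounts, command):
    """Assemble the full docker run argv; raises PermissionError when the policy forbids the launch."""
    argv = ["docker", "run", "--rm"]
    argv += user_flags(image_passwd, run_as_user, remap_whitelist)
    argv += mount_flags(mounts)
    argv.append(image)
    argv += list(command)
    return argv


if __name__ == "__main__":
    # Constructed host paths: the shared filecache stays read-only, the container's own
    # working directory stays writable.
    mounts = [
        Mount("/hadoop/yarn/filecache", "/filecache", writable=False),
        Mount("/hadoop/yarn/appcache/container_1", "/work", writable=True),
    ]
    whitelist = {"alice"}
    for user in ("postgres", "alice", "bob"):
        try:
            argv = build_docker_run("postgres:9.6", SAMPLE_IMAGE_PASSWD, user, whitelist, mounts, ["sleep", "1"])
            print(f"{user}: {shlex.join(argv)}")
        except PermissionError as exc:
            print(f"{user}: refused ({exc})")
```

Running the module prints one line per sample user: `postgres` is launched with `--user postgres` because the image defines that account, `alice` is launched without `--user` because she is whitelisted, and `bob` is refused. The refusal is the important branch: without it, an unlisted user whose name is missing from the image would fall through to the image's default user, which is exactly the squashing bypass the whitelist is meant to gate.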



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
