hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
Date Tue, 07 Mar 2017 17:43:38 GMT

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15899828#comment-15899828

Eric Badger commented on YARN-4266:

[~tangzhankun], thanks for pointing that out. I hadn't seen that conversation. 

It seems that the major issue with using --user=UID:GID is that there is no username. But
is there any reason that we can't just add in an environment variable to the docker run command
that is set to the username and then run a usermod to change the username of the associated
UID? Usernames are just cosmetic and everything is done via UIDs, so I don't think it makes
sense to run the docker container based on a username. 

Something like:
{{docker run --user=2000 -e USERNAME=\*username crafted in code\*}}

And then in the container startup command (with the container running as root):
{{usermod -l $USERNAME $(getent passwd "1001" | cut -d: -f1) && su $USERNAME}}

There are probably more efficient ways to do this, but this is just a general idea and proof
of concept. 

The main problem that I can see with this method is if there is already a user in the image
associated with the UID of the user on the host. In that case, we would need to remap the
UID of the user in the image to something different before we could do the usermod (or else
we would have potential permissions issues inside the container). However, this would also
be easy to do. 

[~sidharta-s], [~templedf], [~vvasudev], [~zyluo], you were all very active on YARN-5360.
Do you have any thoughts on the approach above given my explanation?

> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Zhankun Tang
>         Attachments: YARN-4266.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
container processes should run as. We use this mechanism today when launching docker containers
. In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
and in secure mode, as the submitting user. However, this mechanism breaks down with a large
number of 'pre-created' images which don't necessarily have the users available within the
image. Examples of such images include shared images that need to be used by multiple users.
We need a way in which we can allow a pre-defined set of users to run containers based on
existing images, without using the --user switch. There are some implications of disabling
this user squashing that we'll need to work through : log aggregation, artifact deletion etc.,

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message