hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4266) Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
Date Wed, 28 Jun 2017 12:16:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16066392#comment-16066392
] 

Shane Kumpf commented on YARN-4266:
-----------------------------------

Thanks for taking the time to answer my questions, [~ebadger]. I'm very interested in testing
out the patch when it is ready.

{quote}Yea I'm really not a fan either. I would strongly prefer a better, cleaner solution
to this problem if there is one.{quote}
The intent to YARN-5534 is provide a mount white list, so I believe that should help here.
The initial patch could hard code the bind mount while we test and provide feedback. Hopefully
we can leverage YARN-5534 before this is wrapped up.

{quote}I'm looking into this. I'm hoping that we can get around this so that we can optionally
add the bind mount, but not require it for the --user option. I have not yet tested other
AMs.{quote}
I don't think this is a requirement for the initial version. We could do a a follow on effort
to remove/reduce the need for the bind mounted socket for a known list of AMs, assuming the
behavior can be changed in those AMs.

> Allow whitelisted users to disable user re-mapping/squashing when launching docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: luhuichun
>         Attachments: YARN-4266.001.patch, YARN-4266.001.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
container processes should run as. We use this mechanism today when launching docker containers
. In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
and in secure mode, as the submitting user. However, this mechanism breaks down with a large
number of 'pre-created' images which don't necessarily have the users available within the
image. Examples of such images include shared images that need to be used by multiple users.
We need a way in which we can allow a pre-defined set of users to run containers based on
existing images, without using the --user switch. There are some implications of disabling
this user squashing that we'll need to work through : log aggregation, artifact deletion etc.,



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message