hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-4266) Allow users to enter containers as UID:GID pair instead of by username
Date Tue, 19 Sep 2017 20:32:01 GMT

     [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Badger updated YARN-4266:
------------------------------
    Attachment: YARN-4266.005.patch

Thanks for the review, [~jlowe]

bq. The YarnConfigurationFields and TestDockerContainerRuntime failures are related.
Fixed the tests

bq. On a related note, on my RHEL7 box TestDockerContainerRuntime fails because my user account
is in group wheel. I could see this test failing for others similarly. Do we really want to
limit it to gid>=100 by default? If so, we may want to account for this in the unit test
and adjust the threshold setting appropriately so we're not failing on the wrong thing in
the test.
I think making the uid and gid lower limits 1 and 1 should be ok. This makes everything open
from the start, but allows admins to define limits if they want certain levels of users not
to be allowed to run containers. So setting the uid and gid to 1 and 1. 

bq. Nit: In DockerLinuxContainerRuntime it would be nice if it was consistent with the treatment
of other YarnConfiguration constants. Other uses just qualify them with YarnConfiguration
rather than import them directly.
Fixed

> Allow users to enter containers as UID:GID pair instead of by username
> ----------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: luhuichun
>         Attachments: YARN-4266.001.patch, YARN-4266.001.patch, YARN-4266.002.patch, YARN-4266.003.patch,
> YARN-4266.004.patch, YARN-4266.005.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf,
> YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
> container processes should run as. We use this mechanism today when launching docker containers.
> In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
> and in secure mode, as the submitting user. However, this mechanism breaks down with a large
> number of 'pre-created' images which don't necessarily have the users available within the
> image. Examples of such images include shared images that need to be used by multiple users.
> We need a way in which we can allow a pre-defined set of users to run containers based on
> existing images, without using the --user switch. There are some implications of disabling
> this user squashing that we'll need to work through: log aggregation, artifact deletion, etc.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
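
The uid/gid lower-limit check discussed in this message, as an added shell example that is not part of the original message or of any YARN-4266 patch. The function names, the argument order, the rule that every listed gid must clear the minimum, and the sample ids (including gid 10 for wheel) are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not code from YARN-4266. All names are hypothetical.

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# docker_user_arg UID "GID [GID...]" MIN_UID MIN_GID
# Prints "--user=UID:GID" for Docker's --user switch (the first GID is
# treated as the primary group) when the uid and every gid are numeric and
# at or above the configured minimums. Returns 1 with a reason on stderr
# otherwise, so a caller never builds a docker command from rejected ids.
docker_user_arg() {
    dua_uid=$1 dua_gids=$2 dua_min_uid=$3 dua_min_gid=$4
    for dua_v in "$dua_uid" "$dua_min_uid" "$dua_min_gid"; do
        is_uint "$dua_v" || { echo "non-numeric value: '$dua_v'" >&2; return 1; }
    done
    # Reject anything but digits and spaces before the list is word-split.
    case "$dua_gids" in
        ''|*[!0-9\ ]*) echo "gid list must be space-separated integers" >&2; return 1 ;;
    esac
    if [ "$dua_uid" -lt "$dua_min_uid" ]; then
        echo "uid $dua_uid is below minimum $dua_min_uid" >&2
        return 1
    fi
    dua_primary=
    for dua_g in $dua_gids; do
        if [ "$dua_g" -lt "$dua_min_gid" ]; then
            echo "gid $dua_g is below minimum $dua_min_gid" >&2
            return 1
        fi
        [ -n "$dua_primary" ] || dua_primary=$dua_g
    done
    [ -n "$dua_primary" ] || { echo "no gid supplied" >&2; return 1; }
    printf '%s\n' "--user=$dua_uid:$dua_primary"
}

# Constructed sample: uid 1000, primary gid 1000, also in wheel (gid 10).
#   docker_user_arg 1000 "1000 10" 1 100   -> rejected (gid 10 < 100)
#   docker_user_arg 1000 "1000 10" 1 1     -> --user=1000:1000
```

With both minimums at 1, only uid 0 and gid 0 are refused, which matches the "open from the start" default proposed in the message while still letting an admin raise either limit.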
