hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7430) User and Group mapping are incorrect in docker container
Date Thu, 09 Nov 2017 03:04:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16245139#comment-16245139 ]

Eric Badger edited comment on YARN-7430 at 11/9/17 3:03 AM:
------------------------------------------------------------

[~eyang], if the application is running as root inside of the container then all of the logs
that it writes as part of that application (syslog, stderr, stdout) will be owned by root.
When the NM tries to aggregate them, it won't have permission. It also won't be able to delete
them. So log aggregation will fail. Other than the fact that log aggregation failing is bad,
this will eventually cause the disks to fill up. 


was (Author: ebadger):
[~aceric], if the application is running as root inside of the container then all of the logs
that it writes as part of that application (syslog, stderr, stdout) will be owned by root.
When the NM tries to aggregate them, it won't have permission. It also won't be able to delete
them. So log aggregation will fail. Other than the fact that log aggregation failing is bad,
this will eventually cause the disks to fill up. 

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to enforce
> user and group for the running user.  In YARN-6623, this translated to --user=test --group-add=group1.
> The code no longer enforces group correctly for launched process.
> In addition, the implementation in YARN-6623 requires the user and group information
> to exist in the container to translate username and group to uid/gid.  For users on LDAP, there
> is no good way to populate the container with user and group information.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
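
Added example, not part of the original message or of the attached YARN patch: one way to build numeric `--user`/`--group-add` arguments on the host, so that the container needs no passwd or group entries and the launched process does not write root-owned logs. The function name, the injectable lookup parameters, the uid 0 refusal and the sample user are assumptions made for this sketch.

```python
import os
import pwd
import types
from typing import Callable, List, Sequence


def docker_identity_args(
    username: str,
    getpwnam: Callable = pwd.getpwnam,
    getgrouplist: Callable[[str, int], Sequence[int]] = os.getgrouplist,
) -> List[str]:
    """Resolve `username` on the host and return numeric docker run flags.

    The default lookups go through the host's name service (so LDAP-backed
    users resolve there); the container itself needs no matching
    /etc/passwd or /etc/group entries because only numbers are passed.
    """
    entry = getpwnam(username)  # raises KeyError for an unknown user
    uid, primary_gid = entry.pw_uid, entry.pw_gid
    if uid == 0:
        # Choice made for this example: a root process would leave
        # root-owned logs that the NM cannot aggregate or delete.
        raise ValueError(f"{username!r} maps to uid 0; refusing to run as root")
    args = [f"--user={uid}:{primary_gid}"]
    # Supplementary groups as numeric gids, primary group excluded,
    # sorted so the generated command line is reproducible.
    extra = sorted(set(getgrouplist(username, primary_gid)) - {primary_gid})
    args.extend(f"--group-add={gid}" for gid in extra)
    return args


if __name__ == "__main__":
    # Constructed sample: user "test" with uid/gid 1001 and one extra group.
    fake_pw = lambda name: types.SimpleNamespace(pw_uid=1001, pw_gid=1001)
    fake_groups = lambda name, gid: [1001, 2000]
    print(" ".join(docker_identity_args("test", fake_pw, fake_groups)))
```
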
