hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7430) User and Group mapping are incorrect in docker container
Date Mon, 13 Nov 2017 16:38:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249796#comment-16249796 ]

Eric Badger commented on YARN-7430:

> This will redirect docker output by the shell script. It depends on who spawned the shell,
> and the resulting log output would be owned by the user who spawned the shell. Root user can
> potentially end up with a file owned by root user, which you stated cannot be cleaned

Right, but that's only for stuff written to stdout/stderr. What about the logs written via
log4j or some other logging plugin? These won't be written out to stdout/stderr and will instead
most likely be written to a file. This file will be owned by whoever is running the process,
which would be root in the case of a root docker container. Now it's possible that we could
leverage the container-executor to do log aggregation and clean up the logs on the node, but
that would require extra changes. The only other argument I can see here is that anything
written by a root container should be cleaned up properly by that root user, since no other
users should be able to touch it.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to enforce
> user and group for the running user. In YARN-6623, this translated to --user=test --group-add=group1.
> The code no longer enforces group correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group information
> to exist in the container to translate username and group to uid/gid. For users on LDAP, there
> is no good way to populate the container with user and group information.
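The two points raised in this thread, numeric uid/gid enforcement so the image needs no matching passwd/group entries (the YARN-4266 recommendation and the LDAP problem in the description) and root-owned log files that the node-manager user cannot later delete (Eric Badger's comment), as an added shell example. This is not code from the JIRA thread or from Hadoop's container-executor; the function names, the flag layout it prints and the use of `find -user` with a numeric id are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of YARN-7430 or of Hadoop's container-executor.
# Resolve a user's identity on the HOST with id(1) and emit numeric
# "docker run" flags, so the container image does not need /etc/passwd
# or /etc/group entries for that user (the LDAP case in the issue).
# Output shape "--user=UID:GID --group-add=GID ..." is an assumption.
docker_identity_flags() {
    user="$1"
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; }
    gid=$(id -g "$user")
    flags="--user=${uid}:${gid}"
    # Supplementary groups are passed by number too, one --group-add each;
    # the primary group is already enforced by --user, so skip it.
    for g in $(id -G "$user"); do
        [ "$g" = "$gid" ] && continue
        flags="$flags --group-add=$g"
    done
    printf '%s\n' "$flags"
}

# Post-run check for the log-cleanup problem from the comment above: list
# files under a container's log directory that are NOT owned by the expected
# uid (e.g. log4j output written by a root container). Such files cannot be
# removed by the node-manager user and need a privileged cleanup path.
# POSIX find(1) treats a numeric -user argument as a uid when no account
# has that name.
find_foreign_owned() {
    dir="$1"
    expected_uid="$2"
    find "$dir" -type f ! -user "$expected_uid" 2>/dev/null
}

# Stand-alone usage: print the flags for the invoking user and audit a
# constructed log directory for files it does not own.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED_FOR_TEST" ]; then
    docker_identity_flags "$(id -un)"
    tmp=$(mktemp -d) && : > "$tmp/syslog" && find_foreign_owned "$tmp" "$(id -u)"
    rm -rf "$tmp"
fi
```

`find_foreign_owned` returning nothing is the healthy state; every path it prints is a file the unprivileged cleanup will fail on, which is exactly the case the comment describes for loggers that bypass stdout/stderr.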
