hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7446) Docker container privileged mode and --user flag contradict each other
Date Mon, 26 Feb 2018 15:30:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16377036#comment-16377036 ]

Eric Badger commented on YARN-7446:
-----------------------------------

bq. I can't move the free to end of the function for both free statements in this patch because
there are other return conditions that could happen before end of the function.

I suppose that's true. Some functions use a label for freeing all of the allocated memory
and some explicitly free each item before return. The {{get_docker_run_command()}} function
is pretty inconsistent here since it has multiple places where it returns and doesn't free
anything. This should probably be fixed, but is outside of the scope of this JIRA.

+1 (non-binding) on the latest patch


> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch, YARN-7446.002.patch, YARN-7446.003.patch, YARN-7446.004.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also passed to docker
> for launching the container. In reality, the container has no way to use root privileges unless
> there is a sticky bit or sudoers in the image for the specified user to gain privileges again.
> To avoid duplication of dropping and reacquiring root privileges, we can reduce the duplication
> of specifying both flags. When privileged mode is enabled, the --user flag should be omitted.
> When non-privileged mode is enabled, the --user flag is supplied.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
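
Added example (not part of the original message, and not Hadoop's container-executor code): a minimal sketch of the single cleanup-label style mentioned in the comment, applied to the rule from the issue description that --privileged and --user are never emitted together. The function name build_run_command() and its parameters are hypothetical, and the inputs are assumed to be validated by the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Hadoop's get_docker_run_command()).
 * Returns a malloc'd command line the caller must free, or NULL on error.
 * Assumes image and user were validated by the caller. */
char *build_run_command(const char *image, const char *user, int privileged) {
    char *flag = NULL;    /* start every owned pointer at NULL so that */
    char *cmd = NULL;     /* free() in the cleanup block is always safe */
    char *result = NULL;
    size_t len;

    if (image == NULL || image[0] == '\0') {
        goto cleanup;
    }
    if (privileged) {
        /* Privileged mode: --user is omitted entirely. */
        len = strlen("--privileged") + 1;
        flag = malloc(len);
        if (flag == NULL) goto cleanup;
        snprintf(flag, len, "--privileged");
    } else {
        /* Non-privileged mode: --user is mandatory. */
        if (user == NULL || user[0] == '\0') goto cleanup;
        len = strlen("--user=") + strlen(user) + 1;
        flag = malloc(len);
        if (flag == NULL) goto cleanup;
        snprintf(flag, len, "--user=%s", user);
    }
    len = strlen("docker run ") + strlen(flag) + 1 + strlen(image) + 1;
    cmd = malloc(len);
    if (cmd == NULL) goto cleanup;   /* flag is still released below */
    snprintf(cmd, len, "docker run %s %s", flag, image);
    result = cmd;    /* ownership passes to the caller */
    cmd = NULL;
cleanup:
    /* Single exit path: every early return above lands here. */
    free(flag);
    free(cmd);
    return result;
}
```

Because every error path jumps to the same label, adding another allocation later only requires one more free() in the cleanup block rather than one per return statement.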

