hadoop-yarn-issues mailing list archives

From "Billie Rinaldi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7446) Docker container privileged mode and --user flag contradict each other
Date Tue, 27 Feb 2018 22:32:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379403#comment-16379403 ]

Billie Rinaldi commented on YARN-7446:
--------------------------------------

I am +1 for patch 004. I am thinking of committing this to trunk and then marking YARN-7654
as a blocker for 3.2.0. After this patch is applied, there is an issue with images that have
a USER command specified in their Dockerfile. If you try to run privileged containers for
these images, the container will fail because the user won't have permission to execute the
launch_container.sh script. This should no longer be an issue once we move away from having
a launch script for Docker containers.

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch, YARN-7446.002.patch, YARN-7446.003.patch, YARN-7446.004.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also passed to docker
> for launching the container.  In reality, the container has no way to use root privileges unless
> there is a sticky bit or sudoers in the image for the specified user to gain privileges again.
> To avoid duplication of dropping and reacquiring root privileges, we can reduce the duplication
> of specifying both flags.  When privileged mode is enabled, the --user flag should be omitted.
> When non-privileged mode is enabled, the --user flag is supplied.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
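
An added example, not part of the original message or of the Hadoop code base: once --user is omitted for privileged containers, the process runs as whatever user the image itself declares, which is the case the comment above flags for images with a USER instruction. This Python check reads a Dockerfile and reports that user; the function names and sample Dockerfiles are constructed for illustration, and a stage without USER inherits the base image's user, which the Dockerfile alone does not reveal.

```python
import re

def final_stage_user(dockerfile_text):
    """Return the USER value in effect at the end of the last build stage,
    or None when that stage sets no USER (it inherits the base image's)."""
    # Join backslash line continuations (assumes the default escape character).
    text = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile_text)
    user = None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            user = None              # each new stage starts from its base image
        elif instr == "USER" and len(parts) == 2:
            user = parts[1].strip()  # the last USER in a stage wins
    return user

def check_privileged_launch(dockerfile_text):
    """Classify who a privileged container (launched without --user) runs as."""
    user = final_stage_user(dockerfile_text)
    if user is None:
        return ("inherits-base-user", None)
    if "$" in user:
        return ("unresolved-variable", user)   # e.g. USER ${APP_USER}
    name = user.split(":", 1)[0]               # USER may be user:group or uid:gid
    return ("root" if name in ("root", "0") else "non-root", user)

# Constructed sample Dockerfiles (not taken from the issue).
MULTI_STAGE = """\
FROM golang:1.21 AS build
USER builder
RUN go build -o /app \\
    ./cmd/app
FROM centos:7
RUN useradd -u 1001 appuser
USER appuser:appuser
CMD ["/app"]
"""
RESET_TO_ROOT = "FROM centos:7\nUSER appuser\nRUN id\nuser 0:0\n"
NO_USER = "FROM centos:7\nCMD [\"/bin/true\"]\n"

if __name__ == "__main__":
    for label, df in (("multi-stage", MULTI_STAGE), ("reset", RESET_TO_ROOT), ("none", NO_USER)):
        print(label, check_privileged_launch(df))
```

For an image that is already built, `docker image inspect --format '{{.Config.User}}' IMAGE` reports the same setting, including any USER inherited from the base image.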

