From: "Eric Yang (JIRA)"
To: yarn-issues@hadoop.apache.org
Date: Wed, 7 Feb 2018 18:48:00 +0000 (UTC)
Subject: [jira] [Updated] (YARN-7446) Docker container privileged mode and --user flag contradict each other

[ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang updated YARN-7446:
----------------------------
    Attachment: YARN-7446.002.patch

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch, YARN-7446.002.patch
>
>
> In the current implementation, when privileged=true, --user flag is also passed to docker for launching container. In reality, the container has no way to use root privileges unless there is a sticky bit or sudoers in the image for the specified user to gain privileges again.
> To avoid duplication of dropping and reacquiring root privileges, we can reduce the duplication of specifying both flags. When privileged mode is enabled, --user flag should be omitted. When non-privileged mode is enabled, --user flag is supplied.