Date: Mon, 12 Feb 2018 17:22:00 +0000 (UTC)
From: "Eric Badger (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Comment Edited] (YARN-7446) Docker container privileged mode and --user flag contradict each other

[ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361107#comment-16361107 ]

Eric Badger edited comment on YARN-7446 at 2/12/18 5:21 PM:
------------------------------------------------------------

Another thing I just found while testing out YARN-7221 is that this patch doesn't remove the {{--group-add}} calls, which accompany the {{--user}}. Those should be disabled as well.

was (Author: ebadger):
Another thing I just found while testing out YARN-7221 is that this patch doesn't remove the "--group-add" calls, which accompany the "--user". Those should be disabled as well.

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch, YARN-7446.002.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also passed to docker when launching the container. In reality, the container has no way to use root privileges unless there is a sticky bit or sudoers in the image for the specified user to gain privileges again. To avoid the duplication of dropping and reacquiring root privileges, we can reduce the duplication of specifying both flags. When privileged mode is enabled, the --user flag should be omitted. When non-privileged mode is enabled, the --user flag is supplied.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
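The flag handling the issue and the comment describe, as an added example that is not YARN's own code and not from either commenter: a builder that emits --user and the accompanying --group-add flags only for non-privileged containers, plus an audit check that flags an already-assembled docker command line carrying the contradictory combination. Function names are assumptions.

```python
"""Added illustration for YARN-7446 (not YARN's container-executor code).

A privileged container runs as root whatever --user says, so passing
--user (and the --group-add flags that go with it) next to --privileged
only looks like a privilege drop. The builder below omits both flags in
privileged mode; the audit function finds the contradiction in an
existing argument list, e.g. when reviewing launch commands in logs.
"""
from typing import List, Optional


def build_docker_run_args(image: str, privileged: bool, user: Optional[str],
                          groups: Optional[List[str]] = None) -> List[str]:
    """Assemble `docker run` arguments as the issue proposes.

    --user and its --group-add flags are emitted only for non-privileged
    containers; in privileged mode they are dropped entirely.
    """
    args = ["docker", "run"]
    if privileged:
        args.append("--privileged")
    elif user:
        args += ["--user", user]
        for group in groups or []:          # --group-add accompanies --user
            args += ["--group-add", group]
    args.append(image)
    return args


def find_privilege_contradiction(args: List[str]) -> List[str]:
    """Return the flags that contradict --privileged in an existing command.

    Both '--user foo' and '--user=foo' spellings are recognised; an empty
    list means the command is consistent with the issue's rule.
    """
    if "--privileged" not in args:
        return []
    found = []
    for arg in args:
        for flag in ("--user", "--group-add"):
            if arg == flag or arg.startswith(flag + "="):
                found.append(flag)
    return found
```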