hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8241) MRAppMaster fails when using UID:GID pair within docker container
Date Wed, 02 May 2018 22:53:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461706#comment-16461706

Eric Yang commented on YARN-8241:

There are two possible solutions for this problem:

Option 1) Automatically detect existence of sssd or nscd socket, and bind-mount the socket
into container.

 Simple to implement. [Online tutorial|https://jhrozek.wordpress.com/2015/03/31/authenticating-a-docker-container-against-hosts-unix-accounts/]
covers how to do this.
 The image must be built with sssd client or nscd libraries for pam to work in addition to
Kerberos setup.

Option 2) Fix UserGroupInformation logic to map to Kerberos subject principal name instead
of Unix Principal name. This will allow high level java code to work without username and
group name.

 Less dependencies. Krb5.conf and keytab are only requirement for this ti work.
 Works for Hadoop related java code, does not work with non-Hadoop workload.

> MRAppMaster fails when using UID:GID pair within docker container
> -----------------------------------------------------------------
>                 Key: YARN-8241
>                 URL: https://issues.apache.org/jira/browse/YARN-8241
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Priority: Major
>              Labels: Docker
> As mentioned in [this comment|https://issues.apache.org/jira/browse/YARN-4266?focusedCommentId=16063931&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16063931],
the MRAppMaster fails for docker containers if there is no additional user lookup strategy
(e.g. bind-mounting /var/run/nscd or /etc/passwd). We need a better solution so that users
can still run even if they are not known inside of the container by name

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message