hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-8241) MRAppMaster fails when using UID:GID pair within docker container
Date Wed, 02 May 2018 22:54:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461706#comment-16461706 ]

Eric Yang edited comment on YARN-8241 at 5/2/18 10:53 PM:
----------------------------------------------------------

There are two possible solutions for this problem:

Option 1) Automatically detect existence of sssd or nscd socket, and bind-mount the socket
into container.

*Pros*
 Simple to implement. [Online tutorial|https://jhrozek.wordpress.com/2015/03/31/authenticating-a-docker-container-against-hosts-unix-accounts/]
covers how to do this.
 *Cons*
 The image must be built with sssd client or nscd libraries for pam to work in addition to
Kerberos setup.

Option 2) Fix UserGroupInformation logic to map to Kerberos subject principal name instead
of Unix Principal name. This will allow high level java code to work without username and
group name.

*Pros*
 Fewer dependencies. Krb5.conf and keytab are the only requirements for this to work.
 *Cons*
 Works for Hadoop related java code, does not work with non-Hadoop workload.


was (Author: eyang):
There are two possible solutions for this problem:

Option 1) Automatically detect existence of sssd or nscd socket, and bind-mount the socket
into container.

*Pros*
 Simple to implement. [Online tutorial|https://jhrozek.wordpress.com/2015/03/31/authenticating-a-docker-container-against-hosts-unix-accounts/]
covers how to do this.
*Cons*
 The image must be built with sssd client or nscd libraries for pam to work in addition to
Kerberos setup.

Option 2) Fix UserGroupInformation logic to map to Kerberos subject principal name instead
of Unix Principal name. This will allow high level java code to work without username and
group name.

*Pros*
 Fewer dependencies. Krb5.conf and keytab are the only requirements for this to work.
 *Cons*
 Works for Hadoop related java code, does not work with non-Hadoop workload.

> MRAppMaster fails when using UID:GID pair within docker container
> -----------------------------------------------------------------
>
>                 Key: YARN-8241
>                 URL: https://issues.apache.org/jira/browse/YARN-8241
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Priority: Major
>              Labels: Docker
>
> As mentioned in [this comment|https://issues.apache.org/jira/browse/YARN-4266?focusedCommentId=16063931&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16063931],
> the MRAppMaster fails for docker containers if there is no additional user lookup strategy
> (e.g. bind-mounting /var/run/nscd or /etc/passwd). We need a better solution so that users
> can still run even if they are not known inside of the container by name



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
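
The detection step of Option 1, sketched as an added shell example (not part of the JIRA comment and not Hadoop's own code). The socket paths are the usual nscd and sssd defaults, which is an assumption about the host, and the ROOT argument is a hypothetical hook for exercising the check against a scratch directory.

```shell
#!/bin/sh
# Added example: detect the host's NSS caching-daemon sockets and emit the
# docker bind-mount arguments for them.

# Default socket locations for nscd and sssd (assumed; adjust per distro).
NSS_SOCKETS="/var/run/nscd/socket /var/lib/sss/pipes/nss"

# nss_socket_mounts [ROOT]
# Prints one "-v HOSTDIR:CONTAINERDIR" line per detected socket.
# ROOT is a hypothetical prefix for testing; leave it empty on a real host.
nss_socket_mounts() {
    root=${1:-}
    for sock in $NSS_SOCKETS; do
        host_sock="$root$sock"
        # -S is true only for a UNIX socket, so a leftover regular file or
        # an empty directory from a removed daemon is skipped.
        [ -S "$host_sock" ] || continue
        # Mount the parent directory rather than the socket file: a file
        # bind mount pins the old inode and goes stale when the daemon
        # restarts and recreates its socket.
        printf '%s %s:%s\n' -v "${host_sock%/*}" "${sock%/*}"
    done
}

# Example use (IMAGE is a placeholder):
#   docker run $(nss_socket_mounts) --user "$(id -u):$(id -g)" IMAGE id
```

As the comment's *Cons* for Option 1 states, the mount only helps if the image carries the matching sssd client or nscd libraries.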
