hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-8922) Fix test-container-executor
Date Fri, 19 Oct 2018 21:40:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16657472#comment-16657472
] 

Eric Yang edited comment on YARN-8922 at 10/19/18 9:39 PM:
-----------------------------------------------------------

The code base may have years of evolution that made some modes of operation irrelevant.  There
are two modes that container-executor operates in:

In non-secure mode
yarn user = yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (nobody)
user = user who submitted the app.

In secure mode
yarn user = yarn (or the user who runs node manager)
user = user who submitted the app

When the unit test is running as a normal user, the non-secure mode is exercised.  Additional tests
will be triggered for secure mode validations if the unit test is running as the root user.

I think deleting /tmp/test-container-executor after test-container-executor has completed is probably
a good enough option to solve the unit test problem.  However, 755 must be enforced for
the yarn local dir to prevent security problems, and /tmp/test-container-executor seems like a
prefix of the yarn local dir.  Without enforcing 755, it is a security hole as well.


was (Author: eyang):
The code base may have years of evolution that made some modes of operation irrelevant.  There
are two modes that container-executor operates in:

In non-secure mode
yarn user = yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user (nobody)
user = user who submitted the app.

In secure mode
yarn user = yarn (or the user who runs node manager)
user = user who submitted the app

When the unit test is running as a normal user, the non-secure mode is exercised.  Additional tests
will be triggered for secure mode validations if the unit test is running as the root user.

I think deleting /tmp/test-container-executor after test-container-executor has completed is probably
the better option to solve the unit test problem.

> Fix test-container-executor
> ---------------------------
>
>                 Key: YARN-8922
>                 URL: https://issues.apache.org/jira/browse/YARN-8922
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: test
>    Affects Versions: 3.3.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Major
>         Attachments: YARN-8922.001.patch
>
>
> YARN-8448 attempted to fix the {{test-container-executor}} C test to be able to run
> as root.  The test claims that it should be possible to run as root; in fact, there are some
> tests that only run if you use root.
> One of the fixes was to change the permissions of the test's config dir to 0777 from
> 0755.  The problem was that the directory was owned by root, but then other users would need
> to write files/directories under it, which would fail with 0755.  YARN-8448 fixed this by
> making it 0777.  However, this breaks running cetest because it expects the directory to be
> 0755, and it's run afterwards.
> The proper fix for all this is to leave the directory at 0755, but to make sure it's
> owned by the "nodemanager" user.  Confusingly, in {{test-container-executor}}, that appears
> to be the {{username}} and not the {{yarn_username}} (i.e. {{username}} is the user running
> the NM while {{yarn_username}} is just some user running a Yarn app).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
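
The ownership-plus-0755 requirement discussed in this message, as an added example (not Hadoop's container-executor code and not part of the original e-mail): a check that accepts a directory only if it is a real directory, owned by the expected user, with mode exactly 0755. The function names and the scratch path under /tmp are hypothetical.

```c
#define _XOPEN_SOURCE 700 /* for lstat() and mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not container-executor's API. */
enum dir_check { DIR_OK, DIR_STAT_FAILED, DIR_NOT_DIRECTORY,
                 DIR_WRONG_OWNER, DIR_WRONG_MODE };

/* Accept path only if it is a real directory (not a symlink), owned by
 * expected_owner, with permission bits exactly 0755. */
enum dir_check check_local_dir(const char *path, uid_t expected_owner) {
  struct stat sb;
  if (lstat(path, &sb) != 0) return DIR_STAT_FAILED;
  if (!S_ISDIR(sb.st_mode)) return DIR_NOT_DIRECTORY;
  if (sb.st_uid != expected_owner) return DIR_WRONG_OWNER;
  /* 07777 also covers setuid/setgid/sticky, so 01755 and 0777 both fail. */
  if ((sb.st_mode & 07777) != 0755) return DIR_WRONG_MODE;
  return DIR_OK;
}

/* Create a constructed scratch directory with the given mode, check it,
 * and remove it again. */
enum dir_check check_scratch_dir(mode_t mode, uid_t expected_owner) {
  char path[] = "/tmp/dir-check-XXXXXX";
  enum dir_check result = DIR_STAT_FAILED;
  if (mkdtemp(path) == NULL) return result;
  if (chmod(path, mode) == 0) result = check_local_dir(path, expected_owner);
  rmdir(path);
  return result;
}

int main(void) {
  uid_t me = geteuid();
  printf("0755, right owner: %d\n", check_scratch_dir(0755, me));
  printf("0777, right owner: %d\n", check_scratch_dir(0777, me));
  printf("0755, wrong owner: %d\n", check_scratch_dir(0755, me + 1));
  return 0;
}
```

Using `lstat` rather than `stat` means a symlink planted at a path under /tmp is rejected instead of being followed to a directory that happens to pass the check.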