Sidharta Seethana, Great thanks for reviewing this!
Like I mentioned in a earlier comment, the usermod operation only makes changes to the home directory and not elsewhere in the image. Modifying the rest of the image is not scalable and could significantly slow down the launch of every container where we go down this path.
Yes. Agree with this. This is a drawback that we cannot avoid at present.
Running this usermod operation also requires that launch_container.sh be launched as a privileged user. Also, note that running docker run --pid=host … bash ../launch_container.sh $newUID $containerUsername does not guarantee that launch_container.sh as described here will work correctly - if the image has a ‘USER’ directive, launch_container.sh will be run as that user and that user might not have privileges to run a usermod operation.
You might missed the part in the patch that we'll use "--user=root" to guarantee successful "usermod". We first inspect the Docker image, if it setup a non-root user and wants to run with it, we'll use "--user=root". If the setup user in image is root, we'll just let it go.
In addition, I don’t believe we should be using —pid=host. This exposes other containers’s processes into this container - which will break isolation and possibly behavior for certain applications (applications that assume a single instance is running on a ’node’, for example).
thanks for pointing this. I forget to delete this when I'm trying different implementation(sudo issue if I remember correctly). I have a double-check and --pid=host is not needed.
Lastly, adding more commands that run inside the container (usermod in this case) adds even more requirements for the docker image being launched : we already require that bash, find, ls etc be present in the image.
This usermod is installed by default in most distributions I guess. Since we already require several commands in the image, why cannot we document this too?
IMO, this is the light-weight way that can work securely and won't break down the log staff. The drawbacks are:
1. usermod is a requirement in Docker image
2. usermod only changes the UID of files in home directory.
I indeed got some complaint about current user remapping from customer. So I think this JIRA is an important feature to make YARN a good supporter for container(Docker and others maybe) and possibly not only big data Docker images. We should invite more people on this. Daniel Templeton, Varun Vasudev, Shane Kumpf, Zhongyue Nah?