Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-3611 Support Docker Containers In LinuxContainerExecutor
  3. YARN-4266

Allow users to enter containers as UID:GID pair instead of by username

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.9.0, 3.0.0-beta1
    • yarn
    • Reviewed

    Description

      Docker provides a mechanism (the --user switch) that enables us to specify the user the container processes should run as. We use this mechanism today when launching docker containers . In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in secure mode, as the submitting user. However, this mechanism breaks down with a large number of 'pre-created' images which don't necessarily have the users available within the image. Examples of such images include shared images that need to be used by multiple users. We need a way in which we can allow a pre-defined set of users to run containers based on existing images, without using the --user switch. There are some implications of disabling this user squashing that we'll need to work through : log aggregation, artifact deletion etc.,

      Attachments

        1. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf
          75 kB
          Zhankun Tang
        2. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf
          77 kB
          Zhankun Tang
        3. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf
          69 kB
          Zhankun Tang
        4. YARN-4266.001.patch
          5 kB
          luhuichun
        5. YARN-4266.001.patch
          10 kB
          Zhankun Tang
        6. YARN-4266.002.patch
          16 kB
          Eric Badger
        7. YARN-4266.003.patch
          16 kB
          Eric Badger
        8. YARN-4266.004.patch
          16 kB
          Eric Badger
        9. YARN-4266.005.patch
          17 kB
          Eric Badger
        10. YARN-4266.006.patch
          17 kB
          Eric Badger
        11. YARN-4266-branch-2.8.001.patch
          12 kB
          Zhankun Tang

        Issue Links

          blocks

          Sub-task - The sub-task of the issue YARN-7221 Add security check for privileged docker container

          • Major - Major loss of function.
          • Resolved
          duplicates

          Sub-task - The sub-task of the issue YARN-5360 Decouple host user and Docker container user

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              luhuichun luhuichun
              sidharta-s Sidharta Seethana
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: