Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-3611 Support Docker Containers In LinuxContainerExecutor
  3. YARN-4266

Allow users to enter containers as UID:GID pair instead of by username

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.0, 3.0.0-beta1
    • Component/s: yarn
    • Labels:
    • Hadoop Flags:
      Reviewed

      Description

      Docker provides a mechanism (the --user switch) that enables us to specify the user the container processes should run as. We use this mechanism today when launching docker containers . In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in secure mode, as the submitting user. However, this mechanism breaks down with a large number of 'pre-created' images which don't necessarily have the users available within the image. Examples of such images include shared images that need to be used by multiple users. We need a way in which we can allow a pre-defined set of users to run containers based on existing images, without using the --user switch. There are some implications of disabling this user squashing that we'll need to work through : log aggregation, artifact deletion etc.,

        Attachments

        1. YARN-4266-branch-2.8.001.patch
          12 kB
          Zhankun Tang
        2. YARN-4266.006.patch
          17 kB
          Eric Badger
        3. YARN-4266.005.patch
          17 kB
          Eric Badger
        4. YARN-4266.004.patch
          16 kB
          Eric Badger
        5. YARN-4266.003.patch
          16 kB
          Eric Badger
        6. YARN-4266.002.patch
          16 kB
          Eric Badger
        7. YARN-4266.001.patch
          10 kB
          Zhankun Tang
        8. YARN-4266.001.patch
          5 kB
          luhuichun
        9. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf
          69 kB
          Zhankun Tang
        10. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf
          77 kB
          Zhankun Tang
        11. YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf
          75 kB
          Zhankun Tang

          Issue Links

          blocks

          Sub-task - The sub-task of the issue YARN-7221 Add security check for privileged docker container

          • Major - Major loss of function.
          • Resolved
          duplicates

          Sub-task - The sub-task of the issue YARN-5360 Decouple host user and Docker container user

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                luhuichun luhuichun
                Reporter:
                sidharta-s Sidharta Seethana
              • Votes:
                0 Vote for this issue
                Watchers:
                16 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: