Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-3611 Support Docker Containers In LinuxContainerExecutor
  3. YARN-7446

Docker container privileged mode and --user flag contradict each other

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.0.0, 3.1.0
    • 3.1.0
    • None

    Description

      In the current implementation, when privileged=true, --user flag is also passed to docker for launching container. In reality, the container has no way to use root privileges unless there is sticky bit or sudoers in the image for the specified user to gain privileges again. To avoid duplication of dropping and reacquire root privileges, we can reduce the duplication of specifying both flag. When privileged mode is enabled, --user flag should be omitted. When non-privileged mode is enabled, --user flag is supplied.

      Attachments

        1. YARN-7446.001.patch
          6 kB
          Eric Yang
        2. YARN-7446.002.patch
          6 kB
          Eric Yang
        3. YARN-7446.003.patch
          7 kB
          Eric Yang
        4. YARN-7446.004.patch
          7 kB
          Eric Yang

        Issue Links

          is part of

          Bug - A problem which impairs or prevents the functions of the product. YARN-3611 Support Docker Containers In LinuxContainerExecutor

          • Major - Major loss of function.
          • Resolved
          relates to

          Sub-task - The sub-task of the issue YARN-7654 Support ENTRY_POINT for docker container

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Activity

            People

              eyang Eric Yang
              eyang Eric Yang
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: