If YARN is configured with yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user to restrict YARN workload to run as a specific user only. Container shell does not support this configuration because the workdir directory is owned by local-user. The container shell is intended to launch a bash process owned by the application owner. When bash process owner and current working directory are mismatched. The child process will terminate immediately due to no permission to WORKDIR. It is probably best to report this configuration as not supported rather than allowing application owner to gain all privileges of local-user.