Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Fix Version: 3.3.0
Description
This task is to add support to YARN for running Docker containers in "Service Mode".
Service Mode: run the container as defined by its image, but still allow configuration to be injected.
Background:
- Entrypoint mode helped: the ENV and ENTRYPOINT/CMD defined in the image can now be used. However, official images still require modification because of user propagation.
- User propagation is problematic for running a secure cluster with sssd.
Implementation:
- Must be enabled in c-e.cfg (example: docker.service-mode.allowed=true).
- Must be requested at runtime (example: YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true).
- Entrypoint mode is enabled by default for this mode (if Service Mode is requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be set to true).
- The writable log mount will not be added; stdout logging may still work with entrypoint mode. Remove the writable bind mounts.
- User and groups will not be propagated (now: docker run --user nobody --group-add=nobody .... <image>; after: docker run .... <image>).
- Read-only resources are mounted at the file level; the files get chmod 777, while the parent directory is accessible only by the run-as user.
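As an added illustration (not code from the YARN project or this patch), the shell function below models the service-mode decision described above: the c-e.cfg gate, then the docker run command with and without user propagation and the writable log mount. The minimal cfg reader, the function names and the sample mount paths are constructed for this example; only the cfg key and the env-var name come from the issue.

```shell
#!/usr/bin/env bash
# Illustrative model of YARN Docker "Service Mode" behaviour; not container-executor's code.
set -eu

# Constructed stand-in for reading a key from c-e.cfg; prints "false" when absent.
# Usage: cfg_get FILE KEY
cfg_get() {
  local val
  val=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n1 | cut -d= -f2-)
  echo "${val:-false}"
}

# Builds the docker run command line for one container and prints it.
# Args: CFG_FILE SERVICE_MODE_REQUESTED(true|false) IMAGE
# Returns 1 when service mode is requested (YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
# but docker.service-mode.allowed is not true in c-e.cfg: the admin gate wins.
build_docker_run() {
  local cfg=$1 requested=$2 image=$3
  local allowed
  allowed=$(cfg_get "$cfg" docker.service-mode.allowed)
  if [ "$requested" = true ] && [ "$allowed" != true ]; then
    echo "service mode requested but docker.service-mode.allowed is not true in $cfg" >&2
    return 1
  fi
  local cmd="docker run"
  # Read-only resources are mounted at the file level in both modes (constructed path).
  cmd="$cmd -v /hadoop/yarn/local/filecache/10/app.jar:/hadoop/yarn/local/filecache/10/app.jar:ro"
  if [ "$requested" != true ]; then
    # Default mode: propagate the run-as user/group and bind the writable log dir.
    cmd="$cmd --user nobody --group-add=nobody"
    cmd="$cmd -v /hadoop/yarn/log/application_1/container_1:/hadoop/yarn/log/application_1/container_1:rw"
  fi
  # Service mode: no --user/--group-add and no writable log mount; the image's
  # ENTRYPOINT/CMD run as defined (entrypoint mode), so no command is appended.
  echo "$cmd $image"
}
```

Run with a real c-e.cfg path to see which command the model would emit for a given request, e.g. `build_docker_run /etc/hadoop/container-executor.cfg true library/nginx:stable`.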