[Impala-ASF-CR] IMPALA-8491: Non-root user in container

Thu, 30 May 2019 13:21:14 -0700 

Hello Joe McDonnell, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13451

to look at the new patch set (#3).

Change subject: IMPALA-8491: Non-root user in container
......................................................................

IMPALA-8491: Non-root user in container

Set a default USER in the Dockerfile per best practices so that
consumers of the container don't accidentally run as root.
The default user is "impala" if the container is run in docker
without specifying a user.

Various frameworks, including kubernetes, will run the container with
an arbitrary user and group ID set.

This causes issues with some Hadoop libraries, which depend on the
user having a name. This is generally not the case because inside
the container usernames are resolved with the container's /etc/passwd.

To work around this, the entrypoint script checks if the current
user has a name and if not, assigns it one (either dummyuser or
$HADOOP_USER_NAME).

Remove the umask setting that was required to make logs modifiable
by the host user - this is not needed for our tests since the host
host and container users now match up.

Also run apt-get clean in Dockerfile to reduce cruft in the
image.

Change-Id: I0bea9f44a8199851ed04fbef8caf4a2350ae2c0e
---
M bin/start-impala-cluster.py
M docker/daemon_entrypoint.sh
M docker/impala_base/Dockerfile
3 files changed, 21 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/51/13451/3
--
To view, visit http://gerrit.cloudera.org:8080/13451
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I0bea9f44a8199851ed04fbef8caf4a2350ae2c0e
Gerrit-Change-Number: 13451
Gerrit-PatchSet: 3
Gerrit-Owner: Tim Armstrong <tarmstr...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <joemcdonn...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <tarmstr...@cloudera.com>

Reply via email to