[ 
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249796#comment-16249796
 ] 

Eric Badger commented on YARN-7430:
-----------------------------------

bq. This will redirect docker output by the shell script. It depends on who 
spawned the shell, and the resulting log output would be owned by the user who 
spawned the shell. Root user can potentially end up with a file owned by root 
user, which you stated cannot be cleaned up
Right, but that's only for stuff written to stdout/stderr. What about the logs 
written via log4j or some other logging plugin? These won't be written out to 
stdout/stderr and will instead most likely be written to a file. This file will 
be owned by whoever is running the process, which would be root in the case of 
a root docker container. Now it's possible that we could leverage the 
container-executor to do log aggregation and clean up the logs on the node, but 
that would require extra changes. The only other argument I can see here is 
that anything written by a root container should be cleaned up properly by that 
root user, since no other users should be able to touch it. 
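A host-side check for the situation described in the comment above, added here as an example and not part of the JIRA thread or of Hadoop's code: it walks a container log directory and lists every regular file whose owner differs from the uid the NodeManager runs as, i.e. the files that user could not delete during cleanup. The sample directory and its files are constructed in a temp dir by the current user, so the "foreign owner" case is simulated by passing a different expected uid rather than by actually creating root-owned files.

```python
import os
import pwd
import tempfile
from pathlib import Path


def unowned_files(log_dir, expected_uid):
    """Return (path, owner_uid) for regular files under log_dir whose owner
    is not expected_uid.

    A file written as root from inside a privileged container (log4j output,
    for instance) ends up owned by root on the node; the NodeManager user
    cannot remove it, so it survives log aggregation and cleanup.
    """
    leftovers = []
    for path in sorted(Path(log_dir).rglob("*")):
        # Skip symlinks entirely: a container could point one at a file
        # outside the log directory, and we only want what is really here.
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        if st.st_uid != expected_uid:
            leftovers.append((str(path), st.st_uid))
    return leftovers


def describe(leftovers):
    """Render the audit result as human-readable lines, resolving the uid
    through the host's passwd/NSS lookup where possible."""
    lines = []
    for path, uid in leftovers:
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:
            owner = "uid %d (unknown to host passwd/LDAP)" % uid
        lines.append("%s owned by %s" % (path, owner))
    return lines


def build_sample_log_dir():
    """Constructed sample: a fake container log directory with the usual
    stdout/stderr files plus a log4j-style log file."""
    root = tempfile.mkdtemp(prefix="container_logs_")
    for name in ("stdout", "stderr", "app.log4j.log"):
        Path(root, name).write_text("sample log line\n")
    return root


if __name__ == "__main__":
    sample = build_sample_log_dir()
    # Expected uid is ours, so nothing is flagged.
    print(describe(unowned_files(sample, os.getuid())))
    # Pretend the NodeManager runs as a different uid: all three are flagged.
    print(describe(unowned_files(sample, os.getuid() + 1)))
```

Run it as the NodeManager user against the real container log root to get the list of files that user will fail to remove; an empty list is the healthy state.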


> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user.  In YARN-6623, this translated 
> to --user=test --group-add=group1.  The code no longer enforces the group 
> correctly for the launched process.  
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in the container to translate username and group to uid/gid. 
> For users on LDAP, there is no good way to populate the container with user and 
> group information. 
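The numeric approach the issue description recommends, written out as an added example (not Hadoop's container-executor code): the username and group are resolved to ids on the host, where NSS (local files or LDAP) is configured, and only numeric values are passed to docker run, so the image needs no matching /etc/passwd or /etc/group entries. The --user and --group-add flags are the ones named in the issue; the function names are this example's own.

```python
import grp
import os
import pwd


def resolve_ids(username, groupname=None):
    """Resolve a username (and optional group name) to numeric ids using the
    host's NSS lookup. Returns (uid, gid, supplementary_gids).

    Resolving on the host is the point: an LDAP user has no entry inside the
    container image, so a name-based --user would fail or map to the wrong id.
    """
    pw = pwd.getpwnam(username)
    gid = grp.getgrnam(groupname).gr_gid if groupname else pw.pw_gid
    # All groups the user belongs to on the host, minus the primary one.
    supplementary = sorted(set(os.getgrouplist(username, pw.pw_gid)) - {gid})
    return pw.pw_uid, gid, supplementary


def docker_user_args(username, groupname=None):
    """Build purely numeric docker run flags: --user=uid:gid plus one
    --group-add=gid per supplementary group."""
    uid, gid, extra = resolve_ids(username, groupname)
    args = ["--user=%d:%d" % (uid, gid)]
    args += ["--group-add=%d" % g for g in extra]
    return args


def self_check():
    """Round-trip the current user: the uid we resolve by name must equal
    the uid we are actually running as."""
    me = pwd.getpwuid(os.getuid()).pw_name
    uid, gid, _ = resolve_ids(me)
    return uid == os.getuid() and gid == pwd.getpwnam(me).pw_gid


if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid()).pw_name
    # Hypothetical image and command, only to show the assembled command line.
    print(" ".join(["docker", "run"] + docker_user_args(me) + ["image:tag", "cmd"]))
```

Because every flag is numeric, the process inside the container runs with exactly the host's uid, primary gid and supplementary gids, which is what makes files it writes to bind-mounted log directories owned by the launching user rather than by root.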



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
