[ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249796#comment-16249796 ]
Eric Badger commented on YARN-7430:
-----------------------------------

bq. This will redirect docker output by the shell script. It depends on who spawned the shell, and the resulting log output would be owned by the user who spawned the shell. Root user can potentially end up with a file owned by root user, which you stated cannot be cleaned up.

Right, but that's only for stuff written to stdout/stderr. What about the logs written via log4j or some other logging plugin? These won't be written out to stdout/stderr and will instead most likely be written to a file. This file will be owned by whoever is running the process, which would be root in the case of a root docker container. Now it's possible that we could leverage the container-executor to do log aggregation and clean up the logs on the node, but that would require extra changes. The only other argument I can see here is that anything written by a root container should be cleaned up properly by that root user, since no other users should be able to touch it.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforces group
> correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in the container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate the container with user and
> group information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org