[ 
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16251740#comment-16251740
 ] 

Eric Badger commented on YARN-7430:
-----------------------------------

bq. I'm fine with it. Eric Badger - does it sound ok to you?

I'm less familiar with use cases outside of using uid:gid to enter the 
container. However, I'm wondering if this would cause some other use cases to 
fail. If an image has a user {{foo}} with different uid:gid pairs inside and 
outside of the container or if the user doesn't exist outside of the container, 
then the process may fail due to permissions issues or due to user lookup 
failures. I imagine this might be the case for standing up simple long-running 
services, like a web server or something like that. Basically, enabling uid:gid 
remapping by default will require the docker image and the host to be in sync 
with their users. This isn't currently a requirement and could possibly break 
jobs. Hopefully someone else is more familiar with these cases and can shed 
some more light on whether or not this would break jobs.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch, YARN-7430.png
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to 
> enforce user and group for the running user.  In YARN-6623, this translated 
> to --user=test --group-add=group1.  The code no longer enforces group 
> correctly for launched process.  
> In addition, the implementation in YARN-6623 requires the user and group 
> information to exist in container to translate username and group to uid/gid. 
> For users on LDAP, there is no good way to populate container with user and 
> group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
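
The host/image mismatch raised in the comment above can be checked before uid:gid remapping is turned on. The following is an added example, not part of the original message or of the Hadoop code base: it compares passwd-format user tables from a host and an image and reports users whose uid:gid differ or who exist on only one side. The sample entries and the function names are constructed for illustration.

```python
"""Compare user entries from a host and a container image passwd file."""

# Constructed sample data in /etc/passwd format (name:pw:uid:gid:gecos:home:shell).
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001::/home/foo:/bin/bash
bar:x:20500:20500::/home/bar:/bin/bash
"""

IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
foo:x:500:500::/home/foo:/bin/sh
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Return {username: (uid, gid)}; skip blanks, comments, malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def compare_users(host_text, image_text):
    """Classify every user name seen on either side of the container boundary."""
    host, image = parse_passwd(host_text), parse_passwd(image_text)
    report = {"match": [], "mismatch": [], "host_only": [], "image_only": []}
    for name in sorted(host.keys() | image.keys()):
        if name not in image:
            report["host_only"].append(name)      # no name for this uid in the image
        elif name not in host:
            report["image_only"].append(name)     # user lookup on the host would fail
        elif host[name] == image[name]:
            report["match"].append(name)
        else:
            report["mismatch"].append((name, host[name], image[name]))
    return report


if __name__ == "__main__":
    for kind, entries in compare_users(HOST_PASSWD, IMAGE_PASSWD).items():
        print(f"{kind}: {entries}")
```

Only the `match` entries behave the same with and without remapping; hosts that resolve users through LDAP would need the host table taken from `getent passwd` output rather than the local file.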
