[ https://issues.apache.org/jira/browse/YARN-9860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942699#comment-16942699 ]

Shane Kumpf commented on YARN-9860:
-----------------------------------

{quote}Can you give more clear definition of service mode?
{quote}
To simplify it the best I can, in Service Mode, YARN does not set the user 
(--user and --group-add) when running the container. The rest of the changes 
are in support of dropping the user in this mode. A simple use case where this 
is needed is running the official postgres image without modification. Note 
that this mode is disabled by default to limit any security implications.
{quote}I don't understand the reason to add --user= parameter only when service 
mode is enabled.
{quote}
That code does the opposite of what you stated: the user is only passed when 
service mode is NOT enabled, which is what we want.
{quote}If there are no log directories, how would you attack debugging 
container failures?
{quote}
You are spot on that this will be an issue. The challenge is that if we mount 
the read-write log dirs into the container and the container user isn't the 
user YARN expects, the writes could fail or YARN may be unable to clean up the 
logs. I talked with Craig on this a bit and he had some interesting thoughts on 
how we might handle it with fuse. For the sake of this patch, I didn't want to 
get bogged down in the details there, given this has enough going already. 
Could we address logging in a follow up? In the meantime, with debug delay 
enabled, doing a {{docker logs}} on the exited container will allow admins to 
take a look, since the output redirection typically done by YARN is dropped in 
Service Mode.

I've done extensive testing of an earlier version of this patch and it 
addresses the use case and works as expected. I'm going to do some additional 
testing today with the patch here to make sure there are no regressions. 

> Enable service mode for Docker containers on YARN
> -------------------------------------------------
>
>                 Key: YARN-9860
>                 URL: https://issues.apache.org/jira/browse/YARN-9860
>             Project: Hadoop YARN
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: YARN-9860-001.patch, YARN-9860-002.patch
>
>
> This task is to add support to YARN for running Docker containers in "Service 
> Mode". 
> Service Mode - Run the container as defined by the image, but still allow for 
> injecting configuration. 
> Background:
>   - Entrypoint mode helped - now able to use the ENV and ENTRYPOINT/CMD as 
>     defined in the image. However, still requires modification to official 
>     images due to user propagation
>   - User propagation is problematic for running a secure cluster with sssd
>
> Implementation:
>   - Must be enabled via c-e.cfg (example: docker.service-mode.allowed=true)
>   - Must be requested at runtime (example: 
>     YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE=true)
>   - Entrypoint mode is default enabled for this mode (if Service Mode is 
>     requested, YARN_CONTAINER_RUNTIME_DOCKER_RUN_OVERRIDE_DISABLE should be 
>     set to true)
>   - Writable log mount will not be added - stdout logging may still work 
>     with entrypoint mode - remove the writable bind mounts
>   - User and groups will not be propagated (now: docker run --user nobody 
>     --group-add=nobody .... <image>, after: docker run .... <image>)
>   - Read-only resources mounted at the file level, files get chmod 777, 
>     parent directory only accessible by the run-as user.
> cc [~shaneku...@gmail.com]
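The gating described in the quoted implementation notes and in the comment above (admin allow in c-e.cfg plus a per-container request, and dropping `--user`/`--group-add` and the writable log mount only when both hold), modelled as a small added example that is not Hadoop's own code; the function names, the `PermissionError` on an unapproved request, and the log path and image values are assumptions.

```python
"""Model of the YARN Docker "Service Mode" gating from YARN-9860.

Added illustration, not Hadoop's code: the real logic lives in the Java
DockerLinuxContainerRuntime and the C container-executor. Function names
are hypothetical; the config key and environment variable are the ones
named in the issue.
"""
import shlex

# Admin-side switch, as read from container-executor.cfg (c-e.cfg).
CE_CFG_SERVICE_MODE_KEY = "docker.service-mode.allowed"
# Per-container request, supplied through the container's environment.
ENV_SERVICE_MODE_KEY = "YARN_CONTAINER_RUNTIME_DOCKER_SERVICE_MODE"


def service_mode_enabled(ce_cfg: dict, env: dict) -> bool:
    """Service Mode is active only when the admin allowed it AND the
    container requested it. A request without admin approval is rejected
    (assumed behaviour here), so a submitter cannot drop the YARN-assigned
    user on their own."""
    allowed = ce_cfg.get(CE_CFG_SERVICE_MODE_KEY, "false").lower() == "true"
    requested = env.get(ENV_SERVICE_MODE_KEY, "false").lower() == "true"
    if requested and not allowed:
        raise PermissionError(
            f"{ENV_SERVICE_MODE_KEY} requested but {CE_CFG_SERVICE_MODE_KEY} "
            "is not true in container-executor.cfg")
    return allowed and requested


def build_docker_run(ce_cfg: dict, env: dict, run_as_user: str,
                     log_dir: str, image: str) -> list:
    """Assemble the `docker run` argv the way the issue describes: normal
    mode passes --user/--group-add and a writable log bind mount; Service
    Mode leaves the image's user untouched and adds no log mount."""
    argv = ["docker", "run"]
    if not service_mode_enabled(ce_cfg, env):
        # Default mode: run as the YARN-assigned user, logs writable by YARN.
        argv += ["--user", run_as_user, f"--group-add={run_as_user}",
                 "-v", f"{log_dir}:{log_dir}:rw"]
    # Service Mode: nothing user- or log-related is injected; the image's
    # own USER/ENTRYPOINT/CMD apply, and `docker logs` is how you debug.
    argv.append(image)
    return argv


if __name__ == "__main__":
    # Constructed sample values (log path and image are illustrative).
    cfg, req, log = {CE_CFG_SERVICE_MODE_KEY: "true"}, {ENV_SERVICE_MODE_KEY: "true"}, "/var/log/yarn/c1"
    print(shlex.join(build_docker_run(cfg, req, "nobody", log, "postgres")))
    print(shlex.join(build_docker_run({}, {}, "nobody", log, "postgres")))
```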


