[ 
https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sidharta Seethana updated YARN-4266:
------------------------------------
    Description: 
Docker provides a mechanism (the --user switch) that enables us to specify the 
user the container processes should run as. We use this mechanism today when 
launching docker containers. In non-secure mode, we run the docker container 
based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` 
and in secure mode, as the submitting user. However, this mechanism breaks down 
with a large number of 'pre-created' images which don't necessarily have the 
users available within the image. Examples of such images include shared images 
that need to be used by multiple users. We need a way in which we can allow a 
pre-defined set of users to run containers based on existing images, without 
using the --user switch. There are some implications of disabling this user 
squashing that we'll need to work through: log aggregation, artifact deletion, 
etc.



  was:
Docker provides a mechanism (the --user switch) that enables us to specify the 
user the container processes should run as. We use this mechanism today when 
launching docker containers. In non-secure mode, we run the docker container 
based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` 
and in secure mode, as the submitting user. However, this mechanism breaks down 
with a large number of 'pre-created' images which don't necessarily have the 
users available within the image. Examples of such images include shared images 
that need to be used by multiple users. We need a way in which we can allow a 
pre-defined set of users to run containers based on existing images, without 
using the --user switch. 




> Allow whitelisted users to disable user re-mapping/squashing when launching 
> docker containers
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>
> Docker provides a mechanism (the --user switch) that enables us to specify 
> the user the container processes should run as. We use this mechanism today 
> when launching docker containers. In non-secure mode, we run the docker 
> container based on 
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user` and in 
> secure mode, as the submitting user. However, this mechanism breaks down with 
> a large number of 'pre-created' images which don't necessarily have the users 
> available within the image. Examples of such images include shared images 
> that need to be used by multiple users. We need a way in which we can allow a 
> pre-defined set of users to run containers based on existing images, without 
> using the --user switch. There are some implications of disabling this user 
> squashing that we'll need to work through: log aggregation, artifact 
> deletion, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
