hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhankun Tang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-5360) Use UID instead of user name to build the Docker run command
Date Tue, 12 Jul 2016 06:59:10 GMT
Zhankun Tang created YARN-5360:

             Summary: Use UID instead of user name to build the Docker run command
                 Key: YARN-5360
                 URL: https://issues.apache.org/jira/browse/YARN-5360
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: yarn
            Reporter: Zhankun Tang
            Assignee: Zhankun Tang

There is *a dependency between job submitting user and the user in the Docker image* in LCE
currently. For instance, in order to run the Docker container as yarn user, we can choose
set the "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user" to yarn and
leave "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users" default (true).
Then LCE will choose yarn ( UID maybe 1001) as the user running jobs.

But because LCE will mount the generated launch_container.sh (owned by the running job user)
into the Docker container and utilizes "docker run --user=<run_as_user>" option to get
it done internally, we also need to create a *same user name* in the Docker image with the
*same UID* as the running job user. Otherwise LCE will fail to launch container or report
unable to find user. This burdens the Docker image creator with YARN dependency.

Luckily this can be solved through Docker. As far as I know, since Docker v1.8 (or maybe earlier),
the Docker run command "--user=" option accepts UID and *when passing UID, the user does not
have to exist in the container*. So we should use UID instead of user name to construct the
Docker run command to eliminate the dependency that create the same user in the Docker image.
This enables LCE the ability to launch any Docker container safely regardless what users in

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org

View raw message