[SPARK-370][SPARK-499] Change image to run as nobody #189

ArtRand · 2017-09-25T20:52:57Z

Problem

The Spark image that is used for running the Dispatcher, Drivers, and Executors runs as root meaning that Marathon requires permissions to launch containers as root when on a strict-mode cluster.

Solution

Change default to nobody, allow access to directories in the image necessary for running Spark and it's components (e.g. nginx).

Tested

CI unit tests for basic functionality, manually on a strict-mode cluster (see JIRA for details) and manually against a Kerberized HDFS cluster

Manual tests

Kerberos
History server

susanxhuynh · 2017-09-27T00:57:52Z

docker/Dockerfile

@@ -72,15 +72,18 @@ RUN ln -s /bin/grep /usr/bin/grep

 RUN ln -s /var/lib/runit/service/spark /etc/service/spark
 RUN ln -s /var/lib/runit/service/nginx /etc/service/nginx
+RUN mkdir -p /etc/hadoop


This is repeated in L. 60 above, one of them can be removed.

susanxhuynh

LGTM (assuming tests pass)

benclarkwood · 2017-09-27T23:06:13Z

docker/Dockerfile

@@ -76,11 +76,13 @@ RUN ln -s /var/lib/runit/service/nginx /etc/service/nginx
 ADD dist /opt/spark/dist

 # Commenting these for now, because we're running Spark as root in strict mode


What does this comment mean?

It seems like it should go away?

skonto · 2017-10-13T13:56:23Z

@susanxhuynh @ArtRand I am not so sure about nobody in general its a relic: https://lwn.net/Articles/695526/ although widely used...

ArtRand added 2 commits September 25, 2017 13:52

wip, let's see if this works

234632e

change to nobody

5513b13

ArtRand changed the title ~~wip, let's see if this works~~ [SPARK-370][SPARK-499] Change image to run as nobody Sep 26, 2017

ArtRand added 2 commits September 26, 2017 15:17

chmod a few more dirs

a081dd9

update historyserver package a little, manually tested with new package

86b4405

susanxhuynh suggested changes Sep 27, 2017

View reviewed changes

remove extra mkdir

c9f5fe4

susanxhuynh approved these changes Sep 27, 2017

View reviewed changes

benclarkwood suggested changes Sep 27, 2017

View reviewed changes

change comment

adb2429

benclarkwood approved these changes Sep 27, 2017

View reviewed changes

ArtRand merged commit fd1a470 into master Sep 28, 2017

ArtRand deleted the spark-370-2-run-as-nobody branch September 28, 2017 01:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SPARK-370][SPARK-499] Change image to run as nobody #189

[SPARK-370][SPARK-499] Change image to run as nobody #189

ArtRand commented Sep 25, 2017 •

edited

Loading

susanxhuynh Sep 27, 2017

susanxhuynh left a comment

benclarkwood Sep 27, 2017

benclarkwood Sep 27, 2017

skonto commented Oct 13, 2017 •

edited

Loading

		@@ -76,11 +76,13 @@ RUN ln -s /var/lib/runit/service/nginx /etc/service/nginx
		ADD dist /opt/spark/dist

		# Commenting these for now, because we're running Spark as root in strict mode

[SPARK-370][SPARK-499] Change image to run as nobody #189

[SPARK-370][SPARK-499] Change image to run as nobody #189

Conversation

ArtRand commented Sep 25, 2017 • edited Loading

Problem

Solution

Tested

Manual tests

susanxhuynh Sep 27, 2017

Choose a reason for hiding this comment

susanxhuynh left a comment

Choose a reason for hiding this comment

benclarkwood Sep 27, 2017

Choose a reason for hiding this comment

benclarkwood Sep 27, 2017

Choose a reason for hiding this comment

skonto commented Oct 13, 2017 • edited Loading

ArtRand commented Sep 25, 2017 •

edited

Loading

skonto commented Oct 13, 2017 •

edited

Loading