https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/30395#M6866 <P>I tried to set up Impala to use YARN resource management. This requires (except from other things) to turn on Linux Container Execution (LCE) on all hots and&nbsp;</P><P>configuring YARN to use LCE.</P><P>The problem is, that when I tried to run a Spark job under root account YARN refused to do ths. First, it was an error message about nobody user.</P><P>Since YARN is by default configured to use this user, I changed the yarn.nodemanager.linux-container-executor.nonsecure-mode.local.user to&nbsp;<STRONG>false&nbsp;</STRONG></P><P>in safety valve for yarn-site.xml.</P><P>&nbsp;</P><P>Regarding the documentation this should enforce that every action in the container is executed under the user who submitted the job.</P><P>&nbsp;</P><P>I tried to add root to the whitelist of allowed users in YARN (allowed.system.users) and setting min.user.id to 1, but nothng helped.</P><P>&nbsp;</P><P>Yarn still is refusing to start a job under root.</P><P>&nbsp;</P><P>Any ideas?</P><P>thanks</P><P>Tomas</P><P>&nbsp;</P> Fri, 16 Sep 2022 09:36:39 GMT Tomas79 2022-09-16T09:36:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/30395#M6866 <P>I tried to set up Impala to use YARN resource management. This requires (except from other things) to turn on Linux Container Execution (LCE) on all hots and&nbsp;</P><P>configuring YARN to use LCE.</P><P>The problem is, that when I tried to run a Spark job under root account YARN refused to do ths. First, it was an error message about nobody user.</P><P>Since YARN is by default configured to use this user, I changed the yarn.nodemanager.linux-container-executor.nonsecure-mode.local.user to&nbsp;<STRONG>false&nbsp;</STRONG></P><P>in safety valve for yarn-site.xml.</P><P>&nbsp;</P><P>Regarding the documentation this should enforce that every action in the container is executed under the user who submitted the job.</P><P>&nbsp;</P><P>I tried to add root to the whitelist of allowed users in YARN (allowed.system.users) and setting min.user.id to 1, but nothng helped.</P><P>&nbsp;</P><P>Yarn still is refusing to start a job under root.</P><P>&nbsp;</P><P>Any ideas?</P><P>thanks</P><P>Tomas</P><P>&nbsp;</P> Fri, 16 Sep 2022 09:36:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/30395#M6866 Tomas79 2022-09-16T09:36:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/30412#M6867 Hi Tomas,<BR /><BR />Root has uid=0, that's why.<BR />It is highly recommended not to use root to run jobs for various reasons: security, stability, portability etc.<BR />The best solution is to run container as standard user, which needs certain level of permissions. Here is example with ubuntu:<BR /><A href="https://docs.docker.com/installation/ubuntulinux/#giving-non-root-access" target="_blank">https://docs.docker.com/installation/ubuntulinux/#giving-non-root-access</A><BR /><BR />Please let us know if it worked.<BR /><BR />Regards,<BR />Pawel Niemiec Mon, 03 Aug 2015 20:57:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/30412#M6867 pawelniemiec 2015-08-03T20:57:51Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/40238#M6868 <P>Hello,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; yarn makes three checks ( <A href="https://svn.apache.org/repos/asf/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c" target="_self">source code</A> )&nbsp; :</P><OL><LI>compare the name of the user with string root with string compare (strcmp(user, "root") == 0</LI><LI>verify if your user is white listed&nbsp;&nbsp; ( !is_whitelisted(user)</LI><LI>check the uid of the user with minuid.&nbsp; ( user_info-&gt;pw_uid &lt; min_uid&nbsp; )</LI></OL><P>For now the only workaround I found is to create a new user with UID and GID equal to 0 and insert the name of the user in white listed and set min user id to 0.</P><P>&nbsp;</P><P>There is an important motivation to use root: if you need to use distcp on a target location that is an NFS filesystem or a sharable filesystem mounted local on the datanode/workernode to make a backup.</P><P>&nbsp;</P><P>Infact in that case, if you run a job with a normal user, it's not possible to change the owner of the file, so the distcp backup will fails.&nbsp; Obviously if you run as root it will fail too for the hard coded control.</P><P>&nbsp;</P><P>Kind Regards</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Apr 2016 14:56:03 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Running-as-root-is-not-allowed/m-p/40238#M6868 matdba 2016-04-27T14:56:03Z