[SPARK-25275][K8S] require memberhip in wheel to run 'su' in dockerfiles

erikerlandson · erikerlandson · commit d6d1224ffab7 · 2018-08-30T14:07:04.000-07:00
## What changes were proposed in this pull request? Add a PAM configuration in k8s dockerfile to require authentication into wheel to run as `su` ## How was this patch tested? Verify against CI that PAM config succeeds & causes no regressions Closes apache#22285 from erikerlandson/spark-25275. Authored-by: Erik Erlandson <eerlands@redhat.com> Signed-off-by: Erik Erlandson <eerlands@redhat.com>
diff --git a/resource-managers/kubernetes/docker/src/main/dockerfiles/spark/Dockerfile b/resource-managers/kubernetes/docker/src/main/dockerfiles/spark/Dockerfile
@@ -29,12 +29,13 @@ ARG img_path=kubernetes/dockerfiles
 
 RUN set -ex && \
     apk upgrade --no-cache && \
-    apk add --no-cache bash tini libc6-compat && \
+    apk add --no-cache bash tini libc6-compat linux-pam && \
     mkdir -p /opt/spark && \
     mkdir -p /opt/spark/work-dir && \
     touch /opt/spark/RELEASE && \
     rm /bin/sh && \
     ln -sv /bin/bash /bin/sh && \
+    echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && \
     chgrp root /etc/passwd && chmod ug+rw /etc/passwd
 
 COPY ${spark_jars} /opt/spark/jars
