hadoop-yarn-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4262) Allow admins to run privileged docker containers.
Date Wed, 14 Oct 2015 20:02:05 GMT

    [ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14957635#comment-14957635
] 

Allen Wittenauer commented on YARN-4262:
----------------------------------------

But admin also exposes functionality on the RM.

bq.  should we expose such functionality to anybody who is not in the 'admin' role for the
cluster?

No, which is why it should be a separate list.  This isn't an "either/or". You need three
lists: regular users, users who can run docker in priv mode, and admin level privs.  This
is particularly relevant when you think about OSes that aren't Linux that support Docker container
formats but do support roles...

> Allow admins to run privileged docker containers. 
> --------------------------------------------------
>
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch
>
>
> There are scenarios where privileged containers are necessary in order to run certain
> kinds of applications (one example is trying to run postgresql/oracle inside containers). However,
> given the security implications, we should ensure that:
> 1) privileged containers are disabled by default, even for admins
> 2) if enabled, only admins should be allowed to launch such containers and
> 3) Not all containers launched by admin users need to be privileged containers: admin
> users need to explicitly request that a privileged container be launched.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
