hadoop-yarn-issues mailing list archives

From "Sidharta Seethana (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-4262) Allow admins to run privileged docker containers.
Date Thu, 15 Oct 2015 05:48:05 GMT

     [ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sidharta Seethana updated YARN-4262:
------------------------------------
    Description: 
(Updated based on discussion in the JIRA)

There are scenarios where privileged containers are necessary in order to run certain kinds
of applications (one example is trying to run PostgreSQL/Oracle inside containers). However,
given the security implications, we should ensure that:
1) privileged containers are disabled by default,
2) if enabled, only a whitelisted set of users should be allowed to launch such containers, and
3) not all containers launched by whitelisted users need to be privileged containers: whitelisted
users need to explicitly request that a privileged container be launched.


  was:
There are scenarios where privileged containers are necessary in order to run certain kinds
of applications (one example is trying to run PostgreSQL/Oracle inside containers). However,
given the security implications, we should ensure that:
1) privileged containers are disabled by default, even for admins,
2) if enabled, only admins should be allowed to launch such containers, and
3) not all containers launched by admin users need to be privileged containers: admin users
need to explicitly request that a privileged container be launched.



> Allow admins to run privileged docker containers. 
> --------------------------------------------------
>
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch
>
>
> (Updated based on discussion in the JIRA)
> There are scenarios where privileged containers are necessary in order to run certain
> kinds of applications (one example is trying to run PostgreSQL/Oracle inside containers). However,
> given the security implications, we should ensure that:
> 1) privileged containers are disabled by default,
> 2) if enabled, only a whitelisted set of users should be allowed to launch such containers, and
> 3) not all containers launched by whitelisted users need to be privileged containers:
> whitelisted users need to explicitly request that a privileged container be launched.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
