hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4262) Allow whitelisted users to run privileged docker containers.
Date Fri, 16 Oct 2015 06:53:05 GMT

    [ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14960258#comment-14960258
] 

Varun Vasudev commented on YARN-4262:
-------------------------------------

Thanks for the patch [~sidharta-s]. Couple of things -
1)
{code}
   .</description>
{code}
Formatting.

2)

{code}
+    if (!privilegedContainersEnabledOnCluster) {
+      String errorMsg = "Privileged container being requested but privileged "
+          + "containers are not enabled on this cluster";
+      LOG.error(errorMsg);
+      throw new ContainerExecutionException(errorMsg);
+    }
{code}
and
{code}
+    if (!privilegedContainersAcl.isUserAllowed(submitterUgi)) {
+      String errorMsg = "Cannot launch privileged container. Submitting user ("
+          + submittingUser + ") fails ACL check.";
+      LOG.error(errorMsg);
+      throw new ContainerExecutionException(errorMsg);
+    }
{code}
Change the log level to warnings.

> Allow whitelisted users to run privileged docker containers. 
> -------------------------------------------------------------
>
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch, YARN-4262.002.patch
>
>
> (Updated based on discussion in the JIRA)
> There are scenarios where privileged containers are necessary in order to run certain
kinds of applications (one example is trying to run postresql/oracle inside containers). However,
given the security implications, we should ensure that : 
> 1) privileged containers are disabled by default
> 2) if enabled, only a whitelisted set of users should be allowed to launch such containers
and 
> 3) Not all containers launched by whitelisted users need to be privileged containers
: whitelisted users need to explicitly request that a privileged container be launched.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message