Date: Thu, 15 Oct 2015 05:48:05 +0000 (UTC)
From: "Sidharta Seethana (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Updated] (YARN-4262) Allow admins to run privileged docker containers.

     [ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sidharta Seethana updated YARN-4262:
------------------------------------
    Description:
(Updated based on discussion in the JIRA)
There are scenarios where privileged containers are necessary in order to run certain kinds of applications (one example is trying to run postgresql/oracle inside containers). However, given the security implications, we should ensure that:
1) privileged containers are disabled by default
2) if enabled, only a whitelisted set of users should be allowed to launch such containers and
3) Not all containers launched by whitelisted users need to be privileged containers: whitelisted users need to explicitly request that a privileged container be launched.

  was:
There are scenarios where privileged containers are necessary in order to run certain kinds of applications (one example is trying to run postgresql/oracle inside containers). However, given the security implications, we should ensure that:
1) privileged containers are disabled by default, even for admins
2) if enabled, only admins should be allowed to launch such containers and
3) Not all containers launched by admin users need to be privileged containers: admin users need to explicitly request that a privileged container be launched.

> Allow admins to run privileged docker containers.
> --------------------------------------------------
>
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch
>
>
> (Updated based on discussion in the JIRA)
> There are scenarios where privileged containers are necessary in order to run certain kinds of applications (one example is trying to run postgresql/oracle inside containers). However, given the security implications, we should ensure that:
> 1) privileged containers are disabled by default
> 2) if enabled, only a whitelisted set of users should be allowed to launch such containers and
> 3) Not all containers launched by whitelisted users need to be privileged containers: whitelisted users need to explicitly request that a privileged container be launched.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)