hadoop-yarn-issues mailing list archives

From "Abin Shahab (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2480) DockerContainerExecutor must support user namespaces
Date Thu, 12 Nov 2015 05:19:11 GMT

    [ https://issues.apache.org/jira/browse/YARN-2480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001707#comment-15001707 ]

Abin Shahab commented on YARN-2480:

Thanks, yes, it's interesting, but it demands contiguous id space for all
tasks/docker containers. We are wondering how to distribute the ids among
the tasks (do all tasks get the same range? Do all of them get separate
ranges? Do all tasks belonging to the same job get the same range?)

On Wed, Nov 11, 2015 at 6:52 PM, Erik Weathers (JIRA) <jira@apache.org>

> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>                 Key: YARN-2480
>                 URL: https://issues.apache.org/jira/browse/YARN-2480
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
> When DockerContainerExecutor launches a container, the root inside that container has root privileges on the host.
> This is insecure in a multi-tenant environment. The uid of the container's root user must be mapped to a non-privileged user on the host.
