hadoop-yarn-issues mailing list archives

From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6623) Add support to turn off launching privileged containers in the container-executor
Date Wed, 02 Aug 2017 18:40:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111499#comment-16111499

Miklos Szegedi commented on YARN-6623:

[~daniel@cloudera.com], this is needed, I think, for defense in depth. container-executor.cfg
is enforced to be runnable only by root. yarn-site.xml is not. Also, container-executor currently
does not allow launching something impersonating root. This feature should be followed by the
Docker code as well.
/**
 * Is the user a real user account?
 * Checks:
 *   1. Not root
 *   2. UID is above the minimum configured.
 *   3. Not in banned user list
 * Returns NULL on failure
 */
struct passwd* check_user(const char *user) {
Let's assume someone allows the container-executor to be executed from yarn but sets the user to root
(or runs privileged Docker). In this case the point of running YARN as yarn and not root is lost.

> Add support to turn off launching privileged containers in the container-executor
> ---------------------------------------------------------------------------------
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
> Currently, launching privileged containers is controlled by the NM. We should add a flag
> to the container-executor.cfg allowing admins to disable launching privileged containers at
> the container-executor level.

This message was sent by Atlassian JIRA
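The checks the comment above quotes from check_user, plus the container-executor.cfg-level privileged switch the issue proposes, as an added example that is not the project's own code. The config struct, the check_user_cfg/check_launch names and the key name "docker.privileged-containers.enabled" are assumptions; min.user.id and banned.users are existing container-executor.cfg keys, and the sample config values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <sys/types.h>

/* Minimal stand-in for the settings container-executor reads from
 * container-executor.cfg (real keys: min.user.id, banned.users).
 * The privileged flag is the one this issue proposes; the key name
 * "docker.privileged-containers.enabled" is an assumption here. */
struct ce_config {
  uid_t min_user_id;            /* min.user.id */
  const char *banned_users[8];  /* banned.users, NULL-terminated */
  bool privileged_enabled;      /* assumed key: docker.privileged-containers.enabled */
};
/* Reasons a launch is refused; CE_OK means allowed. */
enum ce_reject { CE_OK = 0, CE_IS_ROOT, CE_UID_TOO_LOW, CE_BANNED, CE_PRIVILEGED_DISABLED };

/* check_user-style test: is (user, uid) an acceptable container user?
 * Mirrors the three checks listed in the quoted comment block. */
enum ce_reject check_user_cfg(const struct ce_config *cfg, const char *user, uid_t uid) {
  if (uid == 0 || strcmp(user, "root") == 0) return CE_IS_ROOT;   /* 1. not root */
  if (uid < cfg->min_user_id) return CE_UID_TOO_LOW;              /* 2. above min.user.id */
  for (int i = 0; cfg->banned_users[i] != NULL; i++)              /* 3. not banned */
    if (strcmp(user, cfg->banned_users[i]) == 0) return CE_BANNED;
  return CE_OK;
}

/* Gate a launch request: user checks first, then the cfg-level privileged
 * switch, which a yarn-site.xml setting (writable by yarn) cannot override. */
enum ce_reject check_launch(const struct ce_config *cfg, const char *user, uid_t uid, bool wants_privileged) {
  enum ce_reject r = check_user_cfg(cfg, user, uid);
  if (r != CE_OK) return r;
  if (wants_privileged && !cfg->privileged_enabled) return CE_PRIVILEGED_DISABLED;
  return CE_OK;
}

/* Constructed sample config, as an admin might set it in the root-owned container-executor.cfg. */
static const struct ce_config sample_cfg = {
  .min_user_id = 1000,
  .banned_users = { "hdfs", "yarn", "mapred", "bin", NULL },
  .privileged_enabled = false,
};

int main(void) {
  const char *names[] = { "ok", "is root", "uid below min.user.id", "in banned.users", "privileged disabled in cfg" };
  printf("alice/1001 normal:     %s\n", names[check_launch(&sample_cfg, "alice", 1001, false)]);
  printf("root/0 normal:         %s\n", names[check_launch(&sample_cfg, "root", 0, false)]);
  printf("alice/1001 privileged: %s\n", names[check_launch(&sample_cfg, "alice", 1001, true)]);
  return 0;
}
```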

