hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7066) Add ability to specify volumes to mount for DockerContainerRuntime
Date Wed, 23 Aug 2017 21:33:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139165#comment-16139165 ]

Eric Yang commented on YARN-7066:
---------------------------------

[~miklos.szegedi@cloudera.com] This is designed to work with YARN-4266.  The user UID:GID
are enforced on the mounted file system.  The Unix process of the docker container would be owned
by the UID:GID of the launching user.  Hence, the user doesn't get additional privileges through mounting.
If someone tries to mount the same mount point twice, such as the /etc/sudoers file, Docker will
detect the duplicated entries and abort execution.  Therefore, there is no loophole to fake the /etc/sudoers
file in the container to gain extra privileges.  As long as the white list mount points are secured,
and no privilege escalation is possible in the container, this feature does not contain a security
hole.

> Add ability to specify volumes to mount for DockerContainerRuntime
> ------------------------------------------------------------------
>
>                 Key: YARN-7066
>                 URL: https://issues.apache.org/jira/browse/YARN-7066
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-native-services
>    Affects Versions: 3.0.0-beta1
>            Reporter: Eric Yang
>         Attachments: YARN-7066.001.patch
>
>
> Yarnfile describes environment, docker image, and configuration template for launching docker containers in YARN.  It would be nice to have the ability to specify the volumes to mount.  This can be used in combination with AMBARI-21748 to mount HDFS as data directories to docker containers.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
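
An added example, not code from YARN or from the attached patch: a pre-launch check of the two conditions the comment relies on, that mount sources stay inside the white list and that no container destination is mounted twice. The `source:destination[:mode]` spec format, the allow-list paths, the sample requests and the function names are assumptions made for illustration.

```python
import posixpath

# Constructed allow-list and requests, for illustration only.
ALLOWED_SOURCES = ("/data/hdfs", "/etc/hadoop/conf")
REQUESTS = [
    "/data/hdfs/app1:/data:rw",
    "/etc/hadoop/conf:/etc/hadoop/conf",
    "/data/hdfs/../../etc/sudoers:/etc/sudoers:ro",
    "/data/hdfs-private:/private:ro",
    "/data/hdfs/app2:/data/:ro",
]


def _under(path, root):
    """True when path equals root or lies below it, compared per component."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def validate_mounts(specs, allowed=ALLOWED_SOURCES):
    """Return (accepted, rejected) for 'source:destination[:mode]' specs."""
    accepted, rejected, seen_dst = [], [], set()
    for spec in specs:
        parts = spec.split(":")
        if len(parts) not in (2, 3):
            rejected.append((spec, "malformed"))
            continue
        src, dst = parts[0], parts[1]
        mode = parts[2] if len(parts) == 3 else "ro"
        if mode not in ("ro", "rw"):
            rejected.append((spec, "bad mode"))
            continue
        if not (src.startswith("/") and dst.startswith("/")):
            rejected.append((spec, "relative path"))
            continue
        # Collapse '.', '..' and doubled slashes before any comparison.
        # This is lexical only; symlinks on the host are not resolved here.
        src, dst = posixpath.normpath(src), posixpath.normpath(dst)
        if not any(_under(src, root) for root in allowed):
            rejected.append((spec, "source not allow-listed"))
            continue
        if dst in seen_dst:
            rejected.append((spec, "duplicate destination"))
            continue
        seen_dst.add(dst)
        accepted.append((src, dst, mode))
    return accepted, rejected
```

Comparing per path component is what keeps `/data/hdfs-private` from passing as a child of `/data/hdfs`, and normalizing the destination is what makes `/data/` collide with `/data`.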
