hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6623) Add support to turn off launching privileged containers in the container-executor
Date Tue, 26 Sep 2017 19:37:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181413#comment-16181413
] 

Eric Yang commented on YARN-6623:
---------------------------------

A couple concerns:

#  Moving code from Java to C without findbugs check for vulnerability, is risky for future
enhancement.
#  Mount point white list should be placed in visible place like common-site.xml or yarn-site.xml
to let other people know about the path that can be mounted.
#  Container-executor.cfg permission might set to 640, which prevent usability from point
#2 for users.

Container-executor binary is governed by setuid bits.  A privileged user is allowed to do
many things in Linux.  Effort of trying to limit root user to less power, does not improve
security.  It only make system more difficult to service in situations that have yet been
realized.  Sorry that there are a lot of code been written for this JIRA.  However, it seems
a bit risky to push validation logic to root user side.  It would have been better to reduce
the scope of this JIRA to focus on disabling launching privileged containers on node manager
side only in my opinion.

The failed unit test case does not seem to be related to the latest version of patch.

> Add support to turn off launching privileged containers in the container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: YARN-6623.001.patch, YARN-6623.002.patch, YARN-6623.003.patch, YARN-6623.004.patch,
YARN-6623.005.patch, YARN-6623.006.patch, YARN-6623.007.patch, YARN-6623.008.patch, YARN-6623.009.patch,
YARN-6623.010.patch, YARN-6623.011.patch, YARN-6623.012.patch, YARN-6623.013.patch
>
>
> Currently, launching privileged containers is controlled by the NM. We should add a flag
to the container-executor.cfg allowing admins to disable launching privileged containers at
the container-executor level.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message