hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7446) Docker container privileged mode and --user flag contradict each other
Date Thu, 01 Feb 2018 18:00:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16349008#comment-16349008

Eric Yang commented on YARN-7446:

[~shanekumpf@gmail.com] It would be better to leave --user 0:0 out for some reasons.

1.  If a privileged user use --privileged and docker container has a defined a service user.
 i.e. Hive.  By remove --user 0:0, this allows a system administrator, such as Eric to have
"sudo" like behavior on YARN cluster (given that sudoers check happens in YARN-7221).  Although
hive user is dropped to normal privileges.  This provides sudo like mechanism in a secure
manner for trusted docker images in YARN-7516.

2.  If a privileged user made a mistake to run --privileged flag with normal user container
image.  He will have ability to discover his mistakes.

3.  If the image does not have a predefined user, then full root capability is given.

With changes in YARN-7446, YARN-7221, and YARN-7516.  These three JIRA provides system administrator
a way to run authorized executable on the system with privileges in docker images.  This is
the same concept as sudoers list to authorize users to run authorized binaries.  The changes
are to help the system compliant with Linux security.  I think it is better to avoid hard
code --user 0:0 to make sure #1, and #2 corner cases are properly supported.

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch
> In the current implementation, when privileged=true, --user flag is also passed to docker
for launching container.  In reality, the container has no way to use root privileges unless
there is sticky bit or sudoers in the image for the specified user to gain privileges again.
 To avoid duplication of dropping and reacquire root privileges, we can reduce the duplication
of specifying both flag.  When privileged mode is enabled, --user flag should be omitted.
 When non-privileged mode is enabled, --user flag is supplied.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message