[jira] [Updated] (YARN-4262) Allow whitelisted users to run privileged docker containers.
[ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eric Badger updated YARN-4262: -- Labels: Docker (was: ) > Allow whitelisted users to run privileged docker containers. > - > > Key: YARN-4262 > URL: https://issues.apache.org/jira/browse/YARN-4262 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn >Reporter: Sidharta Seethana >Assignee: Sidharta Seethana >Priority: Major > Labels: Docker > Fix For: 2.8.0, 3.0.0-alpha1 > > Attachments: YARN-4262.001.patch, YARN-4262.002.patch, > YARN-4262.003.patch > > > (Updated based on discussion in the JIRA) > There are scenarios where privileged containers are necessary in order to run > certain kinds of applications (one example is trying to run postresql/oracle > inside containers). However, given the security implications, we should > ensure that : > 1) privileged containers are disabled by default > 2) if enabled, only a whitelisted set of users should be allowed to launch > such containers and > 3) Not all containers launched by whitelisted users need to be privileged > containers : whitelisted users need to explicitly request that a privileged > container be launched. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-4262) Allow whitelisted users to run privileged docker containers.
[ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sidharta Seethana updated YARN-4262: Attachment: YARN-4262.003.patch Thanks, [~vvasudev]. Uploaded a new patch with the suggested fixes in place. > Allow whitelisted users to run privileged docker containers. > - > > Key: YARN-4262 > URL: https://issues.apache.org/jira/browse/YARN-4262 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn >Reporter: Sidharta Seethana >Assignee: Sidharta Seethana > Attachments: YARN-4262.001.patch, YARN-4262.002.patch, > YARN-4262.003.patch > > > (Updated based on discussion in the JIRA) > There are scenarios where privileged containers are necessary in order to run > certain kinds of applications (one example is trying to run postresql/oracle > inside containers). However, given the security implications, we should > ensure that : > 1) privileged containers are disabled by default > 2) if enabled, only a whitelisted set of users should be allowed to launch > such containers and > 3) Not all containers launched by whitelisted users need to be privileged > containers : whitelisted users need to explicitly request that a privileged > container be launched. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (YARN-4262) Allow whitelisted users to run privileged docker containers.
[ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sidharta Seethana updated YARN-4262: Summary: Allow whitelisted users to run privileged docker containers. (was: Allow admins to run privileged docker containers. ) > Allow whitelisted users to run privileged docker containers. > - > > Key: YARN-4262 > URL: https://issues.apache.org/jira/browse/YARN-4262 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn >Reporter: Sidharta Seethana >Assignee: Sidharta Seethana > Attachments: YARN-4262.001.patch, YARN-4262.002.patch > > > (Updated based on discussion in the JIRA) > There are scenarios where privileged containers are necessary in order to run > certain kinds of applications (one example is trying to run postresql/oracle > inside containers). However, given the security implications, we should > ensure that : > 1) privileged containers are disabled by default > 2) if enabled, only a whitelisted set of users should be allowed to launch > such containers and > 3) Not all containers launched by whitelisted users need to be privileged > containers : whitelisted users need to explicitly request that a privileged > container be launched. -- This message was sent by Atlassian JIRA (v6.3.4#6332)