[jira] [Updated] (YARN-732) YARN support for container isolation on Windows

2014-10-01 Thread Vinod Kumar Vavilapalli (JIRA)

 [ 
https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vinod Kumar Vavilapalli updated YARN-732:
-
Fix Version/s: (was: trunk-win)

 YARN support for container isolation on Windows
 ---

 Key: YARN-732
 URL: https://issues.apache.org/jira/browse/YARN-732
 Project: Hadoop YARN
  Issue Type: New Feature
  Components: nodemanager
Affects Versions: trunk-win
Reporter: Kyle Leckie
  Labels: security
 Attachments: winutils.diff


 There is no ContainerExecutor on windows that can launch containers in a 
 manner that creates:
 1) container isolation
 2) container execution with reduced rights
 I am working on patches that will add the ability to launch containers in a 
 process with a reduced access token. 
 Update: After examining several approaches I have settled on launching the 
 task as a domain user. I have attached the current winutils diff which is a 
 work in progress. 
 Work remaining:
 - Create isolated desktop for task processes.
 - Set integrity of spawned processed to low.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (YARN-732) YARN support for container isolation on Windows

2013-07-12 Thread Kyle Leckie (JIRA)

 [ 
https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kyle Leckie updated YARN-732:
-

Description: 
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. 
Update: After examining several approaches I have settled on launching the task 
as a domain user. I have attached the current winutils patch which is a work in 
progress. 


  was:
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. My current approach does not attempt to 
run the process as the domain user passed into the launchContainer() call. 
Instead we run as a local user.



 YARN support for container isolation on Windows
 ---

 Key: YARN-732
 URL: https://issues.apache.org/jira/browse/YARN-732
 Project: Hadoop YARN
  Issue Type: New Feature
  Components: nodemanager
Affects Versions: trunk-win
Reporter: Kyle Leckie
  Labels: security
 Fix For: trunk-win


 There is no ContainerExecutor on windows that can launch containers in a 
 manner that creates:
 1) container isolation
 2) container execution with reduced rights
 I am working on patches that will add the ability to launch containers in a 
 process with a reduced access token. 
 Update: After examining several approaches I have settled on launching the 
 task as a domain user. I have attached the current winutils patch which is a 
 work in progress. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Updated] (YARN-732) YARN support for container isolation on Windows

2013-07-12 Thread Kyle Leckie (JIRA)

 [ 
https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kyle Leckie updated YARN-732:
-

Description: 
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. 
Update: After examining several approaches I have settled on launching the task 
as a domain user. I have attached the current winutils diff which is a work in 
progress. 
Work remaining:
- Create isolated desktop for task processes.
- Set integrity of spawned processed to low.

  was:
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. 
Update: After examining several approaches I have settled on launching the task 
as a domain user. I have attached the current winutils patch which is a work in 
progress. 



 YARN support for container isolation on Windows
 ---

 Key: YARN-732
 URL: https://issues.apache.org/jira/browse/YARN-732
 Project: Hadoop YARN
  Issue Type: New Feature
  Components: nodemanager
Affects Versions: trunk-win
Reporter: Kyle Leckie
  Labels: security
 Fix For: trunk-win


 There is no ContainerExecutor on windows that can launch containers in a 
 manner that creates:
 1) container isolation
 2) container execution with reduced rights
 I am working on patches that will add the ability to launch containers in a 
 process with a reduced access token. 
 Update: After examining several approaches I have settled on launching the 
 task as a domain user. I have attached the current winutils diff which is a 
 work in progress. 
 Work remaining:
 - Create isolated desktop for task processes.
 - Set integrity of spawned processed to low.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Updated] (YARN-732) YARN support for container isolation on Windows

2013-07-12 Thread Kyle Leckie (JIRA)

 [ 
https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kyle Leckie updated YARN-732:
-

Attachment: winutils.diff

changes for winutils to launch task as domain user

 YARN support for container isolation on Windows
 ---

 Key: YARN-732
 URL: https://issues.apache.org/jira/browse/YARN-732
 Project: Hadoop YARN
  Issue Type: New Feature
  Components: nodemanager
Affects Versions: trunk-win
Reporter: Kyle Leckie
  Labels: security
 Fix For: trunk-win

 Attachments: winutils.diff


 There is no ContainerExecutor on windows that can launch containers in a 
 manner that creates:
 1) container isolation
 2) container execution with reduced rights
 I am working on patches that will add the ability to launch containers in a 
 process with a reduced access token. 
 Update: After examining several approaches I have settled on launching the 
 task as a domain user. I have attached the current winutils diff which is a 
 work in progress. 
 Work remaining:
 - Create isolated desktop for task processes.
 - Set integrity of spawned processed to low.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira