[jira] [Updated] (YARN-732) YARN support for container isolation on Windows

Fri, 12 Jul 2013 15:50:52 -0700 

     [ 
https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kyle Leckie updated YARN-732:
-----------------------------

    Description: 
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. 
Update: After examining several approaches I have settled on launching the task 
as a domain user. I have attached the current winutils diff which is a work in 
progress. 
Work remaining:
- Create isolated desktop for task processes.
- Set integrity of spawned processed to low.

  was:
There is no ContainerExecutor on windows that can launch containers in a manner 
that creates:
1) container isolation
2) container execution with reduced rights
I am working on patches that will add the ability to launch containers in a 
process with a reduced access token. 
Update: After examining several approaches I have settled on launching the task 
as a domain user. I have attached the current winutils patch which is a work in 
progress. 


    
> YARN support for container isolation on Windows
> -----------------------------------------------
>
>                 Key: YARN-732
>                 URL: https://issues.apache.org/jira/browse/YARN-732
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: trunk-win
>            Reporter: Kyle Leckie
>              Labels: security
>             Fix For: trunk-win
>
>
> There is no ContainerExecutor on windows that can launch containers in a 
> manner that creates:
> 1) container isolation
> 2) container execution with reduced rights
> I am working on patches that will add the ability to launch containers in a 
> process with a reduced access token. 
> Update: After examining several approaches I have settled on launching the 
> task as a domain user. I have attached the current winutils diff which is a 
> work in progress. 
> Work remaining:
> - Create isolated desktop for task processes.
> - Set integrity of spawned processed to low.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to