[
https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111499#comment-16111499
]
Miklos Szegedi commented on YARN-6623:
--------------------------------------
[[email protected]], this is needed I think for defense in depth.
container-executor.cfg is enforced to be runnable only by root. yarn-site.xml
is not. Also container-executor does not allow now to launch something
impersonating root. This feature should be followed by the Docker code as well.
{code}
/**
* Is the user a real user account?
* Checks:
* 1. Not root
* 2. UID is above the minimum configured.
* 3. Not in banned user list
* Returns NULL on failure
*/
struct passwd* check_user(const char *user) {
{code}
Let's assume someone allows the container-executor executed from yarn but set
user to root (or run privileged docker). In this case the point running YARN as
yarn and not root is lost.
> Add support to turn off launching privileged containers in the
> container-executor
> ---------------------------------------------------------------------------------
>
> Key: YARN-6623
> URL: https://issues.apache.org/jira/browse/YARN-6623
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Varun Vasudev
> Assignee: Varun Vasudev
>
> Currently, launching privileged containers is controlled by the NM. We should
> add a flag to the container-executor.cfg allowing admins to disable launching
> privileged containers at the container-executor level.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
