[https://issues.apache.org/jira/browse/YARN-7066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139165#comment-16139165]
Eric Yang commented on YARN-7066:
---------------------------------
[[email protected]] This is designed to work with YARN-4266. The
user's UID:GID is enforced on the mounted file system. The unix process of the
docker container would be owned by the UID:GID of the launching user. Hence, the user
doesn't get additional privileges through mounting. If someone tries to mount the
same mount point twice, such as the /etc/sudoers file, Docker will detect the
duplicated entries and abort execution. Therefore, there is no loophole to
fake the /etc/sudoers file in the container to gain extra privileges. As long as the
whitelisted mount points are secured, and no privilege escalation is possible in the
container, this feature does not contain a security hole.
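The comment's argument rests on two checks a node-side validator must make before a volume spec from a Yarnfile reaches Docker: the host path has to sit inside a whitelisted directory even after path normalisation, and no container mount point may be requested twice. The following is an added illustration of such a validator, written for this page; it is not part of YARN-7066, the attached patch, or the Hadoop container-executor. The whitelist prefixes, the `src:dst[:mode]` spec format, the read-only default, and the sample specs are all constructed assumptions.

```python
import posixpath
from typing import Iterable, List, Set, Tuple

# Constructed whitelist of host directories that may be bind-mounted into a
# container. Assumption: a real deployment would load this from the
# container-executor's configuration; these paths are illustrative only.
ALLOWED_HOST_PREFIXES = ("/data/hdfs", "/opt/app/config")

# Mount modes accepted from a volume spec (assumption for this example).
ALLOWED_MODES = {"ro", "rw"}


def canonical(path: str) -> str:
    """Collapse '.' and '..' so a whitelisted prefix cannot be escaped.

    posixpath.normpath keeps the example deterministic with constructed paths;
    on a live host, os.path.realpath should be applied as well so that a
    symlink inside the whitelisted tree cannot point outside it.
    """
    return posixpath.normpath(path)


def is_under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies inside it.

    The separator check prevents '/data/hdfsX' from matching '/data/hdfs'.
    """
    prefix = canonical(prefix).rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def parse_spec(spec: str) -> Tuple[str, str, str]:
    """Split 'src:dst[:mode]'; the mode defaults to read-only (assumption)."""
    parts = spec.split(":")
    if len(parts) == 2:
        src, dst = parts
        mode = "ro"
    elif len(parts) == 3:
        src, dst, mode = parts
    else:
        raise ValueError("expected src:dst[:mode]")
    return src, dst, mode


def validate_mounts(specs: Iterable[str], allowed=ALLOWED_HOST_PREFIXES):
    """Return (accepted, rejected): accepted holds (src, dst, mode) triples,
    rejected holds (spec, reason) pairs. Nothing rejected reaches Docker."""
    accepted: List[Tuple[str, str, str]] = []
    rejected: List[Tuple[str, str]] = []
    seen_dst: Set[str] = set()
    for spec in specs:
        try:
            src, dst, mode = parse_spec(spec)
        except ValueError as exc:
            rejected.append((spec, str(exc)))
            continue
        if not (src.startswith("/") and dst.startswith("/")):
            rejected.append((spec, "source and destination must be absolute"))
            continue
        if mode not in ALLOWED_MODES:
            rejected.append((spec, f"mode {mode!r} not allowed"))
            continue
        src_c, dst_c = canonical(src), canonical(dst)
        # Whitelist check happens on the canonical path, so '..' cannot
        # smuggle a path outside the permitted tree past a prefix comparison.
        if not any(is_under(src_c, p) for p in allowed):
            rejected.append((spec, f"host path {src_c} is outside the whitelist"))
            continue
        # Duplicate container mount points are refused up front rather than
        # relying on the runtime to abort on them.
        if dst_c in seen_dst:
            rejected.append((spec, f"container path {dst_c} mounted twice"))
            continue
        seen_dst.add(dst_c)
        accepted.append((src_c, dst_c, mode))
    return accepted, rejected


# Constructed sample volume specs, in the order a Yarnfile might list them.
SAMPLE_SPECS = [
    "/data/hdfs/user/alice:/mnt/data:rw",      # inside the whitelist
    "/opt/app/config:/etc/app:ro",             # inside the whitelist
    "/data/hdfs/../../etc:/host-etc",          # traversal out of the whitelist
    "/tmp/fake-sudoers:/etc/sudoers",          # host path not whitelisted
    "/opt/app/config/other:/etc/app",          # same container path twice
    "/data/hdfs/user/alice:/mnt/data2:z",      # unknown mode
]

if __name__ == "__main__":
    ok, bad = validate_mounts(SAMPLE_SPECS)
    for triple in ok:
        print("accept", triple)
    for spec, reason in bad:
        print("reject", spec, "->", reason)
```

Only the first two specs pass; the traversal, the non-whitelisted source, the repeated `/etc/app` target and the unknown mode are each rejected with a reason the launcher can log.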
> Add ability to specify volumes to mount for DockerContainerRuntime
> ------------------------------------------------------------------
>
> Key: YARN-7066
> URL: https://issues.apache.org/jira/browse/YARN-7066
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn-native-services
> Affects Versions: 3.0.0-beta1
> Reporter: Eric Yang
> Attachments: YARN-7066.001.patch
>
>
> Yarnfile describes environment, docker image, and configuration template for
> launching docker containers in YARN. It would be nice to have the ability to
> specify the volumes to mount. This can be used in combination with
> AMBARI-21748 to mount HDFS as data directories to docker containers.
--
This message was sent by Atlassian JIRA (v6.4.14#64029)