[
https://issues.apache.org/jira/browse/YARN-7066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16204321#comment-16204321
]
Eric Yang edited comment on YARN-7066 at 10/13/17 11:08 PM:
------------------------------------------------------------
[~ebadger] Security restriction will be enforced by:
# Check for sudo privileges for launching privileged container (YARN-7221)
# Enforced effective uid:gid (YARN-4266)
# Black listed volume (YARN-7197)
# Allowed white list volume (YARN-5534)
For privileged users, there are minimum restrictions. For unprivileged users,
they can express a path to mount, but they will be blocked from unauthorized areas
or by their own uid:gid privileges to file system ACL.
When the listed security defects are solved, this feature will be as good as
accessing local file system ACL.
was (Author: eyang):
[~ebadger] Security restriction will be enforced by:
# Check for sudo privileges for launching privileged container (YARN-7221)
# Enforced effective uid:gid (YARN-4266)
# Black listed volume (YARN-7197)
# Allowed white list volume (YARN-5534)
For privileged users, there is minimum restrictions. For unprivileged user,
they can express path to mount, but they will be blocked to unauthorized area
or by their own uid:gid privileges to file system ACL.
When the listed security defects are solved, this feature will be as good as
accessing local file system ACL.
> Add ability to specify volumes to mount for DockerContainerRuntime
> ------------------------------------------------------------------
>
> Key: YARN-7066
> URL: https://issues.apache.org/jira/browse/YARN-7066
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn-native-services
> Affects Versions: 3.0.0-beta1
> Reporter: Eric Yang
> Attachments: YARN-7066.001.patch, YARN-7066.002.patch
>
>
> Yarnfile describes environment, docker image, and configuration template for
> launching docker containers in YARN. It would be nice to have the ability to
> specify the volumes to mount. This can be used in combination with
> AMBARI-21748 to mount HDFS as data directories to docker containers.
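The four checks listed in the comment above can be sketched as a single mount-request validator. This is an added example, not code from the YARN patches or from Hadoop; the deny and allow roots, the function names, and the rule that privileged users skip the allow list but not the deny list are assumptions made for illustration.

```python
import posixpath

# Constructed policy values for illustration; not Hadoop defaults.
DENIED_ROOTS = ("/etc", "/proc", "/sys", "/var/run")
ALLOWED_ROOTS = ("/data", "/mnt/hdfs")


def normalize(path):
    """Lexically canonicalize an absolute path ("..", ".", repeated slashes).

    Lexical only: a real enforcement point must also resolve symlinks on the host.
    """
    if not path.startswith("/"):
        raise ValueError("mount source must be absolute")
    return "/" + posixpath.normpath(path).lstrip("/")


def under(path, root):
    """Component-wise containment, so /database is not treated as inside /data."""
    return path == root or path.startswith(root + "/")


def check_mount(source, uid, gid, privileged=False, has_sudo=False):
    """Return (allowed, reason, run_as) for one requested host volume."""
    # Check 1: a privileged container is only granted to callers with sudo rights.
    if privileged and not has_sudo:
        return False, "privileged container requires sudo rights", None
    try:
        path = normalize(source)
    except ValueError as exc:
        return False, str(exc), None
    # Check 3: the deny list is evaluated first and wins over an allow-listed parent.
    if any(under(path, root) for root in DENIED_ROOTS):
        return False, "path is on the deny list", None
    if privileged:
        # Assumption: privileged users skip the allow list and keep root in the container.
        return True, "privileged", "0:0"
    # Check 4: unprivileged requests must fall under an allow-listed root.
    if not any(under(path, root) for root in ALLOWED_ROOTS):
        return False, "path is not on the allow list", None
    # Check 2: run as the caller's uid:gid so file system ACLs still apply to the mount.
    return True, "allowed", f"{uid}:{gid}"
```

Normalizing before matching is what stops a request such as `/data/../etc/passwd` from passing an allow-list prefix test.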