[https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344067#comment-16344067]
Jason Lowe commented on YARN-7815:
----------------------------------
This would break a framework where containers on the same node act as
co-processors and read (or even write) each other's directories directly.
I guess I am missing the use-case for this. All the application frameworks I
know of don't really have the concept of separate security tokens across
containers. Once you compromise a single container you have essentially
compromised the entire app as far as secrets are concerned. If we really need
extreme separation across containers within the same application then I would
argue that's a separate runtime model than what YARN provides today.
> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>
> Key: YARN-7815
> URL: https://issues.apache.org/jira/browse/YARN-7815
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Priority: Major
>
> Currently, when using the Docker runtime, the filecache directories are
> mounted read-write into the Docker containers. Read-write access is not
> necessary. We should make this more restrictive by changing that mount to
> read-only.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
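As an added illustration (not code from YARN-7815 or the Hadoop project): a POSIX shell audit that flags any filecache directory a container has bind-mounted read-write, plus a helper that rewrites a docker `-v` spec into the read-only form the issue proposes. The mount listing format and the `/hadoop/yarn/local` paths are constructed for the example; the listing shape assumes `docker inspect --format '{{range .Mounts}}{{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}'` output.

```shell
#!/bin/sh
# Added example, not part of YARN-7815 or Hadoop. Audits a container's bind
# mounts and flags YARN filecache directories that are mounted read-write.
# Assumed input: one mount per line, "SOURCE DESTINATION RW", as produced by
#   docker inspect --format \
#     '{{range .Mounts}}{{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' <id>

# Constructed sample listing. /hadoop/yarn/local stands in for a NodeManager
# local dir; the NM-level filecache and the per-user filecache are both rw here,
# which is the state the issue wants to tighten. The container's own appcache
# dir legitimately stays rw.
SAMPLE_MOUNTS='/hadoop/yarn/local/filecache /hadoop/yarn/local/filecache true
/hadoop/yarn/local/usercache/alice/filecache /hadoop/yarn/local/usercache/alice/filecache true
/hadoop/yarn/local/usercache/alice/appcache/app_1/ctr_1 /hadoop/yarn/local/usercache/alice/appcache/app_1/ctr_1 true
/etc/hadoop/conf /etc/hadoop/conf false'

# Print "SOURCE DESTINATION" for every mount whose RW flag is true and whose
# source has a path component named "filecache" (NM-level or per-user cache).
rw_filecache_mounts() {
    printf '%s\n' "$1" |
        awk '$3 == "true" && $1 ~ /(^|\/)filecache(\/|$)/ { print $1, $2 }'
}

# Return 0 when no filecache directory is mounted read-write, 1 otherwise.
filecache_is_readonly() {
    [ -z "$(rw_filecache_mounts "$1")" ]
}

# Rewrite a docker "-v SRC:DST[:opts]" bind-mount spec so that a filecache
# source is mounted read-only; any other spec is passed through unchanged.
harden_mount_spec() {
    spec=$1
    case $spec in
        *:*) ;;
        *) printf '%s\n' "$spec"; return ;;   # named volume, no host path
    esac
    src=${spec%%:*}
    rest=${spec#*:}
    dst=${rest%%:*}
    case $src in
        */filecache|*/filecache/*) printf '%s:%s:ro\n' "$src" "$dst" ;;
        *) printf '%s\n' "$spec" ;;
    esac
}

# Demo on the constructed sample: lists the two rw filecache mounts.
rw_filecache_mounts "$SAMPLE_MOUNTS"
```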