[ 
https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347300#comment-16347300
 ] 

Eric Yang commented on YARN-7446:
---------------------------------

Hi [~shaneku...@gmail.com], to carry out the conversation on YARN-7516 
regarding --privileged and -u flag being mutually exclusive.  Based on 
[~ebadger]'s comments on YARN-7516, --privileged and --cap-add/--cap-drop are 
not additive.  When --privileged is given and we drop the starting user to a 
normal uid/gid, this instance of the container is still running with root 
privileges; for the end user to regain kernel level access, the image needs to 
have either a sudoers list with sudo binary and sticky bits prebuilt or some 
executable binary with sticky bits to regain control of root privileges.  Once 
the user can regain control of the root power in the image, it defeats the 
purpose of dropping privileges in the first place from a security point of view.  "To 
grant root power, or not to grant" is the question.  When this question is 
asked upfront, there is little purpose in dropping to a normal user uid/gid because 
the normal user will need to spend more effort to resume root power from a usability 
point of view.  The initial decision for the privileged flag makes the user 
parameter irrelevant from both a usability point of view and a security point of 
view.  Thoughts?

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also 
> passed to docker for launching the container.  In reality, the container has no 
> way to use root privileges unless there is a sticky bit or sudoers in the image 
> for the specified user to gain privileges again.  To avoid duplication of 
> dropping and reacquiring root privileges, we can reduce the duplication of 
> specifying both flags.  When privileged mode is enabled, the --user flag should be 
> omitted.  When non-privileged mode is enabled, the --user flag is supplied.
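The launch rule proposed in this issue (omit --user when privileged mode is on, always supply it otherwise, and treat --cap-add/--cap-drop as meaningless alongside --privileged) can be made explicit in the code that assembles the `docker run` command line. The following is an added illustration, not YARN's own container-executor code; the `LaunchSpec` dataclass, `LaunchSpecError` and `build_docker_run_args` are names assumed for this example, and the sample image and uid:gid values are constructed.

```python
"""Assemble `docker run` arguments following the rule discussed in YARN-7446.

Added example, not YARN's own code. The names below (LaunchSpec,
LaunchSpecError, build_docker_run_args) are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class LaunchSpecError(ValueError):
    """Raised when a launch request is internally contradictory."""


@dataclass
class LaunchSpec:
    image: str
    user: Optional[str] = None               # "uid:gid" of the submitting user
    privileged: bool = False
    cap_add: List[str] = field(default_factory=list)
    cap_drop: List[str] = field(default_factory=list)
    command: List[str] = field(default_factory=list)


def build_docker_run_args(spec: LaunchSpec) -> List[str]:
    """Return the argv for `docker run`, applying the privileged/--user rule."""
    args = ["docker", "run", "--rm"]

    if spec.privileged:
        # --privileged already grants the full capability set, so per-capability
        # tweaks cannot add to or subtract from it; surface the contradiction
        # instead of silently accepting a request that reads as more restrictive
        # than it is.
        if spec.cap_add or spec.cap_drop:
            raise LaunchSpecError(
                "--cap-add/--cap-drop have no effect with --privileged")
        # The proposed rule: a non-root uid inside a privileged container only
        # pretends to drop root (it is regained through any setuid binary or
        # sudoers entry in the image), so --user is omitted rather than passed.
        args.append("--privileged")
    else:
        # Non-privileged launches must run as the submitting user.
        if not spec.user:
            raise LaunchSpecError("non-privileged launches must specify --user")
        args += ["--user", spec.user]
        # Capability adjustments are only meaningful in this branch.
        for cap in spec.cap_drop:
            args += ["--cap-drop", cap]
        for cap in spec.cap_add:
            args += ["--cap-add", cap]

    args.append(spec.image)
    args.extend(spec.command)
    return args


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real cluster.
    unpriv = LaunchSpec(image="example/app:1", user="1000:1000",
                        cap_drop=["ALL"], cap_add=["NET_BIND_SERVICE"],
                        command=["/bin/sh", "-c", "id"])
    priv = LaunchSpec(image="example/app:1", user="1000:1000", privileged=True,
                      command=["/bin/sh", "-c", "id"])
    print(" ".join(build_docker_run_args(unpriv)))
    print(" ".join(build_docker_run_args(priv)))
```

The second printed command line carries `--privileged` and no `--user`, even though the request supplied one; the first carries `--user` and the capability adjustments. Rejecting capability flags in the privileged branch is a design choice made here so that a reviewer of the launch request is not misled into thinking the container is more constrained than it actually is.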



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
