[
https://issues.apache.org/jira/browse/YARN-7960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476403#comment-16476403
]
Eric Badger commented on YARN-7960:
-----------------------------------
[~eyang], that's a good point. Thanks for chiming in. I'd say that selinux
auditing is probably the exception instead of the rule in this case. Would you
be ok with adding this feature as a config option in container-executor.cfg? I
would lean towards it being enabled by default but being allowed to be disabled
(secure by default), but I think getting it in in any respect is better than
not getting it in.
> Add no-new-privileges flag to docker run
> ----------------------------------------
>
> Key: YARN-7960
> URL: https://issues.apache.org/jira/browse/YARN-7960
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Badger
> Assignee: Eric Badger
> Priority: Major
> Labels: Docker
> Attachments: YARN-7960.001.patch
>
>
> Minimally, this should be used for unprivileged containers. It's a cheap way
> to add an extra layer of security to the docker model. For privileged
> containers, it might be appropriate to omit this flag
> https://github.com/moby/moby/pull/20727
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
