[
https://issues.apache.org/jira/browse/YARN-7960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476416#comment-16476416
]
Eric Yang commented on YARN-7960:
---------------------------------
[~ebadger] Can we run sestatus to check instead of depending on config values?
If sestatus is not found, then no-new-privileges option is enabled. Like you
said that selinux auditing is the exception. I am ok with this option being
enabled by default in absence of selinux. This can prevent configuration
mistake made by system administrator.
> Add no-new-privileges flag to docker run
> ----------------------------------------
>
> Key: YARN-7960
> URL: https://issues.apache.org/jira/browse/YARN-7960
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Badger
> Assignee: Eric Badger
> Priority: Major
> Labels: Docker
> Attachments: YARN-7960.001.patch
>
>
> Minimally, this should be used for unprivileged containers. It's a cheap way
> to add an extra layer of security to the docker model. For privileged
> containers, it might be appropriate to omit this flag
> https://github.com/moby/moby/pull/20727
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
