[ https://issues.apache.org/jira/browse/YARN-7960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476458#comment-16476458 ]

Eric Badger commented on YARN-7960:
-----------------------------------

bq. Eric Badger Can we run sestatus to check instead of depending on config 
values? If sestatus is not found, then no-new-privileges option is enabled.

The main reason I'm hesitant to go this route is because once this starts 
working on CentOS (does it work on 7.5?) then it will be completely legitimate 
to run with selinux (aka sestatus returns enabled) while also running with 
no-new-privileges. Making it a config property would leave it up to the admin 
to decide whether they would want the no-new-privileges flag to be enabled or 
not. 

The other reason is because I don't really like quietly changing things. In 
this case, someone could assume that the container is running with 
no-new-privileges, but then that flag is stripped out based on the specific 
node it's running on. In my ideal world, if you give a configuration that is 
invalid, you get a loud failure telling you that the configuration is invalid 
instead of the configuration quietly being changed to be valid. 

The no-new-privileges flag could also be inconsistent across a cluster if the 
nodes had different configurations. However, I'm not sure how likely it would 
be to have clusters with some nodes being selinux enabled while others are not. 

> Add no-new-privileges flag to docker run
> ----------------------------------------
>
>                 Key: YARN-7960
>                 URL: https://issues.apache.org/jira/browse/YARN-7960
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Assignee: Eric Badger
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-7960.001.patch
>
>
> Minimally, this should be used for unprivileged containers. It's a cheap way 
> to add an extra layer of security to the docker model. For privileged 
> containers, it might be appropriate to omit this flag
> https://github.com/moby/moby/pull/20727



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
