[
https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490956#comment-16490956
]
Eric Yang commented on YARN-8342:
---------------------------------
[~vinodkv] The original design was:
- Images in trusted registry can run on the cluster.
- Admin users with sudo privileges can run images from trusted registry with
admin privileges.
- Normal users can run images from trusted registry as themselves.
docker.trusted.registries was renamed to docker.privileged.registries by [this
comment|https://issues.apache.org/jira/browse/YARN-7516?focusedCommentId=16317178&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16317178].
I think renaming it back to [trusted registry|https://docs.docker.com/ee/dtr/]
would make this in line with Docker terminology. We made a commit for checking
the docker image, then a commit for checking sudo privileges. The out-of-order
review process is what caused the confusion, in my opinion.
{quote}
Option 1 requires RHEL 7.5+ to be completely immune to security hole.
Can you expand what this means?
{quote}
The current implementation will block system auditing inside a docker container
with SELinux turned on. System administrators will not be able to identify
malicious activities that occur in the container because SELinux transition calls
are blocked. Hadoop will lock down the normal user to his own access;
therefore, the risk is minimized. System administrators cannot audit other
system administrators' activity when SELinux transition calls are blocked.
Based on the comments, more people are in favor of option #2 to change the label
to be less confusing. I will update the patch to match this.
> Using docker image from a non-privileged registry, the launch_command is not
> honored
> ------------------------------------------------------------------------------------
>
> Key: YARN-8342
> URL: https://issues.apache.org/jira/browse/YARN-8342
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Wangda Tan
> Assignee: Eric Yang
> Priority: Critical
> Labels: Docker
> Attachments: YARN-8342.001.patch
>
>
> During testing of the Docker feature, I found that if a container comes from
> a non-privileged docker registry, the specified launch command will be ignored.
> The container will succeed without any log, which is very confusing to end users.
> And this behavior is inconsistent with containers from privileged docker
> registries.
> cc: [~eyang], [[email protected]], [~ebadger], [~jlowe]