[ https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16493743#comment-16493743 ]
Eric Badger commented on YARN-8342:
-----------------------------------
bq. Is there any reason to block sudo users from running images in
non-privileged containers with mounts?
Depending on the registry it comes from, yes. If the registry is a black box
and operated by some 3rd party, then you might not want that image to be run
with mounts at all.
bq. 3 is a superset of 2. The control valve for privileged container or
non-privileged container is through sudo check. Privileged and non-privileged
users can use 3 as 2 without making 2 and 3 as separate support type.
Yes, 3 is a superset of 2. However, I would never use 3 in my cluster. I don't
want users to run with privileged containers. It increases the surface area for
bugs related to privileged code and opens up the possibility of users elevating
their container's privilege just to get something to work, even when that's not
the correct solution. Since I don't ever want to run a privileged container, it
seems prudent to not allow users to run them instead of trusting that users
won't run them. And then of course if you don't care about the distinction
between the two, then you would simply populate 3 and leave 2 empty.
> Using docker image from a non-privileged registry, the launch_command is not
> honored
> ------------------------------------------------------------------------------------
>
> Key: YARN-8342
> URL: https://issues.apache.org/jira/browse/YARN-8342
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Wangda Tan
> Assignee: Eric Yang
> Priority: Critical
> Labels: Docker
> Attachments: YARN-8342.001.patch
>
>
> During test of the Docker feature, I found that if a container comes from
> non-privileged docker registry, the specified launch command will be ignored.
> Container will succeed without any log, which is very confusing to end users.
> And this behavior is inconsistent with containers from privileged docker
> registries.
> cc: [~eyang], [[email protected]], [~ebadger], [~jlowe]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)