[jira] [Commented] (YARN-2480) DockerContainerExecutor must support user namespaces

Ravindra Kumar Naik (JIRA) Fri, 13 Mar 2015 13:34:46 -0700

    [ 
https://issues.apache.org/jira/browse/YARN-2480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14361049#comment-14361049
 ]


Ravindra Kumar Naik commented on YARN-2480:
-------------------------------------------

Though this support exists in Linux containers (LXC), docker doesn't yet 
support such mapping 
Please have a look at https://github.com/docker/docker/issues/7906

> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>
>                 Key: YARN-2480
>                 URL: https://issues.apache.org/jira/browse/YARN-2480
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
>
> When DockerContainerExector launches a container, the root inside that 
> container has root privileges on the host. 
> This is insecure in a mult-tenant environment. The uid of the container's 
> root user must be mapped to a non-privileged user on the host.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (YARN-2480) DockerContainerExecutor must support user namespaces

Reply via email to