[ https://issues.apache.org/jira/browse/YARN-3852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637258#comment-14637258 ]
Varun Vasudev commented on YARN-3852:
-------------------------------------
Yes. In the current version of launch_container_as_user, we have this call
{code}
  // give up root privs
  if (change_user(user_detail->pw_uid, user_detail->pw_gid) != 0) {
    exit_code = SETUID_OPER_FAILED;
    goto cleanup;
  }
{code}
After the refactor, this call has been put in an if condition
{code}
  if (effective_user == 1) {
    if (change_effective_user(user_detail->pw_uid, user_detail->pw_gid) != 0) {
      fprintf(ERRORFILE, "Could not change to effective users %d, %d\n",
              user_detail->pw_uid, user_detail->pw_gid);
      fflush(ERRORFILE);
      goto cleanup;
    }
  } else {
    // give up root privs
    if (change_user(user_detail->pw_uid, user_detail->pw_gid) != 0) {
      exit_code = SETUID_OPER_FAILED;
      goto cleanup;
    }
  }
{code}
in create_local_dirs
> Add docker container support to container-executor
> ---------------------------------------------------
>
> Key: YARN-3852
> URL: https://issues.apache.org/jira/browse/YARN-3852
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Sidharta Seethana
> Assignee: Abin Shahab
> Attachments: YARN-3852-1.patch, YARN-3852-2.patch, YARN-3852.patch
>
>
> For security reasons, we need to ensure that access to the docker daemon and
> the ability to run docker containers is restricted to privileged users (i.e.
> users running applications should not have direct access to docker). In order
> to ensure the node manager can run docker commands, we need to add docker
> support to the container-executor binary.
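Added example, not part of the original message or of container-executor's source: the general POSIX distinction behind the comment above, between changing only the effective IDs and giving up root permanently. The function names and the sample ID triples are constructed for illustration, and the assumption is that an effective-only change leaves the real or saved uid at 0.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* POSIX rule: an unprivileged process may still set its effective uid to its
 * real or saved uid, so root is recoverable while any of the three is 0. */
int can_regain_root(uid_t real, uid_t effective, uid_t saved) {
    return real == 0 || effective == 0 || saved == 0;
}

/* 1 when the real and effective IDs of this process equal the target. */
static int at_target(uid_t uid, gid_t gid) {
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Permanent drop (hypothetical helper). Order matters: supplementary groups,
 * then gid, then uid, because after setuid() the group calls are refused.
 * With euid 0, setgid()/setuid() set the real, effective and saved IDs. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (!at_target(uid, gid)) {
        if (setgroups(1, &gid) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
    }
    /* Verify the result instead of trusting the return codes alone. */
    if (!at_target(uid, gid)) return -1;
    /* The saved uid cannot be read portably, so probe it: regaining root
     * must fail unless root itself was the requested identity. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

int main(void) {
    /* Constructed (real, effective, saved) triples for a process started as root. */
    printf("after effective-only change: regain=%d\n", can_regain_root(0, 1000, 0));
    printf("after permanent drop:        regain=%d\n", can_regain_root(1000, 1000, 1000));
    printf("drop to current ids:         rc=%d\n",
           drop_privileges_permanently(getuid(), getgid()));
    return 0;
}
```

A caller that gets -1 back should exit immediately rather than continue, since the process identity is then in an unknown state.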