Sidharta Seethana commented on YARN-4262:

Hi [~aw],

I did consider using a separate list. Running a privileged container in some 
ways provides the equivalent of superuser access to the underlying node. So, 
the question here would be : should we expose such functionality to anybody who 
is not in the 'admin' role for the cluster? Thoughts?


> Allow admins to run privileged docker containers. 
> --------------------------------------------------
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch
> There are scenarios where privileged containers are necessary in order to run 
> certain kinds of applications (one example is trying to run postresql/oracle 
> inside containers). However, given the security implications, we should 
> ensure that : 
> 1) privileged containers are disabled by default, even for admins 
> 2) if enabled, only admins should be allowed to launch such containers and 
> 3) Not all containers launched by admin users need to be privileged 
> containers : admin users need to explicitly request that a privileged 
> container be launched.

This message was sent by Atlassian JIRA

Reply via email to