[ https://issues.apache.org/jira/browse/YARN-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sidharta Seethana updated YARN-4262:
------------------------------------
    Description: 
(Updated based on discussion in the JIRA)

There are scenarios where privileged containers are necessary in order to run 
certain kinds of applications (one example is trying to run PostgreSQL/Oracle 
inside containers). However, given the security implications, we should ensure 
that:
1) privileged containers are disabled by default
2) if enabled, only a whitelisted set of users should be allowed to launch such 
containers and 
3) not all containers launched by whitelisted users need to be privileged 
containers: whitelisted users need to explicitly request that a privileged 
container be launched.


  was:
There are scenarios where privileged containers are necessary in order to run 
certain kinds of applications (one example is trying to run PostgreSQL/Oracle 
inside containers). However, given the security implications, we should ensure 
that:
1) privileged containers are disabled by default, even for admins 
2) if enabled, only admins should be allowed to launch such containers and 
3) not all containers launched by admin users need to be privileged containers: 
admin users need to explicitly request that a privileged container be 
launched.



> Allow admins to run privileged docker containers. 
> --------------------------------------------------
>
>                 Key: YARN-4262
>                 URL: https://issues.apache.org/jira/browse/YARN-4262
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: Sidharta Seethana
>         Attachments: YARN-4262.001.patch
>
>
> (Updated based on discussion in the JIRA)
> There are scenarios where privileged containers are necessary in order to run 
> certain kinds of applications (one example is trying to run PostgreSQL/Oracle 
> inside containers). However, given the security implications, we should 
> ensure that:
> 1) privileged containers are disabled by default
> 2) if enabled, only a whitelisted set of users should be allowed to launch 
> such containers and 
> 3) not all containers launched by whitelisted users need to be privileged 
> containers: whitelisted users need to explicitly request that a privileged 
> container be launched.


