[ https://issues.apache.org/jira/browse/YARN-2480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001610#comment-15001610 ]
Erik Weathers commented on YARN-2480:
-------------------------------------

Experimental support for user-namespaces in Docker has landed in version 1.9:
* http://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
* https://github.com/docker/docker/pull/12648

It's available via experimental builds (not in the normal 1.9 build); see this link for info on getting those builds:
* https://github.com/docker/docker/tree/master/experimental

Documentation on the feature:
* https://github.com/docker/docker/blob/3b5fac462d21ca164b3778647420016315289034/experimental/userns.md

> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>
> Key: YARN-2480
> URL: https://issues.apache.org/jira/browse/YARN-2480
> Project: Hadoop YARN
> Issue Type: New Feature
> Reporter: Abin Shahab
> Labels: security
>
> When DockerContainerExecutor launches a container, the root inside that
> container has root privileges on the host.
> This is insecure in a multi-tenant environment. The uid of the container's
> root user must be mapped to a non-privileged user on the host.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
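
The requirement in the issue description can be checked from the host by reading a container process's `/proc/<pid>/uid_map`. The following is an added example, not part of the JIRA thread and not Hadoop or Docker code; the sample map contents and the `audit` helper name are constructed for illustration, and it assumes the map is read from the host's initial user namespace.

```python
"""Added example: check whether container root is remapped on the host."""

# /proc/<pid>/uid_map format (Linux user_namespaces(7)): one extent per line,
# "<first id inside namespace> <first id outside> <length>".
IDENTITY_MAP = "         0          0 4294967295\n"  # constructed: no remapping
REMAPPED_MAP = "         0     231072      65536\n"  # constructed: remapped root


def parse_id_map(text):
    """Return a list of (inside_start, outside_start, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        extents.append((inside, outside, length))
    return extents


def host_id_for(extents, inside_id):
    """Translate an id inside the namespace to the host id, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def container_root_is_host_root(map_text):
    """True when uid 0 inside the container is uid 0 on the host."""
    return host_id_for(parse_id_map(map_text), 0) == 0


def audit(pid):
    """Read a live process's map; pid is a container process seen from the host."""
    with open(f"/proc/{pid}/uid_map") as fh:
        return container_root_is_host_root(fh.read())


if __name__ == "__main__":
    for name, sample in (("identity", IDENTITY_MAP), ("remapped", REMAPPED_MAP)):
        verdict = "host root" if container_root_is_host_root(sample) else "unprivileged"
        print(f"{name}: container uid 0 is {verdict} on the host")
```

An unmapped id (outside every extent) returns `None` from `host_id_for`, which is how ids with no host counterpart show up in a remapped container.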