Erik Weathers commented on YARN-2480:

Experimental support for user-namespaces in Docker has landed in version 1.9:
* http://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
* https://github.com/docker/docker/pull/12648

It's available via experimental builds (not in the normal 1.9 build), see this 
link for info on getting those builds:
* https://github.com/docker/docker/tree/master/experimental 

Documentation on the feature:

> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>                 Key: YARN-2480
>                 URL: https://issues.apache.org/jira/browse/YARN-2480
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
> When DockerContainerExector launches a container, the root inside that 
> container has root privileges on the host. 
> This is insecure in a mult-tenant environment. The uid of the container's 
> root user must be mapped to a non-privileged user on the host.

This message was sent by Atlassian JIRA

Reply via email to