[
https://issues.apache.org/jira/browse/YARN-2480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001610#comment-15001610
]
Erik Weathers commented on YARN-2480:
-------------------------------------
Experimental support for user-namespaces in Docker has landed in version 1.9:
* http://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
* https://github.com/docker/docker/pull/12648
It's available via experimental builds (not in the normal 1.9 build), see this
link for info on getting those builds:
* https://github.com/docker/docker/tree/master/experimental
Documentation on the feature:
*
https://github.com/docker/docker/blob/3b5fac462d21ca164b3778647420016315289034/experimental/userns.md
> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>
> Key: YARN-2480
> URL: https://issues.apache.org/jira/browse/YARN-2480
> Project: Hadoop YARN
> Issue Type: New Feature
> Reporter: Abin Shahab
> Labels: security
>
> When DockerContainerExector launches a container, the root inside that
> container has root privileges on the host.
> This is insecure in a mult-tenant environment. The uid of the container's
> root user must be mapped to a non-privileged user on the host.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
