Abin Shahab commented on YARN-2480:

Thanks, yes, it's interesting, but it demands contiguous id space for all
tasks/docker containers. We are wondering how to distribute the ids among
the tasks(do all tasks get the same range? Do all of them get separate
ranges? Do all tasks belonging to the same job get the same range?)

On Wed, Nov 11, 2015 at 6:52 PM, Erik Weathers (JIRA) <j...@apache.org>

> DockerContainerExecutor must support user namespaces
> ----------------------------------------------------
>                 Key: YARN-2480
>                 URL: https://issues.apache.org/jira/browse/YARN-2480
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
> When DockerContainerExector launches a container, the root inside that 
> container has root privileges on the host. 
> This is insecure in a mult-tenant environment. The uid of the container's 
> root user must be mapped to a non-privileged user on the host.

This message was sent by Atlassian JIRA

Reply via email to