[
https://issues.apache.org/jira/browse/YARN-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15606015#comment-15606015
]
Allen Wittenauer commented on YARN-5366:
----------------------------------------
I think you misunderstood what I was pointing out. If the yarn user is part of
the docker group, this gives the docker command access to the docker daemon
bits to the point that c-e is no longer needed to exec docker. Given that
there are currently zero protections to how YARN invokes docker, this doesn't
change the security profile at all.
> Add support for toggling the removal of completed and failed docker containers
> ------------------------------------------------------------------------------
>
> Key: YARN-5366
> URL: https://issues.apache.org/jira/browse/YARN-5366
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Attachments: YARN-5366.001.patch, YARN-5366.002.patch,
> YARN-5366.003.patch, YARN-5366.004.patch, YARN-5366.005.patch,
> YARN-5366.006.patch
>
>
> Currently, completed and failed docker containers are removed by
> container-executor. Add a job level environment variable to
> DockerLinuxContainerRuntime to allow the user to toggle whether they want the
> container deleted or not and remove the logic from container-executor.