YARN-7361. Improve the docker container runtime documentation. Contributed by Shane Kumpf
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/fac72eef Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/fac72eef Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/fac72eef Branch: refs/heads/YARN-6592 Commit: fac72eef23bb0a74a34f289dd6ef50ffa4303aa4 Parents: b246c54 Author: Jason Lowe <jl...@apache.org> Authored: Wed Nov 15 12:32:02 2017 -0600 Committer: Jason Lowe <jl...@apache.org> Committed: Wed Nov 15 12:32:02 2017 -0600 ---------------------------------------------------------------------- .../src/site/markdown/DockerContainers.md | 26 ++++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/fac72eef/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md index 36c391a..dbbce7f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/DockerContainers.md 
@@ -17,11 +17,15 @@ Launching Applications Using Docker Containers <!-- MACRO{toc|fromDepth=0|toDepth=1} --> -Notice ------- -This feature is experimental and is not complete. Enabling this feature and -running Docker containers in your cluster has security implications. -Please do a security analysis before enabling this feature. +Security Warning +--------------- +**IMPORTANT** This feature is experimental and is not complete. **IMPORTANT** +Enabling this feature and running Docker containers in your cluster has security +implications. With this feature enabled, it may be possible to gain root access +to the YARN NodeManager hosts. Given Docker's integration with many powerful +kernel features, it is imperative that administrators understand +[Docker security](https://docs.docker.com/engine/security/security/) before +enabling this feature. Overview -------- @@ -153,6 +157,18 @@ The following properties should be set in yarn-site.xml: privileged contains if privileged containers are allowed. </description> </property> + + <property> + <name>yarn.nodemanager.runtime.linux.docker.capabilities</name> + <value>CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE</value> + <description> + Optional. This configuration setting determines the capabilities + assigned to docker containers when they are launched. While these may not + be case-sensitive from a docker perspective, it is best to keep these + uppercase. To run without any capabilites, set this value to + "none" or "NONE" + </description> + </property> </configuration> ``` --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
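Review bot: In the first hunk (the new "Security Warning" section), the warning states that root access to the NodeManager hosts may be possible but does not tell the administrator which settings on this page bound that risk; consider adding a sentence pointing at the privileged-containers setting already described in this file and the new capabilities property introduced in the second hunk, so the warning is actionable rather than only cautionary. Wrapping the first sentence in a leading and trailing "**IMPORTANT**" also reads oddly in rendered Markdown; a single bold lead such as "**IMPORTANT:** This feature is experimental and is not complete." carries the same emphasis.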
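Review bot: In the second hunk (the yarn.nodemanager.runtime.linux.docker.capabilities property), the description has a typo, "capabilites" should be "capabilities", and the last sentence is missing its terminating period ("...set this value to "none" or "NONE"."). The description also does not say whether the listed value is the default applied when the property is unset or only an example; given the security warning added in the first hunk, it would help to state that explicitly and to note that administrators can reduce the list to only the capabilities their workloads require.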