[ 
https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181413#comment-16181413
 ] 

Eric Yang commented on YARN-6623:
---------------------------------

A couple of concerns:

1.  Moving code from Java to C, without a findbugs check for vulnerabilities, is 
risky for future enhancement.
2.  The mount point white list should be placed in a visible place like 
common-site.xml or yarn-site.xml to let other people know about the path that 
can be mounted.
3.  Container-executor.cfg permission might be set to 640, which prevents usability 
from point #2 for users.

The container-executor binary is governed by setuid bits.  A privileged user is 
allowed to do many things in Linux.  The effort of trying to limit the root user to 
less power does not improve security.  It only makes the system more difficult to 
service in situations that have yet to be realized.  Sorry that a lot of code 
has been written for this JIRA.  However, it seems a bit risky to push 
validation logic to the root user side.  In my opinion, it would have been better 
to reduce the scope of this JIRA to focus on disabling launching privileged 
containers on the node manager side only.

The failed unit test case does not seem to be related to the latest version of 
the patch.

> Add support to turn off launching privileged containers in the 
> container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: YARN-6623.001.patch, YARN-6623.002.patch, 
> YARN-6623.003.patch, YARN-6623.004.patch, YARN-6623.005.patch, 
> YARN-6623.006.patch, YARN-6623.007.patch, YARN-6623.008.patch, 
> YARN-6623.009.patch, YARN-6623.010.patch, YARN-6623.011.patch, 
> YARN-6623.012.patch, YARN-6623.013.patch
>
>
> Currently, launching privileged containers is controlled by the NM. We should 
> add a flag to the container-executor.cfg allowing admins to disable launching 
> privileged containers at the container-executor level.


