[ 
https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181845#comment-16181845
 ] 

Eric Yang commented on YARN-6623:
---------------------------------

[~wangda] How does a non-privileged user acquire excessive permission by 
executing c-e?  root:yarn is typically the owner of the c-e binary.  The user 
has to be root or yarn to run the binary.  Hence, validation done by the YARN 
user would be better than doing post validation after root privilege is 
acquired.  One can argue that the YARN user does not have access to check mount 
points, hence the validation needs to happen at root user level.  If a docker 
container is started for an unprivileged user by using -u [uid]:[gid], Linux 
file system ACL still applies to the process inside the container.  There will 
be no extra permission gain from mounting an unauthorized path.  In the 
previous implementation, there was no effective group id passed to docker.  
This was the reason that extra permission was gained through the effective 
group.  When this security hole is closed by YARN-4266, then there is no gain 
to shift validation logic to root user side for mount point permission 
validation.

> Add support to turn off launching privileged containers in the 
> container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: YARN-6623.001.patch, YARN-6623.002.patch, 
> YARN-6623.003.patch, YARN-6623.004.patch, YARN-6623.005.patch, 
> YARN-6623.006.patch, YARN-6623.007.patch, YARN-6623.008.patch, 
> YARN-6623.009.patch, YARN-6623.010.patch, YARN-6623.011.patch, 
> YARN-6623.012.patch, YARN-6623.013.patch
>
>
> Currently, launching privileged containers is controlled by the NM. We should 
> add a flag to the container-executor.cfg allowing admins to disable launching 
> privileged containers at the container-executor level.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
