[ 
https://issues.apache.org/jira/browse/YARN-7066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16204321#comment-16204321
 ] 

Eric Yang commented on YARN-7066:
---------------------------------

[~ebadger] Security restriction will be enforced by:

# Check for sudo privileges for launching privileged container (YARN-7221)
# Enforced effective uid:gid (YARN-4266)
# Black listed volume (YARN-7197)
# Allowed white list volume (YARN-5534)

For privileged users, there are minimum restrictions.  Unprivileged users 
can express a path to mount, but they will be blocked from unauthorized areas 
or by their own uid:gid privileges to the file system ACL.

When the listed security defects are solved, this feature will be as good as 
accessing the local file system ACL.

> Add ability to specify volumes to mount for DockerContainerRuntime
> ------------------------------------------------------------------
>
>                 Key: YARN-7066
>                 URL: https://issues.apache.org/jira/browse/YARN-7066
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-native-services
>    Affects Versions: 3.0.0-beta1
>            Reporter: Eric Yang
>         Attachments: YARN-7066.001.patch, YARN-7066.002.patch
>
>
> Yarnfile describes the environment, docker image, and configuration template for 
> launching docker containers in YARN.  It would be nice to have the ability to 
> specify the volumes to mount.  This can be used in combination with 
> AMBARI-21748 to mount HDFS as data directories to docker containers.
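
The allow-list and deny-list volume checks named in the comment above, sketched as an added example (not code from YARN or from any of the referenced patches). The function names, the deny-wins precedence, the rejection of mounts that contain a denied directory, and the constructed directory layout are assumptions made for illustration.

```python
import os
import tempfile


def is_under(path, root):
    """True if path equals root or lies below it, compared per path component."""
    return os.path.commonpath([path, root]) == root


def check_mount(source, allowed_roots, denied_roots):
    """Classify a requested host mount source (hypothetical policy helper)."""
    if not os.path.isabs(source):
        return "relative"
    # Resolve '..' and symlinks before comparing, so the policy sees the
    # directory that would really be exposed to the container.
    real = os.path.realpath(source)
    for root in map(os.path.realpath, denied_roots):
        # Assumption: deny wins, and a mount that *contains* a denied
        # directory is rejected too, since it would expose that directory.
        if is_under(real, root) or is_under(root, real):
            return "denied"
    for root in map(os.path.realpath, allowed_roots):
        if is_under(real, root):
            return "allowed"
    return "not-allowed"


def demo():
    """Evaluate sample requests against a constructed temporary tree."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="mount-demo-"))
    for d in ("data/app", "data/keys", "data-private", "etc"):
        os.makedirs(os.path.join(base, d))
    # Constructed symlink that points out of the allowed tree.
    os.symlink(os.path.join(base, "etc"), os.path.join(base, "data", "app", "link"))
    allow = [os.path.join(base, "data")]
    deny = [os.path.join(base, "data", "keys")]
    requests = ["data/app", "data/app/../keys", "data-private",
                "data/app/link", "data", "data/app/../../etc"]
    return {r: check_mount(os.path.join(base, r), allow, deny) for r in requests}


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:22} {verdict}")
```

A plain string-prefix comparison would accept `data-private` because it starts with `data`; comparing whole path components after resolution is what rejects it.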


