[ https://issues.apache.org/jira/browse/YARN-7960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476330#comment-16476330 ]

Eric Yang commented on YARN-7960:
---------------------------------

[~ebadger] The no-new-privileges option will block [selinux 
auditing|https://github.com/projectatomic/container-selinux/issues/51].  This 
feature will prevent enterprise customers from auditing security inside the 
container.  Some effort has been put in place to ensure selinux auditing is 
unblocked for CentOS 7.5 and newer.  It might be a good idea to check if the 
Hadoop cluster has selinux enforced before this option is appended to 
non-privileged containers.

> Add no-new-privileges flag to docker run
> ----------------------------------------
>
>                 Key: YARN-7960
>                 URL: https://issues.apache.org/jira/browse/YARN-7960
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Assignee: Eric Badger
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-7960.001.patch
>
>
> Minimally, this should be used for unprivileged containers. It's a cheap way 
> to add an extra layer of security to the docker model. For privileged 
> containers, it might be appropriate to omit this flag
> https://github.com/moby/moby/pull/20727



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
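The decision the two participants are discussing (append no-new-privileges only to non-privileged containers, and hold it back when the host has SELinux enforcing so in-container auditing keeps working) is small enough to sketch as a script. The following is an added example written for this page; it is not code from the YARN-7960 patch or from YARN's container-executor, and the function names, the explicit SELinux-mode argument and the image name are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the YARN patch or container-executor: decide
# whether --security-opt=no-new-privileges should be appended to a docker run
# command line, following the policy discussed in the thread:
#   * privileged container  -> omit the flag (per the issue description)
#   * non-privileged, SELinux enforcing on the host -> omit and warn, because
#     no-new-privileges blocks SELinux auditing inside the container
#   * non-privileged otherwise -> append the flag
# Function and argument names below are this example's own.

# Print the host SELinux mode: Enforcing, Permissive or Disabled.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce
  elif [ -r /sys/fs/selinux/enforce ]; then
    # selinuxfs exposes 1 for enforcing, 0 for permissive
    if [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then
      echo Enforcing
    else
      echo Permissive
    fi
  else
    echo Disabled
  fi
}

# no_new_privs_opt PRIVILEGED SELINUX_MODE
#   PRIVILEGED is "true" or "false"; SELINUX_MODE is the output of selinux_mode.
#   Prints the docker run argument to add, or nothing.
no_new_privs_opt() {
  privileged=$1
  mode=$2
  if [ "$privileged" = "true" ]; then
    return 0
  fi
  if [ "$mode" = "Enforcing" ]; then
    echo "warning: SELinux is enforcing; omitting no-new-privileges so in-container auditing keeps working" >&2
    return 0
  fi
  printf '%s' '--security-opt=no-new-privileges'
}

# build_docker_run PRIVILEGED IMAGE [SELINUX_MODE]
#   Prints the docker run command line that would be executed. The SELinux mode
#   can be passed explicitly (useful for testing); otherwise it is probed.
build_docker_run() {
  privileged=$1
  image=$2
  mode=${3:-$(selinux_mode)}
  opt=$(no_new_privs_opt "$privileged" "$mode")
  if [ "$privileged" = "true" ]; then
    printf 'docker run --privileged %s\n' "$image"
  elif [ -n "$opt" ]; then
    printf 'docker run %s %s\n' "$opt" "$image"
  else
    printf 'docker run %s\n' "$image"
  fi
}

# Show all three outcomes without touching the host's real SELinux state.
# "example/hadoop-worker" is a placeholder image name.
build_docker_run false example/hadoop-worker Disabled
build_docker_run false example/hadoop-worker Enforcing
build_docker_run true  example/hadoop-worker Disabled
```

Passing the SELinux mode explicitly keeps the policy testable on a host without SELinux; in production only the two-argument form would be used so the mode is probed from getenforce or selinuxfs. The CentOS 7.5 caveat from the comment is deliberately not encoded as a version check, since the thread does not say how that relaxation is detected.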
