[ https://issues.apache.org/jira/browse/YARN-7960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476330#comment-16476330 ]
Eric Yang commented on YARN-7960:
---------------------------------

[~ebadger] The no-new-privileges option will block [selinux auditing|https://github.com/projectatomic/container-selinux/issues/51]. This feature will prevent enterprise customers from auditing security inside the container. Some effort has been put in place to ensure selinux auditing is unblocked for CentOS 7.5 and newer. It might be a good idea to check if the Hadoop cluster has selinux enforced before this option is appended to non-privileged containers.

> Add no-new-privileges flag to docker run
> ----------------------------------------
>
>                 Key: YARN-7960
>                 URL: https://issues.apache.org/jira/browse/YARN-7960
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Assignee: Eric Badger
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-7960.001.patch
>
>
> Minimally, this should be used for unprivileged containers. It's a cheap way
> to add an extra layer of security to the docker model. For privileged
> containers, it might be appropriate to omit this flag
> https://github.com/moby/moby/pull/20727
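The two decisions discussed in this thread (append `--security-opt no-new-privileges` only for unprivileged containers, and check the host's SELinux mode first) as an added shell example. This is not YARN's container launch code and not the attached patch; the names `selinux_mode`, `docker_security_opts` and `container_cmd` are hypothetical, and the policy of skipping the flag when SELinux reports Enforcing is an assumption chosen to illustrate Eric Yang's suggestion, not a setting the project has adopted.

```shell
#!/bin/sh
# Added example (not Hadoop YARN code): choose the security options to splice
# into `docker run` for a container launch.
#   - unprivileged container  -> --security-opt no-new-privileges
#   - privileged container    -> flag omitted, as the issue text suggests
#   - host SELinux Enforcing  -> flag omitted (assumed policy, see lead-in),
#                                so SELinux auditing inside the container is
#                                not blocked by the no-new-privileges bit
# Function names and the Enforcing policy are assumptions for illustration.

# Report the host's SELinux mode as Enforcing, Permissive or Disabled.
# Prefers getenforce(8); falls back to /sys/fs/selinux/enforce; assumes
# Disabled when neither exists (e.g. a host without SELinux at all).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo Enforcing ;;
            *) echo Permissive ;;
        esac
    else
        echo Disabled
    fi
}

# docker_security_opts PRIVILEGED SELINUX_MODE
#   PRIVILEGED   : "true" when the container was requested as --privileged
#   SELINUX_MODE : output of selinux_mode, passed in so the logic is testable
#                  without touching the real host
# Prints the extra arguments for `docker run` (possibly nothing).
docker_security_opts() {
    privileged="$1"
    mode="$2"
    if [ "$privileged" = "true" ]; then
        # Privileged containers: no-new-privileges intentionally omitted.
        echo "--privileged"
        return 0
    fi
    if [ "$mode" = "Enforcing" ]; then
        # Assumed policy: leave the flag off and tell the operator why, so the
        # reduced hardening is visible in the launch log rather than silent.
        echo "no-new-privileges skipped: host SELinux is Enforcing" >&2
        echo ""
        return 0
    fi
    echo "--security-opt no-new-privileges"
}

# container_cmd PRIVILEGED IMAGE
# Builds the full command line for a constructed example launch; `id` is just
# a placeholder for the container's real entry point.
container_cmd() {
    privileged="$1"
    image="$2"
    opts="$(docker_security_opts "$privileged" "$(selinux_mode)")"
    # $opts is deliberately unquoted so its words become separate arguments.
    echo docker run --rm $opts "$image" id
}

# Constructed sample launches: one unprivileged, one privileged.
container_cmd false centos:7
container_cmd true  centos:7
```

Running the block prints the two command lines it would execute on the current host; on a host where `getenforce` reports Enforcing the unprivileged line loses the `--security-opt no-new-privileges` words and a one-line reason goes to stderr. Whether that trade is right for a given cluster is exactly the question the comment raises, so the skip is logged rather than silent.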