[ 
https://issues.apache.org/jira/browse/YARN-7904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16732257#comment-16732257
 ] 

Eric Yang commented on YARN-7904:
---------------------------------

When a privileged container is running as someone else, the root file system 
inside the container is managed by Docker.  The Docker sandbox directory can be 
cleaned up properly.  If the container mounts external volumes/directories, the 
data will be written as the user running inside the container.  The file 
permissions of the external volumes/directories must be consistent between the 
user in the container and the host system to ensure no file system permissions are 
violated.  This is handled by the YARN-7782 feature.  The only exception to the 
rule is when the node manager bind mounts the working directory for logging purposes 
using non-entrypoint mode.  Log files would be written as the root user or other 
users, which can create problems that prevent the node manager from cleaning up the 
working directory.  

Instead of making all bind-mounted directories read-only, we may want to 
consider blocking privileged containers from non-entrypoint mode to reduce the 
incompatible changes to the minimum.  Thoughts? 

> Privileged, trusted containers need all of their bind-mounted directories to 
> be read-only
> -----------------------------------------------------------------------------------------
>
>                 Key: YARN-7904
>                 URL: https://issues.apache.org/jira/browse/YARN-7904
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Badger
>            Assignee: Zhaohui Xin
>            Priority: Major
>              Labels: Docker
>
> Since they will be running as some other user than themselves, the NM likely 
> won't be able to clean up after them because of permissions issues. So, to 
> prevent this, we should make these directories read-only.
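The two launch-time policies discussed in this thread (the original proposal of making every bind mount of a privileged container read-only, and the comment's alternative of refusing privileged containers in non-entrypoint mode), written out as an added example. This is not YARN's or the node manager's own code; the `ContainerSpec`/`Mount` types, the `entrypoint_mode` flag and the sample paths are assumptions. It also includes a small ownership scan of a working directory, which is the check an operator would run to see why the node manager's cleanup of a container's working directory fails.

```python
"""Added example, not project code: launch policy for privileged containers
with bind mounts, plus an ownership pre-check for working-directory cleanup.
Types, field names and sample paths below are assumptions for illustration."""
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class Mount:
    host_path: str
    container_path: str
    read_only: bool = False


@dataclass
class ContainerSpec:
    privileged: bool
    entrypoint_mode: bool   # False: NM bind mounts the working dir for logging
    run_as_uid: int         # uid the process inside the container runs as
    mounts: tuple           # tuple of Mount


class PolicyError(ValueError):
    """Raised when a launch request violates the configured policy."""


def apply_policy(spec: ContainerSpec, block_non_entrypoint: bool = True) -> tuple:
    """Return the mounts the launcher should use, or raise PolicyError.

    block_non_entrypoint=True follows the comment's proposal: a privileged
    container may only launch in entrypoint mode, so the NM never bind mounts
    its working directory writable into a container running as another user.
    block_non_entrypoint=False follows the original YARN-7904 proposal: every
    bind mount of a privileged container is forced read-only.
    """
    if not spec.privileged:
        return spec.mounts                      # unprivileged: leave mounts alone
    if block_non_entrypoint:
        if not spec.entrypoint_mode:
            raise PolicyError("privileged container requires entrypoint mode")
        return spec.mounts
    return tuple(Mount(m.host_path, m.container_path, True) for m in spec.mounts)


def is_launch_allowed(spec: ContainerSpec, block_non_entrypoint: bool = True) -> bool:
    """Boolean form of apply_policy for callers that only need accept/reject."""
    try:
        apply_policy(spec, block_non_entrypoint)
    except PolicyError:
        return False
    return True


def docker_mount_args(mounts) -> list:
    """Render mounts as docker '-v host:container:ro|rw' arguments (standard syntax)."""
    args = []
    for m in mounts:
        mode = "ro" if m.read_only else "rw"
        args += ["-v", f"{m.host_path}:{m.container_path}:{mode}"]
    return args


def foreign_owned(entries, expected_uid: int) -> list:
    """Return paths from `entries` (iterable of (path, owner_uid)) not owned by
    expected_uid.  A subdirectory under the working dir owned by root or another
    user is the usual reason an unprivileged NM cleanup cannot empty the tree."""
    return sorted(path for path, uid in entries if uid != expected_uid)


def scan_tree(root: str):
    """Yield (path, owner_uid) for every entry under root, not following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield full, os.lstat(full).st_uid


if __name__ == "__main__":
    # Constructed sample: a privileged container in non-entrypoint mode whose
    # working directory is bind mounted writable for logs.
    spec = ContainerSpec(
        privileged=True, entrypoint_mode=False, run_as_uid=1000,
        mounts=(Mount("/var/yarn/nm/usercache/app_1/c_1", "/work"),),
    )
    print("block policy allows launch:", is_launch_allowed(spec))
    print("read-only policy args:", docker_mount_args(apply_policy(spec, False)))
    # Constructed listing of a working dir after such a container ran: a
    # root-owned log directory is what blocks cleanup by uid 1000.
    listing = [("/work/launch.sh", 1000), ("/work/log", 0), ("/work/log/stderr", 0)]
    print("entries blocking cleanup:", foreign_owned(listing, 1000))
```

`scan_tree` is the real-filesystem counterpart of the constructed listing: run `foreign_owned(scan_tree(path), nm_uid)` on a stuck container directory to list what the node manager user cannot remove.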



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org