You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2017/10/13 23:09:00 UTC

[jira] [Comment Edited] (YARN-7066) Add ability to specify volumes to mount for DockerContainerRuntime

    [ https://issues.apache.org/jira/browse/YARN-7066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16204321#comment-16204321 ] 

Eric Yang edited comment on YARN-7066 at 10/13/17 11:08 PM:
------------------------------------------------------------

[~ebadger] Security restriction will be enforced by:

# Check for sudo privileges for launching privileged container (YARN-7221)
# Enforced effective uid:gid (YARN-4266)
# Black listed volume (YARN-7197)
# Allowed white list volume (YARN-5534)

For privileged users, there is minimum restrictions.  For unprivileged users, they can express path to mount, but they will be blocked to unauthorized area or by their own uid:gid privileges to file system ACL.

When the listed security defects are solved, this feature will be as good as accessing local file system ACL.


was (Author: eyang):
[~ebadger] Security restriction will be enforced by:

# Check for sudo privileges for launching privileged container (YARN-7221)
# Enforced effective uid:gid (YARN-4266)
# Black listed volume (YARN-7197)
# Allowed white list volume (YARN-5534)

For privileged users, there is minimum restrictions.  For unprivileged user, they can express path to mount, but they will be blocked to unauthorized area or by their own uid:gid privileges to file system ACL.

When the listed security defects are solved, this feature will be as good as accessing local file system ACL.

> Add ability to specify volumes to mount for DockerContainerRuntime
> ------------------------------------------------------------------
>
>                 Key: YARN-7066
>                 URL: https://issues.apache.org/jira/browse/YARN-7066
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-native-services
>    Affects Versions: 3.0.0-beta1
>            Reporter: Eric Yang
>         Attachments: YARN-7066.001.patch, YARN-7066.002.patch
>
>
> Yarnfile describes environment, docker image, and configuration template for launching docker containers in YARN.  It would be nice to have ability to specify the volumes to mount.  This can be used in combination to AMBARI-21748 to mount HDFS as data directories to docker containers.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org