Posted to yarn-issues@hadoop.apache.org by "Bikas Saha (JIRA)" <ji...@apache.org> on 2013/05/31 00:57:20 UTC

[jira] [Commented] (YARN-732) YARN support for container isolation on Windows

    [ https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670919#comment-13670919 ] 

Bikas Saha commented on YARN-732:
---------------------------------

I like the idea of not using impersonation to achieve isolation. Would you mind sharing something about the approach/design before submitting patches? That would help shed some light and evoke discussion (better than a patch might IMO). Is the plan to continue to use winutils or create a new launcher executable?
                
> YARN support for container isolation on Windows
> -----------------------------------------------
>
>                 Key: YARN-732
>                 URL: https://issues.apache.org/jira/browse/YARN-732
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: trunk-win
>            Reporter: Kyle Leckie
>              Labels: security
>             Fix For: trunk-win
>
>
> There is no ContainerExecutor on Windows that can launch containers in a manner that creates:
> 1) container isolation
> 2) container execution with reduced rights
> I am working on patches that will add the ability to launch containers in a process with a reduced access token. My current approach does not attempt to run the process as the domain user passed into the launchContainer() call. Instead we run as a local user.
