Posted to yarn-issues@hadoop.apache.org by "Daniel Templeton (JIRA)" <ji...@apache.org> on 2017/05/18 11:38:04 UTC

[jira] [Commented] (YARN-6623) Add support to turn off launching privileged containers in the container-executor

    [ https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015619#comment-16015619 ] 

Daniel Templeton commented on YARN-6623:
----------------------------------------

It's not obvious to me why having two ways to disable privileged containers is necessary.  The container-executor.cfg also lives on the NM, so what we're saying is that we want two ways to disable privileged containers on the NM, both controlled by the administrator.  Is the point to keep someone from being able to use the container-executor binary as a security exploit outside of the NM?  If someone manages to gain the ability to launch the container-executor directly, privileged containers are the least of our worries.

> Add support to turn off launching privileged containers in the container-executor
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-6623
>                 URL: https://issues.apache.org/jira/browse/YARN-6623
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>
> Currently, launching privileged containers is controlled by the NM. We should add a flag to the container-executor.cfg allowing admins to disable launching privileged containers at the container-executor level.


