Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
Description
Currently, in the documentation for running the interpreters in Docker at https://zeppelin.apache.org/docs/latest/quickstart/docker.html, we recommend that users expose their Docker daemon over TCP.
This is dangerous, because the Docker daemon typically has broad system permissions, as documented at https://docs.docker.com/engine/security/#docker-daemon-attack-surface. Making the Docker daemon available to the Zeppelin service over TCP without accidentally also opening it to untrusted clients is hard.
It would be great if the DockerInterpreterProcess could talk to Docker over the Docker daemon socket: this can be exposed to only the Zeppelin service (and not other clients) much more easily.
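As an added example (not part of the original issue, and not Zeppelin or Docker project code), the following check classifies the listeners declared in a dockerd `daemon.json` so that a TCP-exposed daemon of the kind described above is flagged. The function name, severity labels and sample configurations are assumptions made for illustration, and the check reads only `daemon.json`, not `-H` flags passed on the dockerd command line.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # dockerd's Linux default listener

def audit_daemon_config(text):
    """Classify every listener in a dockerd daemon.json; returns (host, severity, reason)."""
    cfg = json.loads(text)
    # Client certificates are only enforced with tlsverify plus a CA to verify against.
    mutual_tls = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts") or DEFAULT_HOSTS:
        scheme = host.split("://", 1)[0]
        if scheme in ("unix", "fd"):
            findings.append((host, "ok", "local socket, access set by file permissions"))
        elif scheme != "tcp":
            findings.append((host, "review", "unrecognised listener scheme"))
        elif mutual_tls:
            findings.append((host, "review", "TCP with client-certificate verification"))
        elif (urlsplit(host).hostname or "") in LOOPBACK:
            findings.append((host, "high", "unauthenticated API for every local process"))
        else:
            findings.append((host, "critical", "unauthenticated API reachable over the network"))
    return findings

# Constructed sample configurations (not taken from Zeppelin or its documentation).
TCP_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TCP_LOOPBACK = '{"hosts": ["tcp://127.0.0.1:2375"]}'
TCP_MTLS = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
SOCKET_ONLY = '{}'

if __name__ == "__main__":
    for name, sample in [("tcp exposed", TCP_EXPOSED), ("tcp loopback", TCP_LOOPBACK),
                         ("tcp mTLS", TCP_MTLS), ("socket only", SOCKET_ONLY)]:
        for host, severity, reason in audit_daemon_config(sample):
            print(f"{name:13} {severity:9} {host}  ({reason})")
```

An "ok" result only means the daemon is not listening on TCP; who can open the socket file is still decided by its owner, group and mode.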