aurora-reviews mailing list archives

From "Bill Farner" <wfar...@apache.org>
Subject Re: Review Request 34337: Add Docker Parameters
Date Fri, 10 Jul 2015 01:52:38 GMT


> On July 8, 2015, 9:38 p.m., Bill Farner wrote:
> > Only nits remaining, and one request for test coverage.
> > 
> > One final disclaimer on the security issue this creates - IIUC, arbitrary user-specified volume mounts open up your cluster to privilege escalation.
> > See this discussion for some detail: https://github.com/docker/docker/issues/3124, specifically this comment:
> > ```
> >  thaJeztah commented on May 23
> > 
> > @JWGmeligMeyling files and folders created in the volume will have the same uid:gid (numeric) as the user creating them in the container. If you add a user inside the container having the same uid:gid as outside the container and run your container as that user, that should be possible
> > ```
> > 
> > More direct coverage of the risk:
> > https://fosterelli.co/privilege-escalation-via-docker.html
> > http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
> > 
> > 
> > I'm happy to be proven wrong on this suspicion, but please confirm for yourself that this is safe to do.
> 
> Mauricio Garavaglia wrote:
>     Hi, I'm aware of the security implications of the patch. Not only using volumes, but also enabling privileged mode, enabling host-based networking, or mapping devices can mess up the host. But since this is supported by Mesos, and we disable it by default now, I think it is an assumed risk of using Docker and its faulty security model.
>     
>     I understand this is a huge concern if the use case is that arbitrary task definitions are submitted directly into Aurora by users. One spurious job can crash all the tasks on a host. But there are also other use cases in which the interaction with Aurora is curated or hidden behind another tool. In those cases having this flexibility enables a lot of possibilities with Docker containers.
>     
>     Do you think it would be beneficial to raise the discussion with more people, or does this modification just move the project in the wrong direction?

> Do you think it would be beneficial to raise the discussion with more people, or does this modification just move the project in the wrong direction?

Since the default is to disable this, I'm okay with proceeding. Just want to make sure you're aware of the potential pitfalls if this behavior is opened too widely :-)


- Bill


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34337/#review90994
-----------------------------------------------------------


On July 5, 2015, 11:58 p.m., Mauricio Garavaglia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34337/
> -----------------------------------------------------------
> 
> (Updated July 5, 2015, 11:58 p.m.)
> 
> 
> Review request for Aurora and Bill Farner.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Support Arbitrary Docker Parameters in DockerContainer
> 
> 
> Diffs
> -----
> 
>   api/src/main/thrift/org/apache/aurora/gen/api.thrift d740a90 
>   docs/configuration-reference.md dafd306 
>   src/main/java/org/apache/aurora/scheduler/configuration/ConfigurationManager.java be79e70 
>   src/main/java/org/apache/aurora/scheduler/mesos/MesosTaskFactory.java c0d165a 
>   src/main/python/apache/aurora/config/schema/base.py d1f1e4f 
>   src/main/python/apache/aurora/config/thrift.py 88dd1c7 
>   src/test/java/org/apache/aurora/scheduler/mesos/MesosTaskFactoryImplTest.java c0cadfb 
> 
> Diff: https://reviews.apache.org/r/34337/diff/
> 
> 
> Testing
> -------
> 
> Used Docker as the container of a Job. Included volume and label parameters, which are correctly picked up by Mesos when starting the task. The Docker container gets the specified label and bind-mounts the volumes correctly. I've been running multiple PostgreSQL database Docker containers for several weeks, deploying them as Aurora jobs.
> 
> 
> Thanks,
> 
> Mauricio Garavaglia
> 
>
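The parameters this thread is worried about (arbitrary bind mounts, privileged mode, host networking, device mappings) can be screened before a job definition reaches the scheduler. The following is an added Python example, not code from the Aurora patch under review; the name/value parameter shape, the deny and allow lists, the helper names and the sample job are all assumptions made for the illustration.

```python
"""Added example, not from the Aurora patch under review: a policy check for
user-supplied Docker parameters of the kind discussed in this thread. Option
names follow `docker run`; deny list, mount allow list and sample job are constructed."""
from typing import Dict, List, Tuple

# Options that hand the container control over the host (constructed deny list).
HOST_ESCAPE_PARAMS = {"privileged", "device", "cap-add"}
# Host directories a job may bind-mount read-only; any other host path is rejected.
ALLOWED_MOUNT_PREFIXES = ("/var/lib/aurora/shared/",)


def check_volume(value: str) -> Tuple[bool, str]:
    """Validate one volume (-v) value of the form host:container[:mode]."""
    parts = value.split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        return True, ""  # named or anonymous volume: no host path exposed
    host_path, mode = parts[0], (parts[2] if len(parts) == 3 else "rw")
    if ".." in host_path.split("/"):
        return False, f"volume {value!r}: path traversal in host path"
    if not host_path.startswith(ALLOWED_MOUNT_PREFIXES):
        return False, f"volume {value!r}: host path not in allow list"
    if mode != "ro":
        return False, f"volume {value!r}: host bind mounts must be read-only"
    return True, ""


def check_parameters(params: List[Dict[str, str]]) -> List[str]:
    """Return policy violations for a job's Docker parameter list (empty means OK)."""
    violations = []
    for p in params:
        name, value = p["name"].lstrip("-").lower(), p["value"]
        if name in HOST_ESCAPE_PARAMS:
            violations.append(f"{name}: not permitted for user-submitted jobs")
        elif name in ("net", "network") and value == "host":
            violations.append("net=host: shares the host network namespace")
        elif name in ("volume", "v"):
            ok, why = check_volume(value)
            if not ok:
                violations.append(why)
    return violations


# Constructed sample job: the label is harmless, the other three reach the host.
SAMPLE_JOB_PARAMS = [
    {"name": "label", "value": "team=data"},
    {"name": "volume", "value": "/var/lib/aurora/shared/certs:/certs:ro"},
    {"name": "volume", "value": "/etc:/host-etc"},
    {"name": "privileged", "value": "true"},
    {"name": "net", "value": "host"},
]
```

Running `check_parameters(SAMPLE_JOB_PARAMS)` reports the bind mount outside the allow list, the privileged flag and the host network, while the label and the read-only mount under the shared prefix pass.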

