hadoop-hdfs-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDDS-1712) Remove sudo access from Ozone docker image
Date Tue, 16 Jul 2019 16:37:00 GMT

    [ https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16886283#comment-16886283 ]

Eric Yang commented on HDDS-1712:

Root can jailbreak from a container when mounting host-level files is allowed, such as mounting
/etc/passwd, /proc, /sys/fs.  Pull Request #1053 demonstrates the danger of giving the
hadoop user root privileges without restriction.  By printing a write line to the /etc/passwd
file, this allows the hadoop user to install a root user into the host.  The hadoop user has the power
to create chaos when too many privileges are given.  We can remove the risk by giving it non-root
privileges in the container.

The hadoop user is given sudo access for binary installation during test runtime.  The flow of
package installation logic can happen during the compilation or package phase of the Maven build cycle.
 Removing the sudo access will force developers to rethink how to instrument tests into
the running container more efficiently, without the duplicated downloads of the test framework
from the internet in the current smoke test.  If we can expand on the idea to build the docker image
after tarball creation (HDDS-1495) rather than the current runner image layout, then forward progress
would be easier.  I find it difficult to operate in a reactive approach to remove the sudo requirement
and make the current smoke test work with ozone-runner or hadoop-runner because:

# The sudo code is in a separate branch from the smoke test.  I cannot make smoke test changes
in this ticket because the smoke test logic resides in another branch.
# Many binary downloads and installations happen during the test run.  It takes quite a long time to repeatedly
install binaries during the test run.  On flaky internet, the test cases fail more frequently
due to inability to install the test framework rather than running the tests.
# The current smoke tests and Kubernetes cluster are working with a replication factor of 1,
and many tests are using an empty core-site.xml, hence, the disk operations are not distributed.
 Hence, I found the current smoke test confusing because the test parameters are invalid.
# Need on-demand configuration changes - Maven resource templating allows modifying environment
variables prior to startup of test runs.  There is a mismatch between the test-generated volume
and bucket and the core-site.xml configuration.  Bucket creation sequence, configuration file
generation, and daemon startup are in non-specific order.  The current tests are masking problems
because an empty configuration leads to use of local disk and allows some tests to pass.

To properly address those problems, the conversations are much longer ones.  This is my reasoning
to narrow the scope of this patch to the first step of removing the root power.  Would you be
open to fixing the smoke test in a follow-up ticket?

> Remove sudo access from Ozone docker image
> ------------------------------------------
>                 Key: HDDS-1712
>                 URL: https://issues.apache.org/jira/browse/HDDS-1712
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HDDS-1712.001.patch
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user.  This poses a security
> risk where host level user uid 1000 can attach a debugger to the container process to obtain
> root access.

This message was sent by Atlassian JIRA
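
A check for the two conditions the comment combines (a sudo grant in the image, and host mounts such as /etc/passwd, /proc, /sys/fs), added here as an example that is not part of the original message or the Ozone code base. The Dockerfile text, the volume list, and the function names are constructed for illustration.

```python
import re

# Host paths the comment names as dangerous to mount into a container that has root.
SENSITIVE_HOST_PATHS = ("/etc/passwd", "/proc", "/sys/fs")
SUDO_GRANT = re.compile(r"NOPASSWD|/etc/sudoers|\b(?:usermod|gpasswd)\b.*\b(?:sudo|wheel)\b")

def audit_dockerfile(text):
    """Return findings for sudo grants and for an image whose final user is root."""
    findings, user = [], "root"  # Docker runs as root when no USER instruction is given
    # Join backslash continuations so a multi-line RUN is scanned as one instruction.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        instr, _, rest = line.strip().partition(" ")
        if instr.upper() == "USER":
            user = rest.strip().split(":")[0]
        elif instr.upper() == "RUN" and SUDO_GRANT.search(rest):
            findings.append("sudo grant in RUN: " + " ".join(rest.split()))
    if user in ("root", "0"):
        findings.append("image runs as root")
    return findings

def audit_mounts(volumes):
    """Flag 'host:container[:mode]' bind mounts that expose a sensitive host path."""
    findings = []
    for spec in volumes:
        parts = spec.split(":")
        host = parts[0].rstrip("/") or "/"
        if not host.startswith("/"):
            continue  # named volume or relative path, not an absolute host bind mount
        mode = "ro" if len(parts) > 2 and "ro" in parts[2].split(",") else "rw"
        for s in SENSITIVE_HOST_PATHS:
            # Match the path itself, anything beneath it, or a parent directory containing it.
            if s == host or host.startswith(s + "/") or s.startswith(host.rstrip("/") + "/"):
                findings.append(f"{mode} mount of host {host} exposes {s}")
    return findings

# Constructed samples (not the Ozone project's files): an image that grants sudo, and a fixed one.
WITH_SUDO = r"""FROM centos:7
RUN yum install -y sudo && \
    echo "hadoop ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
USER hadoop
"""
WITHOUT_SUDO = """FROM centos:7
RUN useradd --uid 1000 hadoop
USER hadoop
"""
SAMPLE_VOLUMES = ["/etc/passwd:/etc/passwd", "ozone-data:/data", "/sys:/host/sys:ro"]

if __name__ == "__main__":
    for name, df in (("with sudo", WITH_SUDO), ("without sudo", WITHOUT_SUDO)):
        print(name, audit_dockerfile(df))
    print(audit_mounts(SAMPLE_VOLUMES))
```

A finding from both functions for the same deployment is the combination the comment describes: root inside the container plus a writable host file.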
