hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5534) Allow whitelisted volume mounts
Date Tue, 18 Jul 2017 18:27:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091952#comment-16091952 ]

Eric Badger commented on YARN-5534:

bq. Can you help me understand the use case here? While there are mounts that will be commonly needed by containers, I'm not sure of any bind mounts that every container will require.

I was thinking of the current code where we are bind-mounting "/sys/fs/cgroup" for every container. For my use case, we would always want to bind mount "/var/run/nscd" so that users can do lookups inside of the container and utilize the host's configs and cache. With the current state of affairs over in YARN-4266, if we enter the container as a UID:GID pair, MRAppMaster will fail if we don't bind-mount "/var/run/nscd".

bq. Given that these mounts are read-only and wholly at the discretion of the admin, I don't see that it should be much of a risk.

I think that I agree with this. The mounts have to be provided by the admin, so if they have malicious content in them, that's on them.

> Allow whitelisted volume mounts 
> --------------------------------
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch
> 1. Introduction
> Mounting files or directories from the host is one way of passing configuration and other information into a docker container.
> We could allow the user to set a list of mounts in the environment of ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2).
> These would be mounted read-only to the specified target locations. This has been resolved in YARN-4595.
> 2. Problem Definition
> But mounting arbitrary volumes into a Docker container can be a security risk.
> 3. Possible solutions
> One approach to provide safe mounts is to allow the cluster administrator to configure a set of parent directories as white list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list; when the container executor does mount checking, only the allowed directories or sub-directories can be mounted.

This message was sent by Atlassian JIRA
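
The mount check proposed in the issue description, sketched as an added example; this is not code from the message or from the YARN-5534 patches, and the function names `is_under`, `source_allowed` and `mounts_allowed` are hypothetical. It assumes a comma-separated whitelist value and the `/dir1:/targetdir1,/dir2:/targetdir2` list format, and it resolves both sides with `realpath()` so that `..` components, symlinks and sibling names such as `/data-secret` cannot pass as being under `/data`.

```c
#define _XOPEN_SOURCE 700   /* realpath(), strdup(), strtok_r() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if canonical path src is parent itself or lies beneath it (component boundary). */
static int is_under(const char *src, const char *parent) {
    size_t n = strlen(parent);
    if (strcmp(parent, "/") == 0) return 1;          /* root contains everything */
    if (strncmp(src, parent, n) != 0) return 0;
    return src[n] == '\0' || src[n] == '/';          /* rejects /data-secret for /data */
}

/* Check one host source path against a comma-separated list of allowed parents. */
int source_allowed(const char *source, const char *whitelist) {
    char real_src[PATH_MAX], real_parent[PATH_MAX];
    int ok = 0;
    if (realpath(source, real_src) == NULL) return 0; /* unresolvable: deny */
    char *copy = strdup(whitelist), *save = NULL;
    if (copy == NULL) return 0;
    for (char *p = strtok_r(copy, ",", &save); p && !ok; p = strtok_r(NULL, ",", &save))
        if (realpath(p, real_parent) != NULL)         /* skip entries that do not resolve */
            ok = is_under(real_src, real_parent);
    free(copy);
    return ok;
}

/* Validate "/src1:/dst1,/src2:/dst2"; 1 only if every source is allowed. */
int mounts_allowed(const char *mounts, const char *whitelist) {
    char *copy = strdup(mounts), *save = NULL;
    int ok = 1;
    if (copy == NULL) return 0;
    for (char *m = strtok_r(copy, ",", &save); m && ok; m = strtok_r(NULL, ",", &save)) {
        char *colon = strchr(m, ':');
        if (colon == NULL || colon == m) { ok = 0; break; } /* malformed entry: deny */
        *colon = '\0';                                /* keep only the host source path */
        ok = source_allowed(m, whitelist);
    }
    free(copy);
    return ok;
}

int main(void) {
    /* Constructed sample values, not taken from the issue. */
    printf("%d\n", mounts_allowed("/usr/bin:/opt/bin", "/usr"));
    printf("%d\n", mounts_allowed("/usr/../etc:/opt/etc", "/usr"));
    return 0;
}
```

The check only decides whether a source path is permitted at the moment it is resolved; the caller should mount the resolved path rather than the original string so that a later symlink change cannot redirect the mount.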
