hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-5534) Allow whitelisted volume mounts
Date Thu, 03 Aug 2017 17:19:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113114#comment-16113114
] 

Miklos Szegedi edited comment on YARN-5534 at 8/3/17 5:18 PM:
--------------------------------------------------------------

Thank you, [~shanekumpf@gmail.com] and [~vinodkv] for the details. As Shane said, Java knows
the configuration letting launch the container and seeing it fail in C. If the system is sending
so many invalid privileged requests that it affects system performance because of this, there
is already something wrong with that system.
However, one more thing. While having a general config to enable/disable privileged is nice,
I think eventually admins will need to specify the users that should be allowed to elevate
to privileged. This can be applied probably to the whitelist as well. Sorry for raising too
many design questions late in the development.


was (Author: miklos.szegedi@cloudera.com):
Thank you, [~shanekumpf@gmail.com] and [~vinodkv] for the details. As Shane said, Java knows
the configuration letting launch the container and seeing it fail in C. If the system is sending
so many invalid privileged requests that it affects system performance because of this, there
is already something wrong with that system.
However, one more thing. While having a general config to enable/disable privileged is nice,
I think eventually admins will need to specify the users that should be allowed to elevate
to privileged. This can be applied probably on the whitelist as well. Sorry for raising too
many design questions late in the development.

> Allow whitelisted volume mounts 
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch, YARN-5534.003.patch
>
>
> Introduction 
> Mounting files or directories from the host is one way of passing configuration and other
information into a docker container. 
> We could allow the user to set a list of mounts in the environment of ContainerLaunchContext
(e.g. /dir1:/targetdir1,/dir2:/targetdir2). 
> These would be mounted read-only to the specified target locations. This has been resolved
in YARN-4595
> 2.Problem Definition
> Bug mounting arbitrary volumes into a Docker container can be a security risk.
> 3.Possible solutions
> one approach to provide safe mounts is to allow the cluster administrator to configure
a set of parent directories as white list mounting directories.
>  Add a property named yarn.nodemanager.volume-mounts.white-list, when container executor
do mount checking, only the allowed directories or sub-directories can be mounted. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message