hadoop-yarn-issues mailing list archives

From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-7197) Add support for a volume blacklist for docker containers
Date Thu, 14 Sep 2017 19:48:00 GMT
Shane Kumpf created YARN-7197:

             Summary: Add support for a volume blacklist for docker containers
                 Key: YARN-7197
                 URL: https://issues.apache.org/jira/browse/YARN-7197
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: yarn
            Reporter: Shane Kumpf

Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whitelist of user mounts. While this is a much-needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system.

One example would be allowing users to mount /run from a host running systemd, and then running
systemd in that container, rendering the host mostly unusable.

This issue is to add support for a default blacklist. The default blacklist would be where
we put files and directories that, if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.

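
A sketch of the check the issue proposes, as an added example that is not part of the original message and not Hadoop's code: a requested bind-mount source is refused if it lies inside a blacklisted path or would expose one, and only then is it tested against the whitelist. The function names, the whitelist entries and the blacklist-wins ordering are assumptions; `/run` is the only path taken from the issue.

```python
import posixpath

# "/run" is the one path the issue names; a real default list would hold more.
DEFAULT_BLACKLIST = ("/run",)


def _norm(path):
    """Lexically normalise an absolute host path ('..', '.', repeated slashes)."""
    if not path.startswith("/"):
        raise ValueError(f"mount source must be absolute: {path!r}")
    # normpath keeps a leading '//', so collapse the leading slashes by hand.
    # This is lexical only: a real check must also resolve symlinks on the
    # host (for example where /var/run is a symlink to /run).
    return "/" + posixpath.normpath(path).lstrip("/")


def _within(path, root):
    """True if path is root itself or lies below it (component-wise)."""
    return root == "/" or path == root or path.startswith(root + "/")


def check_mount(source, whitelist, blacklist=DEFAULT_BLACKLIST):
    """Return (allowed, reason) for one requested host path."""
    src = _norm(source)
    # Assumption: the blacklist is evaluated first, so a whitelist mistake
    # cannot re-enable a dangerous path.
    for entry in map(_norm, blacklist):
        if _within(src, entry):
            return False, f"inside blacklisted path {entry}"
        if _within(entry, src):
            # Mounting an ancestor (such as "/") exposes the entry as well.
            return False, f"would expose blacklisted path {entry}"
    if not any(_within(src, _norm(w)) for w in whitelist):
        return False, "not on whitelist"
    return True, "on whitelist"


# Constructed admin whitelist; listing "/run" is the kind of
# misconfiguration the issue describes.
WHITELIST = ("/data", "/run")
REQUESTS = ("/data/logs", "/run", "/data/../run/systemd", "/", "/running")

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req:24} {check_mount(req, WHITELIST)}")
```

Passing `blacklist=()` models an admin removing the default entry, which the issue allows "if necessary".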