hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Thu, 14 Sep 2017 20:11:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16166916#comment-16166916

Eric Yang commented on YARN-7197:

Consider the following scenarios:

# Docker container with --privileged=true flag enabled and run systemd in docker container
with: /sys/fs/cgroup:/sys/fs/cgroup:ro.  This allows systemd to run in docker container, while
protecting cgroup control enforced from host layer.
# Docker container attempt to mount /run should be forbidden, always initialized with tmpfs.
# Allow docker container to access /var/run/docker.socket on the host layer for privileged
container to interact with host layer docker daemon.

The black list needs to have ability to list all the forbidden mount points, such as /sys,
and /run.  There are some exception that needs to have ability to mount as read only.  The
last but not the least, the ability to create special mount points for privileged container
to access host layer docker daemon.  This feature requires to maintain 3 control lists for

# A general backlisted mount points
# A read-only mount points
# A exception list that is allowed to mount, if running with privileged mode.

Last one can be covered by white list feature in YARN-5534.  This JIRA only needs to cover
case 1, and 2.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
> Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whilelist of volume mounts. While this is a much needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system. 
> One example would be allowing users to mount /run from a host running systemd, and then
running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
where we put files and directories that if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message