hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Tue, 31 Oct 2017 11:12:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226626#comment-16226626
] 

Shane Kumpf commented on YARN-7197:
-----------------------------------

My initial thought was that the empty directory bind mounted (Solution 3) would work nicely
to achieve this goal, but I believe that could be problematic as well. A bulk of the top level
directories being discussed as blacklist candidates are "API filesystems", for example /run.
While containers != VMs, containers will be used similarly and as a result will run systemd.
Systemd manages "API Filesystems" if they don't exist. However, in the case of an empty /run
bind mount, systemd will not create the tmpfs /run, which can lead to broken behavior for
units leveraging tmpfiles. This is one case I'm aware of, but I would not be surprised to
find other issues on non-systemd systems. Given the discussions on how the proposed solutions
may surprise users and doesn't necessarily prevent attack, I'm starting to believe documentation
about the dangers of white listing top-level mounts might be most appropriate, as Jason mentioned
earlier.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whilelist of volume mounts. While this is a much needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system. 
> One example would be allowing users to mount /run from a host running systemd, and then
running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
where we put files and directories that if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message