hadoop-yarn-issues mailing list archives

From "Shane Kumpf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Tue, 31 Oct 2017 11:12:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226626#comment-16226626

Shane Kumpf commented on YARN-7197:

My initial thought was that the empty directory bind mounted (Solution 3) would work nicely
to achieve this goal, but I believe that could be problematic as well. The bulk of the top level
directories being discussed as blacklist candidates are "API filesystems", for example /run.
While containers != VMs, containers will be used similarly and as a result will run systemd.
Systemd manages "API Filesystems" if they don't exist. However, in the case of an empty /run
bind mount, systemd will not create the tmpfs /run, which can lead to broken behavior for
units leveraging tmpfiles. This is one case I'm aware of, but I would not be surprised to
find other issues on non-systemd systems. Given the discussions on how the proposed solutions
may surprise users and don't necessarily prevent attack, I'm starting to believe documentation
about the dangers of whitelisting top-level mounts might be most appropriate, as Jason mentioned.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
> Docker supports bind mounting host directories into containers. Work is underway to allow
> admins to configure a whitelist of volume mounts. While this is a much needed and useful feature,
> it opens the door for misconfiguration that may lead to users being able to compromise or
> crash the system.
> One example would be allowing users to mount /run from a host running systemd, and then
> running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
> where we put files and directories that if mounted into a container, are likely to have negative
> consequences. Users are encouraged not to remove items from the default blacklist, but may
> do so if necessary.
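As an added illustration of the whitelist-plus-default-blacklist check the issue describes (this is example code written for this page, not Hadoop's container-executor or any patch attached to YARN-7197), the policy below validates a requested Docker volume spec. The blacklist contents beyond /run, the `src:dst[:mode]` spec format, the class and function names, and the whitelist values are all assumptions. The point it adds to the discussion is the normalisation work a blacklist needs to be worth anything: `/run/`, `/tmp/../run`, `//run` and a mount of a parent such as `/var` or `/` all expose the same host directory and must be caught, while `/runfoo` must not be mistaken for `/run`. It also includes an audit helper that flags whitelist entries overlapping the blacklist, which is the documentation-style warning the comment above leans towards.

```python
"""Volume-mount policy check for bind mounts requested by containers.

Constructed example for this thread; not Hadoop YARN project code.
Assumes each requested volume is a "src:dst[:mode]" string, an admin-supplied
whitelist of allowed host source prefixes, and a default blacklist of host
paths that should never be mounted into a container.
"""
import posixpath

# Constructed default blacklist. /run is the candidate discussed in YARN-7197;
# the remaining entries are illustrative choices, not the project's list.
DEFAULT_BLACKLIST = ("/run", "/var/run", "/proc", "/sys", "/dev", "/etc", "/boot")


def normalize(path):
    """Lexically normalise an absolute host path.

    Collapses '.', '..', repeated and trailing slashes so that '/tmp/../run',
    '/run/' and '///run' all become '/run'. posixpath.normpath keeps exactly two
    leading slashes (POSIX allows '//x' to be special), so that case is
    collapsed by hand. This is lexical only: symlinks on the host must be
    resolved with os.path.realpath before this check for it to be meaningful.
    """
    if not path.startswith("/"):
        raise ValueError("volume source must be an absolute path: %r" % path)
    norm = posixpath.normpath(path)
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    return norm


def is_under(path, prefix):
    """True if `path` equals `prefix` or lies inside it.

    Component-aware, so '/runfoo' is NOT under '/run', but '/run/systemd' is.
    """
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


class MountPolicy:
    """Whitelist of allowed source prefixes combined with a default blacklist."""

    def __init__(self, whitelist, blacklist=DEFAULT_BLACKLIST):
        self.whitelist = tuple(normalize(p) for p in whitelist)
        self.blacklist = tuple(normalize(p) for p in blacklist)

    def covered_by_blacklist(self, src):
        """Return the blacklist entry that `src` exposes, or None.

        A source is denied both when it lies inside a blacklisted path and when
        it contains one: mounting '/' or '/var' exposes /var/run just as
        mounting /var/run directly does.
        """
        for bad in self.blacklist:
            if is_under(src, bad) or is_under(bad, src):
                return bad
        return None

    def check(self, volume):
        """Validate one 'src:dst[:mode]' spec; returns (allowed, reason)."""
        parts = volume.split(":")
        if len(parts) < 2 or not parts[0] or not parts[1]:
            return (False, "malformed volume spec: %r" % volume)
        try:
            src = normalize(parts[0])
        except ValueError as exc:
            return (False, str(exc))
        bad = self.covered_by_blacklist(src)
        if bad is not None:
            return (False, "source %s is covered by blacklist entry %s" % (src, bad))
        if not any(is_under(src, ok) for ok in self.whitelist):
            return (False, "source %s is not under any whitelisted prefix" % src)
        return (True, "ok")

    def audit_whitelist(self):
        """Whitelist entries that overlap the blacklist; an admin who whitelisted
        /run (the case from the issue description) would see it listed here."""
        return [ok for ok in self.whitelist if self.covered_by_blacklist(ok) is not None]


if __name__ == "__main__":
    policy = MountPolicy(["/data", "/opt/app"])
    for spec in ("/data/in:/in:ro", "/run:/run", "/data/../run:/run", "//run:/run",
                 "/var:/var", "/:/host", "/runfoo:/x"):
        print("%-22s -> %s" % (spec, policy.check(spec)))
    print("overlapping whitelist entries:", MountPolicy(["/data", "/run"]).audit_whitelist())
```

Everything inside `check` is lexical; a production implementation must canonicalise the host source (symlink resolution as the privileged executor, not as the requesting user) before applying the same prefix logic, or a symlink under a whitelisted directory pointing at /run defeats it.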

This message was sent by Atlassian JIRA
