hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Tue, 24 Oct 2017 20:28:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217638#comment-16217638

Eric Yang commented on YARN-7197:

[~ebadger] Symlink are banned to prevent mistakes.  I can lift the symlink check and trust
that system admin will always express physical path correctly instead of symlink paths in
black list.  I found myself expressing /var/run/utmp more often instead of /run/utmp, and
double negative could slip through undetected when symlinks are supported for black list.

I did not separate black list for read-only and read-write to reduce wordy configurations
that could generate security holes.  For example, if someone would like to mount /run as read
only, and allow docket.socket to be used inside container.

Should they specify?

white-listed-read-only: /run
white-listed-read-write: /run/docker.socket
black-listed-read-write: /run


white-listed-read-only: /run
white-listed-read-write: /run/docker.socket

Ideally, user should be able to specify the minimum to get the system to work:

white-listed-read-only: /run
white-listed-read-write: /run/docker.socket


white-listed-read-only: /run
black-listed-read-only: /run/docker.socket

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
> Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whilelist of volume mounts. While this is a much needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system. 
> One example would be allowing users to mount /run from a host running systemd, and then
running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
where we put files and directories that if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message