hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Wed, 25 Oct 2017 13:57:00 GMT

[ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218663#comment-16218663 ]

Eric Badger commented on YARN-7197:
-----------------------------------

bq. File system ACL is the only protection to verify uid:gid are indeed authorized to access
the included area.
If that's true, then I don't see what the black list gives us.

{quote}
The black list is designed to filter out more sinister attack against the system.
For example, system admin configures:
white-listed-read-write: /mnt/hdfs/user
black-listed: /mnt/hdfs/user/yarn,/run/docker.socket
This will prevent naughty junior developer from doing:
docker run -u yarn:yarn -it -v /mnt/hdfs/user/yarn:/tmp centos:latest bash
or
docker run -u yarn:docker -it -v /run/docker.socket:/run/docker.socket centos:latest bash
{quote}
But there's nothing preventing the attacker from running

{noformat}
docker run -u yarn:yarn -it -v /mnt/hdfs/user:/tmp centos:latest bash
{noformat}
and then using /tmp/yarn instead of /tmp to get to /mnt/hdfs/user/yarn. The same applies to
/run/docker.socket if /run were in the whitelist.

bq. The black list feature is not designed to make a subdirectory disappear. Docker still
depends on file system ACL to enforce security. This feature is only good for blocking certain
system directories from developers to protect the host OS and Hadoop. This is also the reason
that the system admin keeps the black list secret from naughty developers.

But I don't see it blocking directories at all. The user can just mount above the blacklist
and they get access to exactly what they want. This protects them from mounting the exact
path in the blacklist, but that doesn't really buy us anything if they can mount the parent
directory. If I can't prevent a file/directory underneath the parent directory from being
accessed, then I don't see the utility of the blacklist.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow admins to configure a whitelist of volume mounts. While this is a much needed and useful feature, it opens the door for misconfiguration that may lead to users being able to compromise or crash the system.
> One example would be allowing users to mount /run from a host running systemd, and then running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be where we put files and directories that, if mounted into a container, are likely to have negative consequences. Users are encouraged not to remove items from the default blacklist, but may do so if necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
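As an added illustration of the parent-directory problem raised in this comment (example code written for this page, not part of YARN or of either attached patch): a deny-list check that only matches exact paths, beside one that also refuses a mount source that is an ancestor of a deny-listed entry. The whitelist and blacklist values are the ones from the thread; the function names are assumed.

```python
import posixpath

# Constructed sample configuration, mirroring the admin config quoted in the thread.
WHITELIST = ["/mnt/hdfs/user"]
BLACKLIST = ["/mnt/hdfs/user/yarn", "/run/docker.socket"]


def normalize(path):
    """Collapse '.', '..', trailing and repeated slashes so that
    '/mnt/hdfs/user/../user/yarn/' compares equal to '/mnt/hdfs/user/yarn'.
    Symlinks are deliberately not resolved here (no filesystem access); a real
    enforcement point on the host would also apply os.path.realpath."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        raise ValueError("mount source must be an absolute path: %r" % path)
    return norm


def is_within(path, root):
    """True if path equals root or lies underneath it (separator-aware, so
    '/mnt/hdfs/user/yarnfoo' is NOT within '/mnt/hdfs/user/yarn')."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def allowed_exact_match(requested, whitelist=WHITELIST, blacklist=BLACKLIST):
    """The weak rule the comment objects to: deny only an exact hit on the
    blacklist. A request for the parent of a blacklisted path passes, and the
    container then reaches the blacklisted entry as a subpath of the mount."""
    req = normalize(requested)
    if req in {normalize(b) for b in blacklist}:
        return False
    return any(is_within(req, normalize(w)) for w in whitelist)


def allowed_ancestor_aware(requested, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Deny if the requested source is a blacklisted path, lies under one, or
    is an ancestor of one; only then check the whitelist."""
    req = normalize(requested)
    for entry in blacklist:
        b = normalize(entry)
        if is_within(req, b) or is_within(b, req):
            return False
    return any(is_within(req, normalize(w)) for w in whitelist)
```

Note that the ancestor-aware rule also refuses the whitelisted root /mnt/hdfs/user itself once /mnt/hdfs/user/yarn is blacklisted, which is exactly the tension the comment describes: the blacklist either fails to protect the subdirectory or shrinks the whitelist.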


