hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Sat, 28 Oct 2017 07:47:01 GMT

[ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223306#comment-16223306 ]

Eric Yang commented on YARN-7197:
---------------------------------

[~jlowe] I agree with everything you said; the current implementation is a moot point
besides top-level directories.  The real security problem with mounts was solved in YARN-4266,
where enforcing the effective group ensures the processes inside the container don't get
more privileges than the user was allowed.  The intent of the blacklist is to add an additional
safeguard to prevent mistakes that can result in a jailbreak.  If we go by what you said,
then if {{/mnt/hdfs/user/yarn}} is in the blacklist, it automatically gets replaced with
{{/dev/null}}.

If someone makes an attack like:
{code}
docker run -v /mnt/hdfs/user/yarn:/tmp/yarn centos:latest bash
{code}

The resulting command looks like:
{code}
docker run -v /dev/null:/tmp/yarn centos:latest bash
{code}

Inside the container looks like:

{code}
[root@6d6588764109 /]# ls -l /tmp
total 4
-rwx------ 1 root root  836 Sep 11 15:53 ks-script-q6TWGF
crw-rw-rw- 1 root root 1, 3 Oct 28 07:37 yarn
-rw------- 1 root root    0 Sep 11 15:51 yum.log
{code}

Everything goes nowhere, and no cleanup.  Thoughts?

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow
> admins to configure a whitelist of volume mounts. While this is a much needed and useful feature,
> it opens the door for misconfiguration that may lead to users being able to compromise or
> crash the system.
> One example would be allowing users to mount /run from a host running systemd, and then
> running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
> where we put files and directories that if mounted into a container, are likely to have negative
> consequences. Users are encouraged not to remove items from the default blacklist, but may
> do so if necessary.




