hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5534) Allow whitelisted volume mounts
Date Thu, 16 Nov 2017 16:46:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16255583#comment-16255583
] 

Eric Yang commented on YARN-5534:
---------------------------------

[~ebadger] [~shanekumpf@gmail.com] In YARN-7430, there was mentioned how do we handle arbitrary
docker image from docker hub without consistent uid:gid with the cluster.  That discussion
is related to allow defining white listed volume.  We can check the origin of the docker image,
if it comes from private registry, image name that starts with hostname of private registry,
then we allow white list volumes.  If image is from public repository, then we disallow user
defined mount.  When image has been approved to move from dockerhub to private repository,
then user can store data into HDFS.  The approval process is the safe guard to make sure the
uid:gid used by image is compatible with the cluster.  Does this sound reasonable approach
to protect against unknown images?

> Allow whitelisted volume mounts 
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch, YARN-5534.003.patch
>
>
> Introduction 
> Mounting files or directories from the host is one way of passing configuration and other
information into a docker container. 
> We could allow the user to set a list of mounts in the environment of ContainerLaunchContext
(e.g. /dir1:/targetdir1,/dir2:/targetdir2). 
> These would be mounted read-only to the specified target locations. This has been resolved
in YARN-4595
> 2.Problem Definition
> Bug mounting arbitrary volumes into a Docker container can be a security risk.
> 3.Possible solutions
> one approach to provide safe mounts is to allow the cluster administrator to configure
a set of parent directories as white list mounting directories.
>  Add a property named yarn.nodemanager.volume-mounts.white-list, when container executor
do mount checking, only the allowed directories or sub-directories can be mounted. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message