hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Mon, 06 Nov 2017 22:31:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241014#comment-16241014

Jason Lowe commented on YARN-7197:

bq. I see that I missed a key point about mounting above parent directory. When the target
location is set to another location, the blacklist addictive does not enforce blacklisted
path relative to target location.

If I'm understanding properly, we need to be worried not only about what host path the user
is trying to mount but also _where_ they are trying to mount it within the image?  I was under
the impression the contents of the image were user-provided.  If that's the case then I do
not see why the user needs a bind-mount from the host to clobber some path in the image. 
They could just create the nefarious contents in the image directly.  Am I misunderstanding,
or do you have an example where it is necessary?

bq. Do you agree that by tracking blacklisted path relative location to target location, we
can satisfy the original motive of preventing jail break out of container?

I thought the point of this JIRA was to prevent exposing sensitive paths on the host to the
container so it's inaccessible even if the user gains privilege within the container.  It
sounds like you're proposing that the blacklist should also prevent those paths in the image
from being clobbered by mounts from the host.  If the user controls the image contents then
I'm not sure that protects us from much.  Apologies if I'm misunderstanding what is meant
by "relative location to target location."

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch, YARN-7197.003.patch, YARN-7197.004.patch,
> Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whilelist of volume mounts. While this is a much needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system. 
> One example would be allowing users to mount /run from a host running systemd, and then
running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
where we put files and directories that if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message