hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7197) Add support for a volume blacklist for docker containers
Date Tue, 07 Nov 2017 00:55:00 GMT

[ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241257#comment-16241257 ]

Eric Yang edited comment on YARN-7197 at 11/7/17 12:54 AM:
-----------------------------------------------------------

{quote}
{code}
docker run -it -v /etc:/home/test/etc --mount 'type=bind,source=/var/empty/sshd,target=/home/test/etc/shadow,readonly'
centos:latest bash
{code}
{quote}

This case will fail, unless developers change their rules to be more specific about which sub-directory
they would like to mount.  They can refine their configuration to:

{code}
docker run -v /etc/hadoop/conf:/home/test/conf/hadoop centos:latest bash
{code}

Resulting in:

{code}
docker run -it -v /etc/hadoop/conf:/home/test/conf/hadoop centos:latest bash
{code}

The blacklist doesn't get included because the path diverged.

If I make empty files and sockets, and mount those, it seems a bit of an overkill, and harder to
secure because the yarn user isn't root.  There might be some limitation in making a file with the same
ownership in the yarn working directory to map into the container.  Therefore, we fail fast and let the developer
and system admin resolve this on their own.  Is this a fair compromise?



was (Author: eyang):
{quote}
{code}
docker run -it -v /etc:/home/test/etc --mount 'type=bind,source=/var/empty/sshd,target=/home/test/etc/shadow,readonly'
centos:latest bash
{code}
{quote}

This case will fail, unless developers change their rules to be more specific about which sub-directory
they would like to mount.  If I make empty files and sockets, and mount those, it seems a bit
of an overkill, and harder to secure because the yarn user isn't root.  There might be some limitation
in making a file with the same ownership in the yarn working directory to map into the container.  Therefore,
we fail fast and let the developer and system admin resolve this on their own.  Is this a fair
compromise?


> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch, YARN-7197.003.patch, YARN-7197.004.patch, YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow
> admins to configure a whitelist of volume mounts. While this is a much needed and useful feature,
> it opens the door for misconfiguration that may lead to users being able to compromise or
> crash the system.
> One example would be allowing users to mount /run from a host running systemd, and then
> running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
> where we put files and directories that if mounted into a container, are likely to have negative
> consequences. Users are encouraged not to remove items from the default blacklist, but may
> do so if necessary.
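As an added illustration of the fail-fast check discussed in the comment above (example code written for this archive, not YARN's container-executor and not code from the issue's patches): it parses the `docker run` arguments shown, normalises each bind-mount source, and rejects the run when a source covers a blacklisted host path, while the narrowed `/etc/hadoop/conf` mount passes because the paths diverge. The blacklist contents and the rule that subpaths of a blacklisted directory are also rejected are assumptions of this example.

```python
import posixpath

# Constructed blacklist for this example; not YARN's actual default list.
DEFAULT_BLACKLIST = ("/etc/shadow", "/run", "/var/run/docker.sock")


def _norm(path):
    # Lexical normalisation only ("/etc/hadoop/conf/../../shadow" -> "/etc/shadow");
    # a host-side check would also resolve symlinks with os.path.realpath.
    return posixpath.normpath("/" + path.strip().lstrip("/"))


def _is_ancestor_or_same(parent, child):
    parent, child = _norm(parent), _norm(child)
    return parent == "/" or child == parent or child.startswith(parent + "/")


def parse_bind_mounts(args):
    """Collect (host_source, container_target) pairs from docker run arguments:
    `-v SRC:DST[:opts]` (absolute SRC only; named volumes are not bind mounts)
    and `--mount type=bind,source=SRC,target=DST,...`."""
    mounts, i = [], 0
    while i < len(args):
        if args[i] == "-v" and i + 1 < len(args):
            parts = args[i + 1].split(":")
            if len(parts) >= 2 and parts[0].startswith("/"):
                mounts.append((parts[0], parts[1]))
            i += 2
        elif args[i] == "--mount" and i + 1 < len(args):
            kv = dict(p.split("=", 1) for p in args[i + 1].split(",") if "=" in p)
            if kv.get("type", "bind") == "bind" and "source" in kv and "target" in kv:
                mounts.append((kv["source"], kv["target"]))
            i += 2
        else:
            i += 1
    return mounts


def blacklist_violations(args, blacklist=DEFAULT_BLACKLIST):
    """Return [(normalised_source, blacklist_entry), ...] for each bind mount whose
    host source exposes a blacklisted path (source is that path or an ancestor of it)
    or lies inside a blacklisted directory (assumption: subpaths are rejected too).
    Empty means the run may proceed; otherwise fail fast, no matter what is mounted
    over the target inside the container (the source check alone decides)."""
    hits = []
    for src, _target in parse_bind_mounts(args):
        for entry in blacklist:
            if _is_ancestor_or_same(src, entry) or _is_ancestor_or_same(entry, src):
                hits.append((_norm(src), entry))
    return hits
```

Mounting an empty directory over the container-side `/home/test/etc/shadow` does not help, because the decision is made on the host-side source `/etc`, which still covers `/etc/shadow`.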



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
