hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers
Date Tue, 07 Nov 2017 18:29:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242583#comment-16242583 ]

Eric Yang commented on YARN-7197:
---------------------------------

[~shanekumpf@gmail.com]
{quote}
Unfortunately, I've recently encountered a scenario where this restriction would have made
the use case pretty difficult to get working. The issue goes back to what I mentioned about
systemd and API filesystems. There are valid cases for mounting the docker socket, such as
CI. Due to systemd running in the container, /run is mounted as a tmpfs after the docker bind
mount is handled, hiding /run/docker.sock in the container, so docker in docker use cases
that also use systemd as the init process would not be possible (without modifications to
the docker daemon config on the host). If we do impose that restriction by default, then we'll
also need a way to disable it.
{quote}

There are a lot of painful lessons in running docker in docker.  There is a good blog about [this|https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/].
I had almost the exact same experience with the drawbacks.

We can run docker in parallel, which allows a privileged container to mount /run/docker.sock
to spawn docker at the top-level docker image.  If a normal user mounts /run/docker.sock into a
non-privileged container, they should not have access to control /run/docker.sock.  Today,
they may have access to /run/docker.sock due to a bug for not passing in the primary group, which allows a
non-privileged user to become the root group (YARN-7430).  However, this implementation will not
safeguard against docker instances spawned from inside the container.  It is possible to lose
track of containers spawned by containers.  Hence, be very careful about who you hand the
keys over to spawn privileged containers.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch, YARN-7197.003.patch, YARN-7197.004.patch,
YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow
admins to configure a whitelist of volume mounts. While this is a much needed and useful feature,
it opens the door for misconfiguration that may lead to users being able to compromise or
crash the system. 
> One example would be allowing users to mount /run from a host running systemd, and then
running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be
where we put files and directories that if mounted into a container, are likely to have negative
consequences. Users are encouraged not to remove items from the default blacklist, but may
do so if necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
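The issue and the comment above both turn on the same check: a requested bind mount must be rejected when it is, or contains, a blacklisted host path, before the admin whitelist is even consulted. The Python below is an added illustration of that check, not YARN's own container-executor code (which is C) and not the contents of any YARN-7197 patch. The blacklist entries, the symlink table standing in for os.path.realpath(), and the sample mount specs are all constructed for the example. It generalises the two cases discussed (systemd's /run, and /var/run/docker.sock reaching /run/docker.sock through a symlink) by canonicalising paths before comparison, so that "/data/../run" and "/var/run/docker.sock" are caught the same way as a literal "/run".

```python
"""Bind-mount validator: default blacklist checked ahead of an admin whitelist.

Added example, not YARN's own code. DEFAULT_BLACKLIST and HOST_SYMLINKS are
constructed for illustration; a real implementation would resolve host paths
with os.path.realpath() on the NodeManager host instead of a fixed table.
"""
import posixpath
from typing import Dict, Optional, Sequence, Tuple

# Constructed default blacklist: host paths never exposed to a container,
# regardless of what the whitelist says.
DEFAULT_BLACKLIST: Tuple[str, ...] = (
    "/run",             # systemd API filesystem; also holds docker.sock
    "/var/run",         # symlink to /run on systemd hosts
    "/sys",
    "/proc",
    "/dev",
    "/etc",
    "/var/lib/docker",
)

# Constructed stand-in for symlink resolution so the example runs the same
# everywhere: on a systemd host /var/run -> /run and /var/lock -> /run/lock.
HOST_SYMLINKS: Dict[str, str] = {"/var/run": "/run", "/var/lock": "/run/lock"}


def canonicalize(path: str, symlinks: Dict[str, str] = HOST_SYMLINKS) -> str:
    """Collapse '..', '.' and '//' lexically, then rewrite symlinked prefixes.

    Comparing raw strings is the classic mistake: '/data/../run' or
    '/var/run/docker.sock' would slip past a naive '/run' prefix check.
    """
    if not path.startswith("/"):
        raise ValueError("host path must be absolute: %r" % path)
    p = posixpath.normpath(path)
    # Longest link first, so a deeper link wins over a shallower one.
    for link, target in sorted(symlinks.items(), key=lambda kv: -len(kv[0])):
        if p == link or p.startswith(link + "/"):
            p = target + p[len(link):]
            break
    return posixpath.normpath(p)


def is_under(path: str, prefix: str) -> bool:
    """True if `path` is `prefix` itself or lies below it."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def validate_mount(spec: str,
                   whitelist: Sequence[str],
                   blacklist: Sequence[str] = DEFAULT_BLACKLIST) -> Optional[str]:
    """Return None if 'host:container[:ro|rw]' is acceptable, else a reason.

    The blacklist is checked before the whitelist, so a misconfigured
    whitelist entry (e.g. '/var/run' or '/') cannot re-enable a banned path.
    """
    parts = spec.split(":")
    if len(parts) not in (2, 3) or not parts[1].startswith("/"):
        return "malformed mount spec: %r" % spec
    if len(parts) == 3 and parts[2] not in ("ro", "rw"):
        return "bad mount mode: %r" % parts[2]
    try:
        host = canonicalize(parts[0])
    except ValueError as exc:
        return str(exc)
    for entry in blacklist:
        banned = canonicalize(entry)
        # Reject if the request lands inside a banned tree (/run/docker.sock
        # under /run) or would drag a banned tree in ('/' contains /run).
        if is_under(host, banned) or is_under(banned, host):
            return "%s is blacklisted via %s" % (host, banned)
    if not any(is_under(host, canonicalize(w)) for w in whitelist):
        return "%s is not under any whitelisted directory" % host
    return None


if __name__ == "__main__":
    admin_whitelist = ["/data", "/var/run"]   # '/var/run' is a misconfiguration
    for spec in ("/data/shared:/data:ro",
                 "/var/run/docker.sock:/var/run/docker.sock",
                 "/data/../run:/run",
                 "/:/host",
                 "/home/alice:/home"):
        print(spec, "->", validate_mount(spec, admin_whitelist) or "allowed")
```

The "blacklist first" ordering is the point Shane's issue text makes about misconfiguration: a whitelist that happens to include /var/run or / must not undo the default protections. Mounting / is rejected not because / is listed but because every blacklisted tree lies beneath it, which is why the blacklist itself never needs a "/" entry (that would block every mount).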
