hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7516) Security check for untrusted docker image
Date Thu, 11 Jan 2018 21:55:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323037#comment-16323037 ]

Eric Badger commented on YARN-7516:
-----------------------------------

{noformat:title=Both privileges and capabilities}
-bash-4.2$ sudo docker run --privileged image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
autofs			network_throughput	sde1			tty15			tty43			uinput
bsg			null			sde2			tty16			tty44			urandom
btrfs-control		nvram			sdf			tty17			tty45			usbmon0
bus			oldmem			sdf1			tty18			tty46			usbmon1
core			port			sdf2			tty19			tty47			usbmon2
cpu			ppp			sdg			tty2			tty48			usbmon3
cpu_dma_latency		ptmx			sdg1			tty20			tty49			usbmon4
crash			ptp0			sdh			tty21			tty5			vcs
dri			pts			sdh1			tty22			tty50			vcs1
fb0			random			sg0			tty23			tty51			vcs2
fd			raw			sg1			tty24			tty52			vcs3
full			rtc0			sg2			tty25			tty53			vcs4
fuse			sda			sg3			tty26			tty54			vcs5
hpet			sda1			sg4			tty27			tty55			vcs6
hwrng			sda2			sg5			tty28			tty56			vcsa
input			sda3			sg6			tty29			tty57			vcsa1
ipmi0			sda4			sg7			tty3			tty58			vcsa2
kmsg			sda5			shm			tty30			tty59			vcsa3
kvm			sdb			snapshot		tty31			tty6			vcsa4
loop-control		sdb1			snd			tty32			tty60			vcsa5
mapper			sdb2			stderr			tty33			tty61			vcsa6
mcelog			sdb3			stdin			tty34			tty62			vfio
md0			sdb4			stdout			tty35			tty63			vga_arbiter
md1			sdb5			tty			tty36			tty7			vhci
md2			sdc			tty0			tty37			tty8			vhost-net
md3			sdc1			tty1			tty38			tty9			zero
md4			sdc2			tty10			tty39			ttyS0
mem			sdd			tty11			tty4			ttyS1
mqueue			sdd1			tty12			tty40			ttyS2
net			sdd2			tty13			tty41			ttyS3
network_latency		sde			tty14			tty42			uhid
{noformat}

{noformat:title=Just privileges, no capabilities}
-bash-4.2$ sudo docker run --rm --privileged --cap-drop='ALL' image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
autofs			network_throughput	sde1			tty15			tty43			uinput
bsg			null			sde2			tty16			tty44			urandom
btrfs-control		nvram			sdf			tty17			tty45			usbmon0
bus			oldmem			sdf1			tty18			tty46			usbmon1
core			port			sdf2			tty19			tty47			usbmon2
cpu			ppp			sdg			tty2			tty48			usbmon3
cpu_dma_latency		ptmx			sdg1			tty20			tty49			usbmon4
crash			ptp0			sdh			tty21			tty5			vcs
dri			pts			sdh1			tty22			tty50			vcs1
fb0			random			sg0			tty23			tty51			vcs2
fd			raw			sg1			tty24			tty52			vcs3
full			rtc0			sg2			tty25			tty53			vcs4
fuse			sda			sg3			tty26			tty54			vcs5
hpet			sda1			sg4			tty27			tty55			vcs6
hwrng			sda2			sg5			tty28			tty56			vcsa
input			sda3			sg6			tty29			tty57			vcsa1
ipmi0			sda4			sg7			tty3			tty58			vcsa2
kmsg			sda5			shm			tty30			tty59			vcsa3
kvm			sdb			snapshot		tty31			tty6			vcsa4
loop-control		sdb1			snd			tty32			tty60			vcsa5
mapper			sdb2			stderr			tty33			tty61			vcsa6
mcelog			sdb3			stdin			tty34			tty62			vfio
md0			sdb4			stdout			tty35			tty63			vga_arbiter
md1			sdb5			tty			tty36			tty7			vhci
md2			sdc			tty0			tty37			tty8			vhost-net
md3			sdc1			tty1			tty38			tty9			zero
md4			sdc2			tty10			tty39			ttyS0
mem			sdd			tty11			tty4			ttyS1
mqueue			sdd1			tty12			tty40			ttyS2
net			sdd2			tty13			tty41			ttyS3
network_latency		sde			tty14			tty42			uhid
{noformat}

{noformat:title=Just capabilities, no privileges}
-bash-4.2$ sudo docker run --rm image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
core	fd	full	mqueue	null	ptmx	pts	random	shm	stderr	stdin	stdout	tty	urandom	zero
{noformat}

{noformat:title=No capabilities or privileges}
-bash-4.2$ sudo docker run --rm --cap-drop='ALL' image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
core	fd	full	mqueue	null	ptmx	pts	random	shm	stderr	stdin	stdout	tty	urandom	zero
{noformat}

I don't see any difference with or without capabilities, but I see a huge difference without privilege.

> Security check for untrusted docker image
> -----------------------------------------
>
>                 Key: YARN-7516
>                 URL: https://issues.apache.org/jira/browse/YARN-7516
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7516.001.patch, YARN-7516.002.patch, YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, YARN-7516.006.patch, YARN-7516.007.patch
>
>
> Hadoop YARN Services can support using a private docker registry image or a docker image
> from docker hub.  In the current implementation, Hadoop security is enforced through username
> and group membership, and enforces uid:gid consistency in the docker container and distributed
> file system.  There is a cloud use case for having the ability to run untrusted docker images on
> the same cluster for testing.
> The basic requirement for an untrusted container is to ensure all kernel and root privileges
> are dropped, and there is no interaction with the distributed file system to avoid contamination.
> We can probably enforce detection of untrusted docker images by checking the following:
> # If the docker image is from a public docker hub repository, the container is automatically
> flagged as insecure, disk volume mounts are disabled automatically, and all kernel
> capabilities are dropped.
> # If the docker image is from a private repository in docker hub, and there is a white list
> that allows the private repository, disk volume mounts are allowed and kernel capabilities follow
> the allowed list.
> # If the docker image is from a private trusted registry with an image name like "private.registry.local:5000/centos",
> and the white list allows this private trusted repository, disk volume mounts are allowed and kernel
> capabilities follow the allowed list.
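The three trust rules from the issue description, combined with the comment's observation that --cap-drop=ALL does nothing to limit a --privileged container's view of /dev, as an added example (constructed here, not YARN's own container-executor code; the whitelists and the allowed capability list are assumptions):

```python
# Added example: image-trust policy in the shape YARN-7516 proposes (constructed).
from dataclasses import dataclass

TRUSTED_REGISTRIES = {"private.registry.local:5000"}  # rule 3 whitelist (constructed)
TRUSTED_HUB_NAMESPACES = {"myorg"}                   # rule 2 whitelist (constructed)
ALLOWED_CAPS = ["CHOWN", "SETUID", "SETGID"]         # admin's allowed list (constructed)


@dataclass
class LaunchPolicy:
    trusted: bool
    allow_volume_mounts: bool
    capabilities: list


def split_image(image):
    """Return (registry, repository) using docker's naming rules: the first path
    component is a registry only if it has '.' or ':' or is 'localhost'."""
    parts = image.split("@", 1)[0].split("/")   # drop any @digest
    parts[-1] = parts[-1].split(":", 1)[0]      # drop :tag on the last component
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first, "/".join(parts[1:])
    if len(parts) == 1:                         # one-word hub image, e.g. "centos"
        return "docker.io", "library/" + parts[0]
    return "docker.io", "/".join(parts)


def policy_for(image):
    registry, repo = split_image(image)
    if registry in TRUSTED_REGISTRIES:
        return LaunchPolicy(True, True, list(ALLOWED_CAPS))
    if registry == "docker.io" and repo.split("/")[0] in TRUSTED_HUB_NAMESPACES:
        return LaunchPolicy(True, True, list(ALLOWED_CAPS))
    return LaunchPolicy(False, False, [])       # rule 1: public hub image


def docker_run_args(image, mounts=(), privileged=False):
    """Build the docker run command line the policy permits. --privileged is refused
    for untrusted images: capability dropping cannot undo what --privileged grants."""
    p = policy_for(image)
    if privileged and not p.trusted:
        raise PermissionError("privileged container refused for untrusted image " + image)
    args = ["docker", "run", "--rm", "--cap-drop=ALL"]
    args += ["--cap-add=" + cap for cap in p.capabilities]
    for m in (mounts if p.allow_volume_mounts else ()):   # mounts silently dropped when untrusted
        args += ["-v", m]
    if privileged:       # trusted image only; a real deployment gates this with its own ACL
        args.append("--privileged")
    return args + [image]
```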



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

