hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7516) Security check for untrusted docker image
Date Thu, 11 Jan 2018 22:35:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323121#comment-16323121 ]

Eric Badger commented on YARN-7516:
-----------------------------------

{noformat:title=host}
-bash-4.2$ ls /dev | column -c 160
autofs			md3			sdc1			tty10			tty4			ttyS2
block			md4			sdc2			tty11			tty40			ttyS3
bsg			mem			sdd			tty12			tty41			uhid
btrfs-control		mqueue			sdd1			tty13			tty42			uinput
bus			net			sdd2			tty14			tty43			urandom
char			network_latency		sde			tty15			tty44			usbmon0
console			network_throughput	sde1			tty16			tty45			usbmon1
core			null			sde2			tty17			tty46			usbmon2
cpu			nvram			sdf			tty18			tty47			usbmon3
cpu_dma_latency		oldmem			sdf1			tty19			tty48			usbmon4
crash			port			sdf2			tty2			tty49			vcs
disk			ppp			sdg			tty20			tty5			vcs1
dri			ptmx			sdg1			tty21			tty50			vcs2
fb0			ptp0			sdh			tty22			tty51			vcs3
fd			pts			sdh1			tty23			tty52			vcs4
full			random			sg0			tty24			tty53			vcs5
fuse			raw			sg1			tty25			tty54			vcs6
hpet			rtc			sg2			tty26			tty55			vcsa
hugepages		rtc0			sg3			tty27			tty56			vcsa1
hwrng			sda			sg4			tty28			tty57			vcsa2
initctl			sda1			sg5			tty29			tty58			vcsa3
input			sda2			sg6			tty3			tty59			vcsa4
ipmi0			sda3			sg7			tty30			tty6			vcsa5
kmsg			sda4			shm			tty31			tty60			vcsa6
kvm			sda5			snapshot		tty32			tty61			vfio
log			sdb			snd			tty33			tty62			vga_arbiter
loop-control		sdb1			stderr			tty34			tty63			vhci
mapper			sdb2			stdin			tty35			tty7			vhost-net
mcelog			sdb3			stdout			tty36			tty8			zero
md0			sdb4			tty			tty37			tty9
md1			sdb5			tty0			tty38			ttyS0
md2			sdc			tty1			tty39			ttyS1
{noformat}

bq. Are you able to run mount command to attach your host disk partition to the container image?
Yes, I am able to mount disks on the host inside of the container and access their contents.

> Security check for untrusted docker image
> -----------------------------------------
>
>                 Key: YARN-7516
>                 URL: https://issues.apache.org/jira/browse/YARN-7516
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7516.001.patch, YARN-7516.002.patch, YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, YARN-7516.006.patch, YARN-7516.007.patch
>
>
> Hadoop YARN Services can support using a private docker registry image or a docker image from docker hub.  In the current implementation, Hadoop security is enforced through username and group membership, and enforces uid:gid consistency in the docker container and distributed file system.  There is a cloud use case for having the ability to run untrusted docker images on the same cluster for testing.
> The basic requirement for an untrusted container is to ensure all kernel and root privileges are dropped, and there is no interaction with the distributed file system to avoid contamination.  We can probably enforce detection of untrusted docker images by checking the following:
> # If the docker image is from a public docker hub repository, the container is automatically flagged as insecure, disk volume mounts are disabled automatically, and all kernel capabilities are dropped.
> # If the docker image is from a private repository in docker hub, and there is a white list to allow the private repository, disk volume mount is allowed, and kernel capabilities follow the allowed list.
> # If the docker image is from a private trusted registry with an image name like "private.registry.local:5000/centos", and the white list allows this private trusted repository, disk volume mount is allowed, and kernel capabilities follow the allowed list.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
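
The three checks in the quoted issue description, sketched as an added example (not code from the YARN-7516 patches or from the Hadoop project). The function names, whitelist parameters and sample values are hypothetical, and treating an unlisted private registry as untrusted is an assumption the description does not spell out.

```python
# Added illustration: names and whitelist values are constructed, not YARN settings.
DOCKER_HUB = "docker.io"


def split_image(image):
    """Return (registry, namespace) for a Docker image reference."""
    first, sep, rest = image.partition("/")
    # The first path component is a registry host only if it contains '.' or
    # ':' or is 'localhost'; the `sep` test keeps a bare "centos:7" (tag colon,
    # no slash) from being read as a registry.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower(), rest.rpartition("/")[0]
    # Everything else is pulled from Docker Hub; official images with no
    # namespace ("centos") live under "library".
    return DOCKER_HUB, (first if sep else "library")


def container_policy(image, trusted_registries, trusted_hub_namespaces,
                     allowed_caps, requested_mounts):
    """Map an image name to the restrictions listed in the issue description."""
    registry, namespace = split_image(image)
    if registry == DOCKER_HUB:
        # Cases 1 and 2: a Hub image is trusted only if its repository
        # namespace is on the whitelist.
        trusted = namespace in trusted_hub_namespaces
    else:
        # Case 3, failing closed: an unlisted registry is untrusted (assumption).
        trusted = registry in trusted_registries
    args = ["--cap-drop=ALL"]  # every container starts with no capabilities
    if trusted:
        args += ["--cap-add=" + cap for cap in allowed_caps]
        args += ["--volume=" + mount for mount in requested_mounts]
    # Untrusted: requested mounts are discarded and no capability is added back.
    return {"image": image, "trusted": trusted, "docker_args": args}


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("centos:7", "mycompany/app:1.0",
                 "private.registry.local:5000/centos", "other.example:5000/centos"):
        print(container_policy(name, {"private.registry.local:5000"},
                               {"mycompany"}, ["CHOWN", "SETUID"],
                               ["/data/app:/data:ro"]))
```

The trust decision is made on the registry or namespace parsed out of the image name, so a name that merely contains a trusted string elsewhere in its path is not matched.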

