From: "Eric Badger (JIRA)"
To: yarn-issues@hadoop.apache.org
Date: Thu, 11 Jan 2018 21:55:00 +0000 (UTC)
Subject: [jira] [Commented] (YARN-7516) Security check for untrusted docker image

[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323037#comment-16323037 ]

Eric Badger commented on YARN-7516:
-----------------------------------

{noformat:title=Both privileges and capabilities}
-bash-4.2$ sudo docker run --privileged image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
autofs           network_throughput  sde1      tty15  tty43  uinput
bsg              null                sde2      tty16  tty44  urandom
btrfs-control    nvram               sdf       tty17  tty45  usbmon0
bus              oldmem              sdf1      tty18  tty46  usbmon1
core             port                sdf2      tty19  tty47  usbmon2
cpu              ppp                 sdg       tty2   tty48  usbmon3
cpu_dma_latency  ptmx                sdg1      tty20  tty49  usbmon4
crash            ptp0                sdh       tty21  tty5   vcs
dri              pts                 sdh1      tty22  tty50  vcs1
fb0              random              sg0       tty23  tty51  vcs2
fd               raw                 sg1       tty24  tty52  vcs3
full             rtc0                sg2       tty25  tty53  vcs4
fuse             sda                 sg3       tty26  tty54  vcs5
hpet             sda1                sg4       tty27  tty55  vcs6
hwrng            sda2                sg5       tty28  tty56  vcsa
input            sda3                sg6       tty29  tty57  vcsa1
ipmi0            sda4                sg7       tty3   tty58  vcsa2
kmsg             sda5                shm       tty30  tty59  vcsa3
kvm              sdb                 snapshot  tty31  tty6   vcsa4
loop-control     sdb1                snd       tty32  tty60  vcsa5
mapper           sdb2                stderr    tty33  tty61  vcsa6
mcelog           sdb3                stdin     tty34  tty62  vfio
md0              sdb4                stdout    tty35  tty63  vga_arbiter
md1              sdb5                tty       tty36  tty7   vhci
md2              sdc                 tty0      tty37  tty8   vhost-net
md3              sdc1                tty1      tty38  tty9   zero
md4              sdc2                tty10     tty39  ttyS0
mem              sdd                 tty11     tty4   ttyS1
mqueue           sdd1                tty12     tty40  ttyS2
net              sdd2                tty13     tty41  ttyS3
network_latency  sde                 tty14     tty42  uhid
{noformat}

{noformat:title=Just privileges, no capabilities}
-bash-4.2$ sudo docker run --rm --privileged --cap-drop='ALL' image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
autofs           network_throughput  sde1      tty15  tty43  uinput
bsg              null                sde2      tty16  tty44  urandom
btrfs-control    nvram               sdf       tty17  tty45  usbmon0
bus              oldmem              sdf1      tty18  tty46  usbmon1
core             port                sdf2      tty19  tty47  usbmon2
cpu              ppp                 sdg       tty2   tty48  usbmon3
cpu_dma_latency  ptmx                sdg1      tty20  tty49  usbmon4
crash            ptp0                sdh       tty21  tty5   vcs
dri              pts                 sdh1      tty22  tty50  vcs1
fb0              random              sg0       tty23  tty51  vcs2
fd               raw                 sg1       tty24  tty52  vcs3
full             rtc0                sg2       tty25  tty53  vcs4
fuse             sda                 sg3       tty26  tty54  vcs5
hpet             sda1                sg4       tty27  tty55  vcs6
hwrng            sda2                sg5       tty28  tty56  vcsa
input            sda3                sg6       tty29  tty57  vcsa1
ipmi0            sda4                sg7       tty3   tty58  vcsa2
kmsg             sda5                shm       tty30  tty59  vcsa3
kvm              sdb                 snapshot  tty31  tty6   vcsa4
loop-control     sdb1                snd       tty32  tty60  vcsa5
mapper           sdb2                stderr    tty33  tty61  vcsa6
mcelog           sdb3                stdin     tty34  tty62  vfio
md0              sdb4                stdout    tty35  tty63  vga_arbiter
md1              sdb5                tty       tty36  tty7   vhci
md2              sdc                 tty0      tty37  tty8   vhost-net
md3              sdc1                tty1      tty38  tty9   zero
md4              sdc2                tty10     tty39  ttyS0
mem              sdd                 tty11     tty4   ttyS1
mqueue           sdd1                tty12     tty40  ttyS2
net              sdd2                tty13     tty41  ttyS3
network_latency  sde                 tty14     tty42  uhid
{noformat}

{noformat:title=Just capabilities, no privileges}
-bash-4.2$ sudo docker run --rm image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
core  fd  full  mqueue  null  ptmx  pts  random  shm  stderr  stdin  stdout  tty  urandom  zero
{noformat}

{noformat:title=No capabilities or privileges}
-bash-4.2$ sudo docker run --rm --cap-drop='ALL' image_name ls /dev | column -c 160
WARNING: IPv4 forwarding is disabled. Networking will not work.
core  fd  full  mqueue  null  ptmx  pts  random  shm  stderr  stdin  stdout  tty  urandom  zero
{noformat}

I don't see any difference with or without capabilities, but I see a huge difference without privilege.
> Security check for untrusted docker image
> -----------------------------------------
>
>                 Key: YARN-7516
>                 URL: https://issues.apache.org/jira/browse/YARN-7516
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7516.001.patch, YARN-7516.002.patch, YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, YARN-7516.006.patch, YARN-7516.007.patch
>
>
> Hadoop YARN Services can support using a private docker registry image or a docker image from docker hub. In the current implementation, Hadoop security is enforced through username and group membership, and uid:gid consistency is enforced between the docker container and the distributed file system. There is a cloud use case for having the ability to run untrusted docker images on the same cluster for testing.
>
> The basic requirement for an untrusted container is to ensure all kernel and root privileges are dropped, and that there is no interaction with the distributed file system to avoid contamination. We can probably enforce detection of untrusted docker images by checking the following:
>
> # If the docker image is from a public docker hub repository, the container is automatically flagged as insecure, disk volume mounts are disabled automatically, and all kernel capabilities are dropped.
> # If the docker image is from a private repository in docker hub, and there is a white list to allow the private repository, disk volume mounts are allowed and kernel capabilities follow the allowed list.
> # If the docker image is from a private trusted registry with an image name like "private.registry.local:5000/centos", and the white list allows this private trusted repository, disk volume mounts are allowed and kernel capabilities follow the allowed list.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
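As an added example (not part of the original mail and not YARN's own container-executor code), the three-case check from the issue description and the conclusion of the ls /dev experiment above, written out in Python: an image reference is normalized the way the Docker CLI does it, compared against a whitelist of trusted registry or registry/namespace prefixes, and the resulting policy is turned into docker run flags. The whitelist format, the function names, the sample trusted list and the choice to refuse --privileged outright for untrusted images are assumptions of this example, not YARN-7516's design.

```python
# Added example (not YARN's own code). Classifies a Docker image reference
# against a whitelist of trusted registries/namespaces and derives the
# sandbox flags for it: untrusted images lose volume mounts, all kernel
# capabilities and --privileged; trusted images keep mounts and get only the
# cluster's allowed capabilities. Whitelist format, names and the privileged
# handling are assumptions of this example, not YARN-7516's design.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DOCKER_HUB = "docker.io"


def normalize_reference(image: str) -> str:
    """Expand an image reference to 'registry/namespace/repository'.

    Mirrors the Docker CLI's rules: the first path component is a registry
    only if it contains '.' or ':' or equals 'localhost'; anything else is a
    Docker Hub image, and single-component Hub names are official images
    under 'library/'. Tags (':7') and digests ('@sha256:...') are removed so
    the policy keys on where the image comes from, not which version it is.
    """
    ref = image.strip()
    if "@" in ref:                        # drop a content digest
        ref = ref.split("@", 1)[0]
    if ref.rfind(":") > ref.rfind("/"):   # a ':' after the last '/' is a tag
        ref = ref[: ref.rfind(":")]
    parts = [p for p in ref.split("/") if p]
    if not parts:
        raise ValueError("empty image reference: %r" % image)
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, parts[1:]
    else:
        registry, path = DOCKER_HUB, parts
    if registry == "index.docker.io":     # legacy alias for Docker Hub
        registry = DOCKER_HUB
    if registry == DOCKER_HUB and len(path) == 1:
        path = ["library"] + path
    return registry + "/" + "/".join(path)


def is_trusted(image: str, trusted_prefixes: Iterable[str]) -> bool:
    """True if the normalized reference lies under a whitelisted prefix.

    A prefix is a registry ('private.registry.local:5000') or a
    registry/namespace ('docker.io/ebadger'); trusting all of Docker Hub
    requires listing 'docker.io' explicitly. Matching is on whole path
    components, so 'private.registry.local:5000' does not also trust an
    image pulled from 'private.registry.local:5000evil'.
    """
    ref = normalize_reference(image)
    for prefix in trusted_prefixes:
        prefix = prefix.strip().rstrip("/")
        if prefix and (ref == prefix or ref.startswith(prefix + "/")):
            return True
    return False


@dataclass(frozen=True)
class SandboxPolicy:
    trusted: bool
    allow_volume_mounts: bool
    capabilities: Tuple[str, ...]   # re-added with --cap-add on top of --cap-drop=ALL


def policy_for(image: str, trusted_prefixes: Iterable[str],
               allowed_caps: Iterable[str]) -> SandboxPolicy:
    """Cases 1-3 of the issue: untrusted -> no mounts, no capabilities;
    trusted (whitelisted Hub namespace or private registry) -> mounts plus
    the cluster's allowed capability list."""
    if is_trusted(image, trusted_prefixes):
        return SandboxPolicy(True, True, tuple(allowed_caps))
    return SandboxPolicy(False, False, ())


def docker_run_args(image: str, policy: SandboxPolicy, mounts: List[str],
                    privileged: bool = False) -> List[str]:
    """Build the 'docker run' argv implied by the policy.

    --privileged is refused for untrusted images rather than silently
    dropped: as the ls /dev experiment in the comment shows, it is the
    privileged flag, not the capability set, that exposes host devices.
    Requested mounts are discarded (not an error) when the policy forbids them.
    """
    if privileged and not policy.trusted:
        raise PermissionError("--privileged refused for untrusted image %s" % image)
    args = ["docker", "run", "--rm"]
    if privileged:
        args.append("--privileged")
    args.append("--cap-drop=ALL")
    args.extend("--cap-add=%s" % cap for cap in policy.capabilities)
    if policy.allow_volume_mounts:
        for mount in mounts:
            args.extend(["-v", mount])
    args.append(image)
    return args


def privileged_refused(image: str, policy: SandboxPolicy) -> bool:
    """True if the policy rejects a --privileged request for this image."""
    try:
        docker_run_args(image, policy, [], privileged=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed configuration: one private registry and one Hub namespace.
    trusted = ["private.registry.local:5000", "docker.io/ebadger"]
    for img in ["centos:7", "ebadger/centos", "private.registry.local:5000/centos",
                "private.registry.local:5000evil/centos"]:
        pol = policy_for(img, trusted, ["NET_BIND_SERVICE", "CHOWN"])
        print(img, "->", " ".join(docker_run_args(img, pol, ["/data:/data"])))
```

Two points are worth keeping if this is ported elsewhere. The name alone cannot tell a private Docker Hub repository from a public one, so case 2 is expressed as a whitelisted Hub namespace (docker.io/ebadger) rather than a lookup, and a bare docker.io entry deliberately trusts every public Hub image, which is exactly the case the issue wants flagged insecure. Matching on whole path components matters: a plain string-prefix comparison would let a registry named private.registry.local:5000evil inherit the trust of private.registry.local:5000.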