From yarn-issues-return-137494-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Wed Feb 7 18:17:21 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 6482318065B for ; Wed, 7 Feb 2018 18:17:21 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 54453160C5B; Wed, 7 Feb 2018 17:17:21 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 98F45160C3C for ; Wed, 7 Feb 2018 18:17:20 +0100 (CET) Received: (qmail 16144 invoked by uid 500); 7 Feb 2018 17:17:19 -0000 Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list yarn-issues@hadoop.apache.org Received: (qmail 16133 invoked by uid 99); 7 Feb 2018 17:17:19 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Feb 2018 17:17:19 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 2A1DAC1328 for ; Wed, 7 Feb 2018 17:17:19 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -110.311 X-Spam-Level: X-Spam-Status: No, score=-110.311 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id D9u1qb2xmTc0 for ; Wed, 7 Feb 2018 17:17:18 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 8DB655F3FE for ; Wed, 7 Feb 2018 17:17:17 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id A5E77E018A for ; Wed, 7 Feb 2018 17:17:16 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id C7DE924116 for ; Wed, 7 Feb 2018 17:17:11 +0000 (UTC) Date: Wed, 7 Feb 2018 17:17:11 +0000 (UTC) From: "Eric Badger (JIRA)" To: yarn-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (YARN-7221) Add security check for privileged docker container MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16355748#comment-16355748 ] Eric Badger commented on YARN-7221: ----------------------------------- Hey [~eyang], can you rebase this to trunk? Didn't apply for me when I just went to go test it out > Add security check for privileged docker container > -------------------------------------------------- > > Key: YARN-7221 > URL: https://issues.apache.org/jira/browse/YARN-7221 > Project: Hadoop YARN > Issue Type: Sub-task > Reporter: Eric Yang > Assignee: Eric Yang > Priority: Major > Attachments: YARN-7221.001.patch, YARN-7221.002.patch, YARN-7221.003.patch > > > When a docker is running with privileges, majority of the use case is to have some program running with root then drop privileges to another user. i.e. httpd to start with privileged and bind to port 80, then drop privileges to www user. > # We should add security check for submitting users, to verify they have "sudo" access to run privileged container. > # We should remove --user=uid:gid for privileged containers. > > Docker can be launched with --privileged=true, and --user=uid:gid flag. With this parameter combinations, user will not have access to become root user. All docker exec command will be drop to uid:gid user to run instead of granting privileges. User can gain root privileges if container file system contains files that give user extra power, but this type of image is considered as dangerous. Non-privileged user can launch container with special bits to acquire same level of root power. Hence, we lose control of which image should be run with --privileges, and who have sudo rights to use privileged container images. As the result, we should check for sudo access then decide to parameterize --privileged=true OR --user=uid:gid. This will avoid leading developer down the wrong path. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: yarn-issues-help@hadoop.apache.org