[ https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16886283#comment-16886283 ]
Eric Yang commented on HDDS-1712:
---------------------------------
[~elek]
Root can jailbreak from a container when mounting host-level files is allowed,
such as mounting /etc/passwd, /proc, or /sys/fs. Pull Request #1053
demonstrates the danger of giving the hadoop user root privileges without
restriction. By writing a line to the /etc/passwd file, the hadoop
user can install a root user onto the host. The hadoop user has the power to create
chaos when too many privileges are given. We can remove the risk by giving it
non-root access in the container.
The hadoop user is given sudo access for binary installation during test runtime.
The package installation logic can happen during the compile or package
phase of the Maven build cycle. Removing the sudo access will force
developers to rethink how to instrument tests into the running container more
efficiently, without the duplicated downloads of the test framework from the internet in
the current smoke test. If we can expand on the idea of building the Docker image
after tarball creation (HDDS-1495) rather than the current runner image layout,
then forward progress would be easier. I find it difficult to operate in a
reactive approach to remove the sudo requirement and make the current smoke test
work with ozone-runner or hadoop-runner because:
# The sudo code is in a separate branch from the smoke test. I cannot make smoke
test changes in this ticket because the smoke test logic resides in another branch.
# Many binaries are downloaded and installed during the test run. It takes quite a long
time to repeatedly install binaries during the test run. On a flaky internet connection, the test
cases fail more frequently due to the inability to install the test framework rather
than from running the tests.
# The current smoke tests and Kubernetes cluster are working with a replication
factor of 1, and many tests are using an empty core-site.xml; hence, the disk
operations are not distributed. I found the current smoke test
confusing because the test parameters are invalid.
# Need on-demand configuration changes: Maven resource templating allows
modifying environment variables prior to the startup of test runs. There is a
mismatch between the test-generated volume and bucket and the core-site.xml
configuration. The bucket creation sequence, configuration file generation, and
daemon startup are in a non-specific order. The current tests are masking
problems because an empty configuration leads to using local disk and allowed
some tests to pass.
To properly address those problems, the conversations are much longer ones.
This is my reasoning for narrowing the scope of this patch to the first step of
removing the root power. Would you be open to fixing the smoke test in a follow-up
ticket?
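The image change the comment argues for, shown as an added illustration that is not part of this ticket, Pull Request #1053, or the Ozone project's own runner Dockerfile: build-time dependencies and the test framework are installed while the image is built, the hadoop user is created with a fixed UID and no sudo, and the runtime process drops to that user. The base image, package names, tarball name, and paths are assumptions; the weak pattern is kept only as a comment for contrast.

```dockerfile
# Added illustration, not the Ozone project's Dockerfile. Base image,
# package names, tarball name and paths are assumptions.
FROM centos:7

# Weak pattern being removed: unrestricted, passwordless sudo for the
# runtime user. Together with a host path bind-mounted into the
# container, this lets a process in the container act as root on
# root-owned host files.
#   RUN yum install -y sudo && \
#       echo "hadoop ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/hadoop

# Hardened pattern: everything that needs root happens at build time,
# as root, and sudo is never installed in the image at all.
RUN yum install -y java-1.8.0-openjdk-headless python3 python3-pip \
    && yum clean all

# Test framework installed once at build time (assumed: robotframework),
# so the test run never has to download or install anything.
RUN pip3 install --no-cache-dir robotframework

# Fixed UID/GID so bind-mounted volumes can be chowned predictably on the host.
RUN groupadd -g 1000 hadoop \
    && useradd -u 1000 -g hadoop -m -d /opt/hadoop hadoop

# Application tarball (assumed name; produced earlier in the Maven build,
# in the spirit of HDDS-1495) copied in owned by the runtime user.
COPY --chown=hadoop:hadoop ozone-dist.tar.gz /opt/hadoop/

# From here on every RUN and the container entrypoint execute as UID 1000.
USER hadoop
WORKDIR /opt/hadoop
RUN tar -xzf ozone-dist.tar.gz && rm ozone-dist.tar.gz

ENTRYPOINT ["/opt/hadoop/bin/ozone"]
```

A quick check after building is `docker run --rm <image> id -u`, which should print `1000`, and `docker run --rm <image> sh -c 'command -v sudo || echo absent'`, which should print `absent`: with no sudo binary and no setuid path in the image, a compromised or misbehaving test process stays confined to the hadoop user's permissions, including on any host directory mounted into the container.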
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user. This poses
> a security risk where host level user uid 1000 can attach a debugger to the
> container process to obtain root access.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)