[jira] [Commented] (HDDS-1712) Remove sudo access from Ozone docker image

Tue, 16 Jul 2019 11:25:27 -0700 


    [ 
https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16886364#comment-16886364
 ] 

Eric Yang commented on HDDS-1712:
---------------------------------

{quote}2. grep for OZONE-SITE instead of CORE-SITE? The workflow is very 
similar to the docker-compose clusters just using kubernetes configmap instead 
of env files.{quote}

Kubernetes configmap of trunk looks like this:
{code}
data:
  OZONE-SITE.XML_hdds.datanode.dir: /data/storage
  OZONE-SITE.XML_ozone.scm.datanode.id.dir: /data
  OZONE-SITE.XML_ozone.metadata.dirs: /data/metadata
  OZONE-SITE.XML_ozone.scm.block.client.address: scm-0.scm
  OZONE-SITE.XML_ozone.om.address: om-0.om
  OZONE-SITE.XML_ozone.scm.client.address: scm-0.scm
  OZONE-SITE.XML_ozone.scm.names: scm-0.scm
  OZONE-SITE.XML_ozone.enabled: "true"
  LOG4J.PROPERTIES_log4j.rootLogger: INFO, stdout
  LOG4J.PROPERTIES_log4j.appender.stdout: org.apache.log4j.ConsoleAppender
  LOG4J.PROPERTIES_log4j.appender.stdout.layout: org.apache.log4j.PatternLayout
  LOG4J.PROPERTIES_log4j.appender.stdout.layout.ConversionPattern: 
'%d{yyyy-MM-dd
    HH:mm:ss} %-5p %c{1}:%L - %m%n'
{code}

There is no core-site.xml generated.  How can the test case be valid?

{quote}If I understood well we can agree that the mentioned statement was not 
true and kubernetes examples doesn't use replication factor 1.{quote}

I can agree on replication factor of 1 does not apply to k8s tests, but it 
doesn't change the fact that the current k8s tests uses invalid core-site.xml, 
hence the test results passing are questionable.

> Remove sudo access from Ozone docker image
> ------------------------------------------
>
>                 Key: HDDS-1712
>                 URL: https://issues.apache.org/jira/browse/HDDS-1712
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HDDS-1712.001.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user.  This poses 
> a security risk where host level user uid 1000 can attach a debugger to the 
> container process to obtain root access.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to