[
https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887394#comment-16887394
]
Eric Yang commented on HDDS-1712:
---------------------------------
{quote}Yes, AFAIK it's fine. If you have any error message, let me know. Happy
to help. (But maybe not in this jira, but using the usual channels...)
(I am just wondering: If you can't deploy, how do you know how it works?
How do you know if it's wrong...){quote}
According to kubectl output, the pod configuration does not have 3 datanodes:
{code}
$ kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
datanode-0   0/1     Pending   0          11m
om-0         0/1     Pending   0          11m
s3g-0        0/1     Pending   0          11m
scm-0        0/1     Pending   0          11m
{code}
ozone.replication is not set to 1, how does this work?
Pod configuration in JSON format indicates there are no environment variables
for CORE-SITE.XML. How does this work?
{code}
$ kubectl get pod -o json
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"prdatanodeetheus.io/path": "/prom",
"prdatanodeetheus.io/port": "9882",
"prdatanodeetheus.io/scrape": "true"
},
"creationTimestamp": "2019-07-17T19:30:41Z",
"generateName": "datanode-",
"labels": {
"app": "ozone",
"component": "datanode",
"controller-revision-hash": "datanode-5f4d6556b8",
"statefulset.kubernetes.io/pod-name": "datanode-0"
},
"name": "datanode-0",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "apps/v1",
"blockOwnerDeletion": true,
"controller": true,
"kind": "StatefulSet",
"name": "datanode",
"uid": "449168e5-c9b9-443c-b65b-475a97e64710"
}
],
"resourceVersion": "99413",
"selfLink": "/api/v1/namespaces/default/pods/datanode-0",
"uid": "46f1ad81-312e-4e33-b0a7-8496937511bd"
},
"spec": {
"affinity": {
"podAntiAffinity": {
"requiredDuringSchedulingIgnoredDuringExecution": [
{
"labelSelector": {
"matchExpressions": [
{
"key": "component",
"operator": "In",
"values": [
"datanode"
]
}
]
},
"topologyKey": "kubernetes.io/hostname"
}
]
}
},
"containers": [
{
"args": [
"ozone",
"datanode"
],
"envFrom": [
{
"configMapRef": {
"name": "config"
}
}
],
"image": "eyang/ozone:0.5.0-SNAPSHOT",
"imagePullPolicy": "IfNotPresent",
"name": "datanode",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/data",
"name": "data"
},
{
"mountPath":
"/var/run/secrets/kubernetes.io/serviceaccount",
"name": "default-token-phlhw",
"readOnly": true
}
]
}
],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostname": "datanode-0",
"priority": 0,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {
"fsGroup": 1000
},
"serviceAccount": "default",
"serviceAccountName": "default",
"subdomain": "datanode",
"terminationGracePeriodSeconds": 30,
"tolerations": [
{
"effect": "NoExecute",
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"effect": "NoExecute",
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"volumes": [
{
"name": "data",
"persistentVolumeClaim": {
"claimName": "data-datanode-0"
}
},
{
"name": "default-token-phlhw",
"secret": {
"defaultMode": 420,
"secretName": "default-token-phlhw"
}
}
]
},
"status": {
"conditions": [
{
"lastProbeTime": null,
"lastTransitionTime": "2019-07-17T19:30:41Z",
"message": "pod has unbound immediate PersistentVolumeClaims (repeated 4 times)",
"reason": "Unschedulable",
"status": "False",
"type": "PodScheduled"
}
],
"phase": "Pending",
"qosClass": "BestEffort"
}
},
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"prometheus.io/path": "/prom",
"prometheus.io/port": "9874",
"prometheus.io/scrape": "true"
},
"creationTimestamp": "2019-07-17T19:30:41Z",
"generateName": "om-",
"labels": {
"app": "ozone",
"component": "om",
"controller-revision-hash": "om-5df5c7cc57",
"statefulset.kubernetes.io/pod-name": "om-0"
},
"name": "om-0",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "apps/v1",
"blockOwnerDeletion": true,
"controller": true,
"kind": "StatefulSet",
"name": "om",
"uid": "d2bed5a9-e694-4219-a58a-98245726b67d"
}
],
"resourceVersion": "99428",
"selfLink": "/api/v1/namespaces/default/pods/om-0",
"uid": "b961bde3-c865-42a0-8617-39c384c61f7a"
},
"spec": {
"containers": [
{
"args": [
"ozone",
"om"
],
"env": [
{
"name": "WAITFOR",
"value": "scm-0.scm:9876"
},
{
"name": "ENSURE_OM_INITIALIZED",
"value": "/data/metadata/om/current/VERSION"
}
],
"envFrom": [
{
"configMapRef": {
"name": "config"
}
}
],
"image": "eyang/ozone:0.5.0-SNAPSHOT",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 3,
"initialDelaySeconds": 30,
"periodSeconds": 10,
"successThreshold": 1,
"tcpSocket": {
"port": 9862
},
"timeoutSeconds": 1
},
"name": "om",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/data",
"name": "data"
},
{
"mountPath":
"/var/run/secrets/kubernetes.io/serviceaccount",
"name": "default-token-phlhw",
"readOnly": true
}
]
}
],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostname": "om-0",
"priority": 0,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {
"fsGroup": 1000
},
"serviceAccount": "default",
"serviceAccountName": "default",
"subdomain": "om",
"terminationGracePeriodSeconds": 30,
"tolerations": [
{
"effect": "NoExecute",
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"effect": "NoExecute",
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"volumes": [
{
"name": "data",
"persistentVolumeClaim": {
"claimName": "data-om-0"
}
},
{
"name": "default-token-phlhw",
"secret": {
"defaultMode": 420,
"secretName": "default-token-phlhw"
}
}
]
},
"status": {
"conditions": [
{
"lastProbeTime": null,
"lastTransitionTime": "2019-07-17T19:30:41Z",
"message": "pod has unbound immediate PersistentVolumeClaims (repeated 4 times)",
"reason": "Unschedulable",
"status": "False",
"type": "PodScheduled"
}
],
"phase": "Pending",
"qosClass": "BestEffort"
}
},
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"creationTimestamp": "2019-07-17T19:30:41Z",
"generateName": "s3g-",
"labels": {
"app": "ozone",
"component": "s3g",
"controller-revision-hash": "s3g-c7b9c5886",
"statefulset.kubernetes.io/pod-name": "s3g-0"
},
"name": "s3g-0",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "apps/v1",
"blockOwnerDeletion": true,
"controller": true,
"kind": "StatefulSet",
"name": "s3g",
"uid": "cbcde998-0558-46df-9ae2-8078c5827856"
}
],
"resourceVersion": "99442",
"selfLink": "/api/v1/namespaces/default/pods/s3g-0",
"uid": "4bc82c4c-0005-41d8-a9eb-6b8962b6de08"
},
"spec": {
"containers": [
{
"args": [
"ozone",
"s3g"
],
"envFrom": [
{
"configMapRef": {
"name": "config"
}
}
],
"image": "eyang/ozone:0.5.0-SNAPSHOT",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 3,
"httpGet": {
"path": "/",
"port": 9878,
"scheme": "HTTP"
},
"initialDelaySeconds": 30,
"periodSeconds": 10,
"successThreshold": 1,
"timeoutSeconds": 1
},
"name": "s3g",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/data",
"name": "data"
},
{
"mountPath":
"/var/run/secrets/kubernetes.io/serviceaccount",
"name": "default-token-phlhw",
"readOnly": true
}
]
}
],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostname": "s3g-0",
"priority": 0,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"serviceAccount": "default",
"serviceAccountName": "default",
"subdomain": "s3g",
"terminationGracePeriodSeconds": 30,
"tolerations": [
{
"effect": "NoExecute",
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"effect": "NoExecute",
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"volumes": [
{
"name": "data",
"persistentVolumeClaim": {
"claimName": "data-s3g-0"
}
},
{
"name": "default-token-phlhw",
"secret": {
"defaultMode": 420,
"secretName": "default-token-phlhw"
}
}
]
},
"status": {
"conditions": [
{
"lastProbeTime": null,
"lastTransitionTime": "2019-07-17T19:30:41Z",
"message": "pod has unbound immediate PersistentVolumeClaims (repeated 4 times)",
"reason": "Unschedulable",
"status": "False",
"type": "PodScheduled"
}
],
"phase": "Pending",
"qosClass": "BestEffort"
}
},
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"annotations": {
"prometheus.io/path": "/prom",
"prometheus.io/port": "9876",
"prometheus.io/scrape": "true"
},
"creationTimestamp": "2019-07-17T19:30:41Z",
"generateName": "scm-",
"labels": {
"app": "ozone",
"component": "scm",
"controller-revision-hash": "scm-cfd995757",
"statefulset.kubernetes.io/pod-name": "scm-0"
},
"name": "scm-0",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "apps/v1",
"blockOwnerDeletion": true,
"controller": true,
"kind": "StatefulSet",
"name": "scm",
"uid": "bf7e5480-e241-4c5e-b687-30643122635c"
}
],
"resourceVersion": "99453",
"selfLink": "/api/v1/namespaces/default/pods/scm-0",
"uid": "aa982362-c10a-444e-b03f-d2414ba4a478"
},
"spec": {
"containers": [
{
"args": [
"ozone",
"scm"
],
"envFrom": [
{
"configMapRef": {
"name": "config"
}
}
],
"image": "eyang/ozone:0.5.0-SNAPSHOT",
"imagePullPolicy": "IfNotPresent",
"livenessProbe": {
"failureThreshold": 3,
"initialDelaySeconds": 30,
"periodSeconds": 10,
"successThreshold": 1,
"tcpSocket": {
"port": 9861
},
"timeoutSeconds": 1
},
"name": "scm",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/data",
"name": "data"
},
{
"mountPath":
"/var/run/secrets/kubernetes.io/serviceaccount",
"name": "default-token-phlhw",
"readOnly": true
}
]
}
],
"dnsPolicy": "ClusterFirst",
"enableServiceLinks": true,
"hostname": "scm-0",
"initContainers": [
{
"args": [
"ozone",
"scm",
"--init"
],
"envFrom": [
{
"configMapRef": {
"name": "config"
}
}
],
"image": "eyang/ozone:0.5.0-SNAPSHOT",
"imagePullPolicy": "IfNotPresent",
"name": "init",
"resources": {},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/data",
"name": "data"
},
{
"mountPath":
"/var/run/secrets/kubernetes.io/serviceaccount",
"name": "default-token-phlhw",
"readOnly": true
}
]
}
],
"priority": 0,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {
"fsGroup": 1000
},
"serviceAccount": "default",
"serviceAccountName": "default",
"subdomain": "scm",
"terminationGracePeriodSeconds": 30,
"tolerations": [
{
"effect": "NoExecute",
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"effect": "NoExecute",
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"volumes": [
{
"name": "data",
"persistentVolumeClaim": {
"claimName": "data-scm-0"
}
},
{
"name": "default-token-phlhw",
"secret": {
"defaultMode": 420,
"secretName": "default-token-phlhw"
}
}
]
},
"status": {
"conditions": [
{
"lastProbeTime": null,
"lastTransitionTime": "2019-07-17T19:30:41Z",
"message": "pod has unbound immediate PersistentVolumeClaims (repeated 4 times)",
"reason": "Unschedulable",
"status": "False",
"type": "PodScheduled"
}
],
"phase": "Pending",
"qosClass": "BestEffort"
}
}
],
"kind": "List",
"metadata": {
"resourceVersion": "",
"selfLink": ""
}
}
{code}
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user. This poses
> a security risk where host level user uid 1000 can attach a debugger to the
> container process to obtain root access.
