[ https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889300#comment-16889300 ]

Anu Engineer edited comment on HDDS-1712 at 7/20/19 4:42 AM:
-------------------------------------------------------------

First of all, there is no vulnerability. That is just FUD that is being spewed
by you. If there is a CVE in the Docker world, the fix is to upgrade Docker. So I
completely disagree.

Second, the example of running Docker on your machine means that you need to be
able to install Docker, which implies that you are an admin on that machine. If
not, you cannot run this. Now your argument is that someone can write some code
which has some issue, and my answer has been that what you are saying can be
done with Hadoop as well. Someone can write backdoors, and that is why we have
committers: to make sure that someone does not do random crap like this.

The third and most important point: the quick start guide explains what Ozone
is. It is not a guide on how to run Ozone. I gather that you have never taken a
look at the current documentation on trunk or 0.4.1.

So I am still against you wasting countless hours with pointless discussion,
and I am -1.

{quote}Hence, this vulnerable docker image puts everyone who tries Ozone at risk
{quote}
This is the random stuff that you keep on saying without any merit each time.
Case in point: when you told me that Ozone is full of findbugs issues and
checkstyle issues. When I asked you to compare with Hadoop you ran away,
because, like this, it was blatantly false.

was (Author: anu):
First of all, there is no vulnerability. That is just FUD that is being spewed
by you. If there is a CVE in the Docker world, the fix is to upgrade Docker. So I
completely disagree.

Second, the example of running Docker on your machine means that you need to be
able to install Docker, which implies that you are an admin on that machine. If
not, you cannot run this. Now your argument is that someone can write some code
which has some issue, and my answer has been that what you are saying can be
done with Hadoop as well. Someone can write backdoors, and that is why we have
committers: to make sure that someone does not do random crap like this.

The third and most important point: the quick start guide explains what Ozone
is. It is not a guide on how to run Ozone. I gather that you have never taken a
look at the current documentation on trunk or 0.4.1.

So I am still against you wasting countless hours with pointless discussion,
and I am -1.

{quote}Hence, this vulnerable docker image puts everyone who tries Ozone at risk
{quote}
This is the random stuff that you keep on saying without any merit each time.
Case in point: when you came and told me that Ozone is full of findbugs issues
and checkstyle issues. When I asked you to compare with Hadoop you ran away.

> Remove sudo access from Ozone docker image
> ------------------------------------------
>
>                 Key: HDDS-1712
>                 URL: https://issues.apache.org/jira/browse/HDDS-1712
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HDDS-1712.001.hadoop-docker-ozone.patch, 
> HDDS-1712.001.patch, HDDS-1712.002.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The Ozone docker image gives unlimited sudo access to the hadoop user. This
> poses a security risk where a host-level user with uid 1000 can attach a
> debugger to the container process to obtain root access.
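As an added defender-side check (not code from HDDS-1712, its attached patches, or the Ozone project), the POSIX shell function below parses sudoers text from stdin and reports user specifications that grant the named user every command, which is the unlimited sudo configuration the issue describes. The two sudoers fragments are constructed samples, not the Ozone image's files; `unlimited_sudo_entries`, the variable names and the `/usr/bin/chown` command path in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added audit helper, not code from HDDS-1712, its patches, or the Ozone project.
# It parses sudoers text on stdin and reports user specifications that grant the
# named user every command (the "unlimited sudo" the issue describes).

# Constructed sample: the weak configuration, a blanket passwordless grant.
WEAK_SUDOERS='# constructed sample, not the Ozone image sudoers
Defaults env_reset
hadoop ALL=(ALL) NOPASSWD: ALL
'

# Constructed sample: the hardened form, one command as one target user.
# (Removing sudo from the image entirely is the other option.)
HARDENED_SUDOERS='# constructed sample, not the Ozone image sudoers
Defaults env_reset
hadoop ALL=(root) NOPASSWD: /usr/bin/chown -R hadoop /data
'

# unlimited_sudo_entries USER  < sudoers-text
# Prints one line per entry that lets USER (or the "ALL" user spec) run ALL
# commands. Exit status 0 if any such entry was found, 1 otherwise. Pass
# "%group" to check a group entry; group membership is not resolved here.
unlimited_sudo_entries() {
    awk -v user="$1" '
    {
        line = $0
        sub(/#.*/, "", line)                        # strip comments
        gsub(/[ \t]+/, " ", line)                   # collapse whitespace
        sub(/^ /, "", line); sub(/ $/, "", line)    # trim
        if (line == "" || line ~ /^Defaults/) next
        if (line ~ /^(User|Host|Cmnd|Runas)_Alias/) next
        if (index(line, "=") == 0) next             # not a user specification

        who = line; sub(/ .*/, "", who)             # user, %group, or ALL
        if (who != user && who != "ALL") next

        cmnd = line; sub(/^[^=]*=/, "", cmnd)       # text after "host="
        sub(/^ *\([^)]*\) */, "", cmnd)             # drop the (runas) part
        nopasswd = (cmnd ~ /NOPASSWD:/)
        gsub(/[A-Z_]+: */, "", cmnd)                # drop tags: NOPASSWD:, NOEXEC:, ...
        if (cmnd == "ALL") {
            printf "%s may run any command%s\n", who, (nopasswd ? " without a password" : "")
            found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Demonstration on the constructed samples (guarded so a clean result is not an error).
printf '%s' "$WEAK_SUDOERS" | unlimited_sudo_entries hadoop || echo "weak sample: nothing flagged (unexpected)"
printf '%s' "$HARDENED_SUDOERS" | unlimited_sudo_entries hadoop || echo "hardened sample: no unlimited sudo for hadoop"
```

To audit a built image rather than an inline sample, feed the function the image's own file, for example `docker run --rm --entrypoint cat IMAGE /etc/sudoers | unlimited_sudo_entries hadoop`, and repeat for each file under `/etc/sudoers.d`. The check flags an `ALL` command list whether or not `NOPASSWD` is set, since a password-less account inside a container makes the two equivalent in practice.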
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
