[ 
https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16083347#comment-16083347
 ] 

James Peach commented on MESOS-7605:
------------------------------------

{quote}
It also implies that it's impossible to give a container permission to *bind* 
to a host network port without also giving it permission to *change the host's 
network name*. This feels like a security hole to me.
{quote}

The task would only have permission to change the hostname if it is privileged 
with the right capabilities or running as root. I think this is expected 
behavior, not a security hole.

The reason we didn't apply UTS namespace in host networking was because we were 
not sure whether to allow the kernel hostname to diverge from the hostname 
stored in the system files. However, thinking about this some more, I don't see 
any reason to not enter a UTS namespace when we are using host networking, just 
as a defense-in-depth measure.

> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
>                 Key: MESOS-7605
>                 URL: https://issues.apache.org/jira/browse/MESOS-7605
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James DeFelice
>              Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts 
> container isolation, even in {{host}} network mode: (via 
> https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default. 
> As such --hostname is allowed in host network mode and will only change the 
> hostname inside the container. Similar to --hostname, the --add-host, --dns, 
> --dns-search, and --dns-option options can be used in host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was 
> initially added to support the Docker containerizer's use of the 
> {{--hostname}} Docker {{run}} flag.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
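The defense-in-depth point in the comment above (enter a private UTS namespace before letting a task touch the hostname, even under host networking) can be checked with a small program. The following C program is an added illustration, not Mesos or UCR code and not from either commenter: it forks a "task", which calls `unshare(CLONE_NEWUTS)` and only then `sethostname()`, while the parent acts as the host side and verifies its own hostname afterwards. The task hostname `ucr-task-0`, the function names and the result codes are all constructed for this example. Entering a UTS namespace needs `CAP_SYS_ADMIN`, so as an unprivileged user the program reports that no namespace was available and deliberately leaves the hostname alone, which is the safe outcome.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000   /* same value as <linux/sched.h> */
#endif
#ifndef HOST_NAME_MAX
#define HOST_NAME_MAX 64
#endif

/* Prototypes repeated here in case the feature macro above was not seen first. */
int unshare(int flags);
int sethostname(const char *name, size_t len);

enum uts_result {
    UTS_ISOLATED     = 0,  /* task renamed itself; host hostname unchanged     */
    UTS_HOST_CHANGED = 1,  /* host hostname changed: the isolation failed      */
    UTS_NO_NAMESPACE = 2,  /* unshare(CLONE_NEWUTS) refused; nothing was changed */
    UTS_ERROR        = 3   /* fork/wait/gethostname failure                    */
};

/* Runs in the forked "task". The rule: never call sethostname() unless a
 * private UTS namespace was entered first. Without that step a task running
 * with CAP_SYS_ADMIN would rename the host itself. */
static int child_set_hostname(const char *name)
{
    char buf[HOST_NAME_MAX + 1];

    if (unshare(CLONE_NEWUTS) != 0) {
        /* Typical cause: no CAP_SYS_ADMIN (errno EPERM). Leave the host alone. */
        return UTS_NO_NAMESPACE;
    }
    if (sethostname(name, strlen(name)) != 0)
        return UTS_ERROR;
    if (gethostname(buf, sizeof buf) != 0)
        return UTS_ERROR;
    buf[sizeof buf - 1] = '\0';
    return strcmp(buf, name) == 0 ? UTS_ISOLATED : UTS_ERROR;
}

/* Forks a task that tries to take `container_name` (constructed value), then
 * checks from the parent, i.e. the "host" side, that its hostname is intact. */
int uts_isolation_demo(const char *container_name)
{
    char before[HOST_NAME_MAX + 1], after[HOST_NAME_MAX + 1];
    int status;
    pid_t pid;

    if (gethostname(before, sizeof before) != 0)
        return UTS_ERROR;
    before[sizeof before - 1] = '\0';

    pid = fork();
    if (pid < 0)
        return UTS_ERROR;
    if (pid == 0)
        _exit(child_set_hostname(container_name));

    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return UTS_ERROR;

    if (gethostname(after, sizeof after) != 0)
        return UTS_ERROR;
    after[sizeof after - 1] = '\0';
    if (strcmp(before, after) != 0)
        return UTS_HOST_CHANGED;   /* the outcome the issue warns about */

    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *labels[] = {
        "isolated: task renamed itself, host hostname intact",
        "HOST HOSTNAME CHANGED (isolation failure)",
        "no private UTS namespace available (EPERM?), hostname left alone",
        "error",
    };
    int r = uts_isolation_demo("ucr-task-0");   /* constructed task hostname */
    printf("%s\n", labels[r]);
    return (r == UTS_ISOLATED || r == UTS_NO_NAMESPACE) ? 0 : 1;
}
```

Run it as root (or with `CAP_SYS_ADMIN`) and the task ends up with its own hostname while `hostname` on the host still prints the old name; run it unprivileged and it refuses to rename anything. Either way the host hostname never changes, which is exactly the property a containerizer gains by always entering a UTS namespace rather than making it depend on the networking mode.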
