> On July 8, 2015, 9:38 p.m., Bill Farner wrote:
> > Only nits remaining, and one request for test coverage.
> > 
> > One final disclaimer on the security issue this creates - IIUC, arbitrary 
> > user-specified volume mounts opens up your cluster to privilege escalation.
> > See this discussion for some detail: 
> > https://github.com/docker/docker/issues/3124, specifically this comment:
> > ```
> >  thaJeztah commented on May 23
> > 
> > @JWGmeligMeyling files and folders created in the volume will have the same 
> > uid:gid (numeric) as the user creating them in the container. If you add a 
> > user inside the container having the same uid:gid as outside the container 
> > and run your container as that user, that should be possible
> > ```
> > 
> > More direct coverage of the risk:
> > https://fosterelli.co/privilege-escalation-via-docker.html
> > http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
> > 
> > 
> > I'm happy to be proven wrong on this suspicion, but please confirm for 
> > yourself that this is safe to do.

Hi, I'm aware of the security implications of the patch. Not only using 
volumes, but also enabling privileged mode, enabling host-based networking, or 
mapping devices can mess up the host. But since this is supported by Mesos, and 
we disable it by default now, I think it is an assumed risk of using docker and 
its faulty security model.

I understand this is a huge concern if the use case is that arbitrary task 
definitions are submitted directly into aurora by users. One spurious job can 
crash all the tasks on a host. But there are also other use cases in which the 
interaction with aurora is curated or hidden behind another tool. In those 
cases having this flexibility enables a lot of possibilities with docker 
containers.

Do you think it would be beneficial to raise the discussion with more 
people, or does this modification just move the project in the wrong direction?


- Mauricio


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34337/#review90994
-----------------------------------------------------------
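The thread above turns on what happens when the operator does not trust the Docker parameters a job submits: `--privileged`, host networking, device mappings and bind mounts of host paths each give the task a foothold on the host, and a bind mount in particular lets a process inside the container create files with any uid:gid it chooses on the mounted host directory. The following is an added example of the kind of policy check an operator could put in front of such parameters; it is not Aurora's code and not part of this review. It assumes parameters arrive as `(name, value)` pairs mirroring `docker run --<name> <value>`, and the allowed mount root `/data/jobs` is a constructed value.

```python
"""Policy check for user-supplied Docker parameters (added example, not Aurora code).

Each parameter is a (name, value) pair, e.g. ("volume", "/data/jobs/pg1:/var/lib/pg")
or ("privileged", "true"), mirroring `docker run --<name> <value>`.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Flags that grant host-level access; rejected regardless of value.
DENIED_FLAGS = {"privileged", "device", "pid", "ipc", "cap-add", "security-opt"}

# Only this host subtree may be bind-mounted (constructed value for the example).
ALLOWED_MOUNT_ROOT = "/data/jobs"

# Docker-managed named volumes look like this; they are not host paths.
_NAMED_VOLUME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def _host_part(volume_spec: str) -> Optional[str]:
    """Return the host side of a -v spec ([host:]container[:opts]), or None if absent."""
    parts = volume_spec.split(":")
    if len(parts) == 1:
        return None  # anonymous volume: docker manages it, no host path involved
    return parts[0]


def _under_root(host_path: str) -> bool:
    """True if the normalised absolute path is inside ALLOWED_MOUNT_ROOT.

    normpath collapses '..' segments, so '/data/jobs/../../etc' is caught.
    """
    real = os.path.normpath(host_path)
    return real == ALLOWED_MOUNT_ROOT or real.startswith(ALLOWED_MOUNT_ROOT + "/")


def check_parameters(params: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a list of policy violations; an empty list means the set is acceptable."""
    violations: List[str] = []
    for name, value in params:
        flag = name.lstrip("-").lower()
        value = value.strip()

        if flag in DENIED_FLAGS:
            violations.append(f"--{flag} is not permitted")
        elif flag in ("net", "network") and value.lower() == "host":
            violations.append("host networking is not permitted")
        elif flag in ("v", "volume"):
            host = _host_part(value)
            if host is None or _NAMED_VOLUME.match(host):
                continue  # anonymous or named volume: stays under docker's control
            if not os.path.isabs(host) or not _under_root(host):
                violations.append(
                    f"bind mount of {host!r} is outside {ALLOWED_MOUNT_ROOT}"
                )
        # Anything else (labels, env, etc.) passes through unchanged.
    return violations


if __name__ == "__main__":
    # Constructed sample job: one acceptable parameter set, one that escalates.
    postgres_job = [
        ("label", "service=postgres"),
        ("volume", "/data/jobs/pg1:/var/lib/postgresql/data"),
    ]
    risky_job = [
        ("privileged", "true"),
        ("net", "host"),
        ("v", "/data/jobs/../../etc:/mnt/etc"),
    ]
    print("postgres_job:", check_parameters(postgres_job) or "ok")
    print("risky_job:", check_parameters(risky_job))
```

The check is deliberately an allowlist on the one thing that is hard to reason about (host paths) and a denylist on the flags that are never safe for untrusted jobs; a deployment where Aurora is hidden behind a curating tool, as the reply describes, is exactly where such a filter would sit.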


On July 5, 2015, 11:58 p.m., Mauricio Garavaglia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34337/
> -----------------------------------------------------------
> 
> (Updated July 5, 2015, 11:58 p.m.)
> 
> 
> Review request for Aurora and Bill Farner.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Support Arbitrary Docker Parameters in DockerContainer
> 
> 
> Diffs
> -----
> 
>   api/src/main/thrift/org/apache/aurora/gen/api.thrift d740a90 
>   docs/configuration-reference.md dafd306 
>   src/main/java/org/apache/aurora/scheduler/configuration/ConfigurationManager.java be79e70 
>   src/main/java/org/apache/aurora/scheduler/mesos/MesosTaskFactory.java c0d165a 
>   src/main/python/apache/aurora/config/schema/base.py d1f1e4f 
>   src/main/python/apache/aurora/config/thrift.py 88dd1c7 
>   src/test/java/org/apache/aurora/scheduler/mesos/MesosTaskFactoryImplTest.java c0cadfb 
> 
> Diff: https://reviews.apache.org/r/34337/diff/
> 
> 
> Testing
> -------
> 
> Used Docker as the container of a Job. Included volumes and label parameters, 
> which are correctly picked up by mesos when starting the task. The docker 
> container gets the specified label and bind mounts the volumes correctly. 
> I've been running multiple PostgreSQL database docker containers for several 
> weeks, deploying them as aurora jobs.
> 
> 
> Thanks,
> 
> Mauricio Garavaglia
> 