[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242631#comment-16242631
]
Eric Yang commented on YARN-7197:
-
[~shaneku...@gmail.com]
{quote}
I'm aware of the differe
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242605#comment-16242605
]
Shane Kumpf commented on YARN-7197:
---
I'm aware of the differences between mounting the so
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242583#comment-16242583
]
Eric Yang commented on YARN-7197:
-
[~shaneku...@gmail.com]
{quote}
Unfortunately, I've rece
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242539#comment-16242539
]
Eric Yang commented on YARN-7197:
-
[~jlowe] {quote}
If the whitelist only allows bindmount
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242481#comment-16242481
]
Shane Kumpf commented on YARN-7197:
---
{quote}
Would it be too restrictive to enforce that
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242415#comment-16242415
]
Jason Lowe commented on YARN-7197:
--
bq. Docker image can also be regulated through trusted
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241479#comment-16241479
]
Eric Yang commented on YARN-7197:
-
I am starting to doubt the feasibility of blacklist appr
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241257#comment-16241257
]
Eric Yang commented on YARN-7197:
-
{quote}
{code}
docker run -it -v /etc:/home/test/etc --m
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241233#comment-16241233
]
Eric Yang commented on YARN-7197:
-
[~jlowe]
{quote}
If I'm understanding properly, we need
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241014#comment-16241014
]
Jason Lowe commented on YARN-7197:
--
bq. I see that I missed a key point about mounting abo
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240946#comment-16240946
]
Eric Yang commented on YARN-7197:
-
{quote}
Couldn't the same be said about directories? If
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240765#comment-16240765
]
Jason Lowe commented on YARN-7197:
--
bq. Even if it worked, we could be leaking private con
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240684#comment-16240684
]
Eric Yang commented on YARN-7197:
-
[~jlowe]
{quote}
Yes, by "explode" I mean the OS will
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240440#comment-16240440
]
Jason Lowe commented on YARN-7197:
--
bq. Explode might be exaggeration.
Yes, by "explode"
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16238617#comment-16238617
]
Eric Yang commented on YARN-7197:
-
Hi [~jlowe], thank you for the review.
{quote}
I'm no
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16238528#comment-16238528
]
Jason Lowe commented on YARN-7197:
--
Thanks for updating the patch!
bq. Container-Executor
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16236421#comment-16236421
]
Hadoop QA commented on YARN-7197:
-
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote |
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235101#comment-16235101
]
Hadoop QA commented on YARN-7197:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote ||
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234551#comment-16234551
]
Hadoop QA commented on YARN-7197:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote ||
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234454#comment-16234454
]
Eric Yang commented on YARN-7197:
-
Hi [~jlowe]
{quote}
If black list contains misconfigure
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234333#comment-16234333
]
Jason Lowe commented on YARN-7197:
--
Thanks for updating the patch!
bq. If black list cont
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226857#comment-16226857
]
Shane Kumpf commented on YARN-7197:
---
Thanks for the additional details. For that case, it
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226800#comment-16226800
]
Jason Lowe commented on YARN-7197:
--
I was under the impression the blacklist would only mo
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226626#comment-16226626
]
Shane Kumpf commented on YARN-7197:
---
My initial thought was that the empty directory bind
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225812#comment-16225812
]
Jason Lowe commented on YARN-7197:
--
Solution 3 is more secure since the paths are unavaila
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225452#comment-16225452
]
Eric Yang commented on YARN-7197:
-
[~jlowe]
{quote}Either /run isn't in the whitelist in
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225397#comment-16225397
]
Eric Badger commented on YARN-7197:
---
bq. I think we should fail the container creation, i
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225228#comment-16225228
]
Eric Yang commented on YARN-7197:
-
[~ebadger] My mistakes, normal directory works. I was d
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225026#comment-16225026
]
Eric Badger commented on YARN-7197:
---
{quote}
Btw, docker doesn't support double mount lik
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223344#comment-16223344
]
Eric Yang commented on YARN-7197:
-
Btw, docker doesn't support double mount like:
{code}
d
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223306#comment-16223306
]
Eric Yang commented on YARN-7197:
-
[~jlowe] I agree with everything you said that the curre
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222610#comment-16222610
]
Jason Lowe commented on YARN-7197:
--
Like [~ebadger], I am a bit confused on how this adds
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221402#comment-16221402
]
Eric Yang commented on YARN-7197:
-
[~ebadger] Any other concern about this feature? I will
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219115#comment-16219115
]
Eric Yang commented on YARN-7197:
-
[~ebadger] said:
{quote}
The user can just mount above t
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218724#comment-16218724
]
Shane Kumpf commented on YARN-7197:
---
The way I saw this being useful was less about secur
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218663#comment-16218663
]
Eric Badger commented on YARN-7197:
---
bq. File system ACL is the only protection to verify
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217854#comment-16217854
]
Eric Yang commented on YARN-7197:
-
[~ebadger] You are correct on all points, and mounting p
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217795#comment-16217795
]
Eric Badger commented on YARN-7197:
---
Actually, thinking about this more, I'm wondering if
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217693#comment-16217693
]
Eric Badger commented on YARN-7197:
---
[~eyang]
bq. Symlink are banned to prevent mistakes
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217638#comment-16217638
]
Eric Yang commented on YARN-7197:
-
[~ebadger] Symlink are banned to prevent mistakes. I ca
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217393#comment-16217393
]
Eric Badger commented on YARN-7197:
---
{noformat}
// symlinks are banned.
if (strcmp(no
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217162#comment-16217162
]
Eric Badger commented on YARN-7197:
---
[~eyang], since we split the whitelist into separate
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216245#comment-16216245
]
Eric Yang commented on YARN-7197:
-
The failed unit test is not related to this patch.
> Ad
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215619#comment-16215619
]
Hadoop QA commented on YARN-7197:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote ||
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208479#comment-16208479
]
Eric Badger commented on YARN-7197:
---
[~eyang], just like YARN-5534, I'll hold off looking
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16206912#comment-16206912
]
Hadoop QA commented on YARN-7197:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote ||
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16167890#comment-16167890
]
Eric Badger commented on YARN-7197:
---
{quote}
For example, if a system admin would like to
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16167752#comment-16167752
]
Shane Kumpf commented on YARN-7197:
---
[~ebadger] - Thanks for the feedback. I had similar
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16167123#comment-16167123
]
Eric Yang commented on YARN-7197:
-
[~ebadger] This is similar to firewall rules. We need a
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16166937#comment-16166937
]
Eric Badger commented on YARN-7197:
---
Hi [~shaneku...@gmail.com], [~eyang]. I'm not sure I
[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16166916#comment-16166916
]
Eric Yang commented on YARN-7197:
-
Consider the following scenarios:
# Docker container wi
51 matches