Shane Kumpf created YARN-7197:
---------------------------------
Summary: Add support for a volume blacklist for docker containers
Key: YARN-7197
URL: https://issues.apache.org/jira/browse/YARN-7197
Project: Hadoop YARN
Issue Type: Sub-task
Components: yarn
Reporter: Shane Kumpf

Docker supports bind mounting host directories into containers. Work is
underway to allow admins to configure a whitelist of user mounts. While this
is a much needed and useful feature, it opens the door for misconfiguration
that may lead to users being able to compromise or crash the system.

One example would be allowing users to mount /run from a host running systemd,
and then running systemd in that container, rendering the host mostly unusable.

This issue is to add support for a default blacklist. The default blacklist
would be where we put files and directories that, if mounted into a container,
are likely to have negative consequences. Users are encouraged not to remove
items from the default blacklist, but may do so if necessary.
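
A sketch of the check this issue asks for, added here as an illustration and not taken from YARN or from the reporter: a requested bind-mount source is refused when it is a blacklisted path, sits beneath one, or is a parent that would expose one, even if an over-broad whitelist covers it. The function names and every path except /run are constructed assumptions.

```python
import posixpath

def normalize(path):
    """Lexically normalize an absolute host path (symlinks are NOT resolved)."""
    if not path.startswith("/"):
        raise ValueError("mount source must be an absolute path: %r" % path)
    # normpath removes "." and ".." but keeps a leading "//"; collapse that too.
    return "/" + posixpath.normpath(path).lstrip("/")

def is_within(path, root):
    """True if path equals root or lies beneath it, on component boundaries."""
    return root == "/" or path == root or path.startswith(root + "/")

def check_mount(source, whitelist, blacklist):
    """Return (allowed, reason) for a requested bind-mount source."""
    src = normalize(source)
    # The blacklist is evaluated first so a whitelist mistake cannot override it.
    for entry in map(normalize, blacklist):
        if is_within(src, entry):
            return False, "inside blacklisted path " + entry
        if is_within(entry, src):
            # Mounting a parent directory exposes the blacklisted child as well.
            return False, "would expose blacklisted path " + entry
    if not any(is_within(src, normalize(w)) for w in whitelist):
        return False, "not covered by whitelist"
    return True, "allowed"

# Constructed sample policy: the whitelist is deliberately over-broad to model
# the misconfiguration described above. Only /run comes from the issue text.
WHITELIST = ["/data", "/run", "/"]
BLACKLIST = ["/run", "/proc", "/sys"]
REQUESTS = ["/data/sets", "/run", "/data/../run/systemd", "/", "/runtime"]

if __name__ == "__main__":
    for request in REQUESTS:
        allowed, reason = check_mount(request, WHITELIST, BLACKLIST)
        print("%-22s %-5s %s" % (request, "ALLOW" if allowed else "DENY", reason))
```

The comparison is purely lexical, so a real enforcement point would also need to resolve symlinks on the host before comparing paths.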