Eric Yang created YARN-7516:
-------------------------------

             Summary: Security check for untrusted docker image
                 Key: YARN-7516
                 URL: https://issues.apache.org/jira/browse/YARN-7516
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Eric Yang


Hadoop YARN Services can support using a private docker registry image or a 
docker image from docker hub.  In the current implementation, Hadoop security 
is enforced through username and group membership, and uid:gid consistency is 
enforced between the docker container and the distributed file system.  There 
is a cloud use case for having the ability to run untrusted docker images on 
the same cluster for testing.  

The basic requirement for an untrusted container is to ensure that all kernel 
and root privileges are dropped, and that there is no interaction with the 
distributed file system, to avoid contamination.  We can probably enforce 
detection of untrusted docker images by checking the following:

# If the docker image is from a public docker hub repository, the container is 
automatically flagged as insecure, disk volume mounts are disabled 
automatically, and all kernel capabilities are dropped.
# If the docker image is from a private repository in docker hub, and there is 
a white list that allows the private repository, disk volume mounts are allowed 
and kernel capabilities follow the allowed list.
# If the docker image is from a private trusted repository with an image name 
like "private.registry.local:5000/centos", and the white list allows this 
private trusted repository, disk volume mounts are allowed and kernel 
capabilities follow the allowed list.
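As an added illustration of the three cases above (example code written for this discussion, not Hadoop YARN code), the following Python splits a docker image reference into registry, repository and tag using Docker's naming rules, decides which case it falls into against operator-supplied white lists, and turns the resulting policy into `docker run` flags. The white lists, the allowed capability list and the mount paths are constructed sample values; treating an unknown registry as untrusted (fail closed) is a design choice the ticket does not state.

```python
"""Classify a docker image reference and derive the container restrictions
described in the ticket: untrusted images get no volume mounts and no kernel
capabilities, white-listed images get mounts and the allowed capability list.

Added example; not Hadoop YARN code.  White lists below are constructed data.
"""
from dataclasses import dataclass
from typing import Tuple

DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

# Constructed white lists (assumption): trusted Docker Hub namespaces and
# trusted private registries, as a cluster operator might configure them.
TRUSTED_HUB_NAMESPACES = {"acme"}
TRUSTED_REGISTRIES = {"private.registry.local:5000"}

# Constructed "allowed list" of capabilities a trusted container may keep.
ALLOWED_CAPABILITIES: Tuple[str, ...] = (
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID", "NET_BIND_SERVICE",
)


@dataclass(frozen=True)
class ImageRef:
    registry: str    # host[:port]; "docker.io" when the name has no registry
    repository: str  # e.g. "library/centos" or "acme/app"
    tag: str


def parse_image(image: str) -> ImageRef:
    """Split a reference using Docker's rules: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; a bare Hub
    name such as 'centos' lives under the 'library' namespace."""
    name = image.split("@", 1)[0]               # drop any @sha256:... digest
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:                           # ':' after the last '/' is a tag
        name, tag = name[:colon], name[colon + 1:]
    else:
        tag = "latest"
    parts = name.split("/")
    head = parts[0]
    if len(parts) > 1 and ("." in head or ":" in head or head == "localhost"):
        registry, repository = head, "/".join(parts[1:])
    else:
        registry, repository = "docker.io", name
    if registry in DOCKER_HUB_HOSTS and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag)


@dataclass(frozen=True)
class ContainerPolicy:
    trusted: bool
    reason: str
    volume_mounts_allowed: bool
    capabilities: Tuple[str, ...]   # empty tuple means every capability is dropped


UNTRUSTED = dict(volume_mounts_allowed=False, capabilities=())
TRUSTED = dict(volume_mounts_allowed=True, capabilities=ALLOWED_CAPABILITIES)


def classify(image: str,
             trusted_registries=TRUSTED_REGISTRIES,
             trusted_hub_namespaces=TRUSTED_HUB_NAMESPACES) -> ContainerPolicy:
    ref = parse_image(image)
    if ref.registry in DOCKER_HUB_HOSTS:
        namespace = ref.repository.split("/", 1)[0]
        # The name alone does not reveal whether a Hub repository is private,
        # so only the white list grants trust; 'library' (official public
        # images) is never white-listed here.
        if namespace != "library" and namespace in trusted_hub_namespaces:
            return ContainerPolicy(True, f"white-listed Docker Hub namespace '{namespace}'", **TRUSTED)
        return ContainerPolicy(False, "public Docker Hub image", **UNTRUSTED)
    if ref.registry in trusted_registries:
        return ContainerPolicy(True, f"white-listed private registry '{ref.registry}'", **TRUSTED)
    # Design choice (not stated in the ticket): an unknown registry fails closed.
    return ContainerPolicy(False, f"registry '{ref.registry}' is not white-listed", **UNTRUSTED)


def docker_run_args(policy: ContainerPolicy, requested_mounts=()) -> list:
    """Turn a policy into `docker run` flags: drop every capability, add back
    only the allowed ones, and pass --volume mounts only when permitted."""
    args = ["--cap-drop=ALL"]
    args += [f"--cap-add={cap}" for cap in policy.capabilities]
    if policy.volume_mounts_allowed:
        args += [f"--volume={m}" for m in requested_mounts]
    return args


if __name__ == "__main__":
    for img in ("centos", "acme/app:1.2", "private.registry.local:5000/centos",
                "evil.example.com/tool@sha256:0000"):
        p = classify(img)
        print(f"{img:45} trusted={p.trusted!s:5} {p.reason}")
        print("   ", " ".join(docker_run_args(p, ["/data:/data"])))
```

Running the module prints the decision for each constructed reference and the flags that would be passed to `docker run`; the public `centos` image ends up with only `--cap-drop=ALL` and no `--volume`, while the white-listed registry image keeps the allowed capability list and its mount.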



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
