[
https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15681421#comment-15681421
]
Daniel Templeton edited comment on YARN-5534 at 11/20/16 4:39 PM:
------------------------------------------------------------------
Thanks for posting the patch, [~luhuichun]. Sorry for taking so long to get
around to reviewing it. I apparently also misread the issue description the
first time.
Given that the current volume mounts only allow mounting directories from the
set of localized files, I'm not sure additional white listing is all that
useful. And given that YARN-5298 already mounts all the localized directories,
I'm not sure this JIRA will actually change anything.
What I originally thought I read, and what I think *would* be useful, is
allowing _arbitrary_ volume mounts from a whitelist, not just mounting
localized resources. For example, if I'm going to use a Docker image to
execute MR jobs, I have to install Hadoop in that image. When I upgrade my
cluster, I then have to upgrade or recreate all my Docker images. If the
Hadoop directories were mountable, I could let YARN mount them from the host
machine and not have to worry about it.
was (Author: templedf):
Thanks for posting the patch, [~luhuichun]. Sorry for taking so long to get
around to reviewing it. I apparently also misread the issue description the
first time.
Given that the current volume mounts only allow mounting directories from the
set of localized files, I'm not sure additional white listing is all that
useful. And given that YARN-5298 already mounts all the localized directories,
I'm not sure this JIRA will actually change anything.
What I originally thought I read, and what I think *would* be useful, is
allowing _arbitrary_ volume mounts from a whitelist, not just mounting
localized resources. For example, if I'm going to use a Docker image to
execute MR jobs, I have to install Hadoop in that image. When I upgrade my
cluster, I then have to upgrade or recreate all my Docker images. If the
Hadoop directories were mountable, I could let YARN mount them in and not have
to worry about it.
> Allow whitelisted volume mounts
> --------------------------------
>
> Key: YARN-5534
> URL: https://issues.apache.org/jira/browse/YARN-5534
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: luhuichun
> Assignee: luhuichun
> Attachments: YARN-5534.001.patch
>
>
> 1. Introduction
> Mounting files or directories from the host is one way of passing
> configuration and other information into a docker container.
> We could allow the user to set a list of mounts in the environment of
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2).
> These would be mounted read-only to the specified target locations. This has
> been resolved in YARN-4595.
> 2. Problem Definition
> But mounting arbitrary volumes into a Docker container can be a security risk.
> 3. Possible solutions
> One approach to provide safe mounts is to allow the cluster administrator to
> configure a set of parent directories as white-list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list; when the
> container executor does mount checking, only the allowed directories or their
> sub-directories can be mounted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
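The issue description proposes that the container executor accept a "src:dst,src:dst" mount list only when every source lies under an administrator-configured parent directory. The following is an added example, written for this discussion and not YARN's container-executor code or the YARN-5534.001.patch attached to the issue, of what such a check has to get right before it is safe: the source must be absolute, must exist, and must be canonicalised with realpath(3) so that ".." and symlinks cannot escape the whitelisted parent, and the containment test must compare on path-component boundaries rather than as a raw string prefix. The function names (mount_permitted, validate_mount_list, check_one, run_demo) and the fixture directory layout under /tmp are assumptions for the example; the whitelist values stand in for whatever yarn.nodemanager.volume-mounts.white-list would carry.

```c
/* Illustrative whitelist check for Docker host-volume mounts.
   Added example for this discussion; not YARN's container-executor code. */
#define _GNU_SOURCE 1
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` equals `parent` or lies below it on a component boundary.
   A plain prefix test would accept "/data2" for whitelist entry "/data". */
static int is_under(const char *parent, const char *path)
{
    size_t n = strlen(parent);
    while (n > 1 && parent[n - 1] == '/')
        n--;                                   /* tolerate trailing '/' in config */
    return strncmp(parent, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Canonicalise a path: absolute, existing, with ".." and symlinks resolved by realpath(3). */
static int canonical(const char *p, char out[PATH_MAX])
{
    return (p && p[0] == '/' && realpath(p, out)) ? 0 : -1;
}

/* 1 if host path `src` is inside one of the whitelisted parent directories. */
int mount_permitted(const char *const *whitelist, size_t nwl, const char *src)
{
    char resolved[PATH_MAX], allowed[PATH_MAX];
    if (canonical(src, resolved) != 0)
        return 0;                              /* relative, missing or unresolvable: deny */
    for (size_t i = 0; i < nwl; i++) {
        if (canonical(whitelist[i], allowed) != 0)
            continue;                          /* bad config entry: skip it, never widen */
        if (is_under(allowed, resolved))
            return 1;
    }
    return 0;
}

/* Validate a "src:dst,src:dst" list as proposed for the ContainerLaunchContext env.
   Returns the number of accepted mounts, or -1 if any entry is malformed or rejected,
   so a container never launches with a partially filtered mount set. */
int validate_mount_list(const char *const *whitelist, size_t nwl, const char *spec)
{
    char buf[4096], *save, *tok;
    int accepted = 0;
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        char *colon = strchr(tok, ':');
        if (colon == NULL || colon == tok || colon[1] != '/')
            return -1;                         /* need "src:dst" with an absolute target */
        *colon = '\0';
        if (!mount_permitted(whitelist, nwl, tok))
            return -1;
        accepted++;
    }
    return accepted;
}

/* Convenience wrapper for a whitelist with a single parent directory. */
int check_one(const char *whitelist_dir, const char *spec)
{
    const char *wl[] = { whitelist_dir };
    return validate_mount_list(wl, 1, spec);
}

/* Throw-away fixture under /tmp (constructed for the demo, not a real NodeManager layout):
     <base>/data            whitelisted parent
     <base>/data/localized  legitimate sub-directory
     <base>/data/escape     symlink to /etc, accepted by a naive prefix check
     <base>/data2           sibling sharing "/data" as a string prefix           */
static int make_fixture(char base[PATH_MAX])
{
    char p[PATH_MAX + 32];
    strcpy(base, "/tmp/wlmountXXXXXX");
    if (mkdtemp(base) == NULL) return -1;
    snprintf(p, sizeof p, "%s/data", base);           if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/data/localized", base); if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/data2", base);          if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/data/escape", base);    return symlink("/etc", p);
}

/* Runs the demo cases against the fixture; bit i of the result is set when case i
   was allowed. Only "data/localized" and "data" itself should pass, giving 3. */
int run_demo(void)
{
    static const char *cases[] = { "data/localized", "data", "data2", "data/escape", "data/../data2" };
    char base[PATH_MAX], wl[PATH_MAX + 8], spec[PATH_MAX + 64];
    int mask = 0;
    if (make_fixture(base) != 0)
        return -1;
    snprintf(wl, sizeof wl, "%s/data", base);
    for (int i = 0; i < 5; i++) {
        snprintf(spec, sizeof spec, "%s/%s:/opt/hadoop", base, cases[i]);
        int ok = check_one(wl, spec) == 1;
        printf("%-60s %s\n", spec, ok ? "allowed" : "REJECTED");
        if (ok) mask |= 1 << i;
    }
    return mask;
}

int main(void)
{
    return run_demo() == 3 ? 0 : 1;
}
```

Two design points matter for the security argument on this issue. First, both the whitelist entries and the requested source go through realpath(3), so a symlink planted inside a whitelisted directory (the "escape" case) resolves to its real target and is rejected, and a whitelist entry that does not resolve is ignored rather than treated as a wildcard. Second, the list is validated all-or-nothing, because launching a container with some mounts silently dropped would hide a policy violation from the user and from the NodeManager logs.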