[ 
https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15684542#comment-15684542
 ] 

Shane Kumpf commented on YARN-5534:
-----------------------------------

Thanks for the patch [~luhuichun]!

I agree with [~templedf]. YARN-4595 only allows for mounting localized 
resources, which isn't flexible enough for what we need here. We'd like to 
eliminate issues such as YARN-5042 (mounting /sys/fs/cgroup in every container) 
every time we have a similar need. Another example would be /dev/urandom, which 
is commonly mounted into containers that generate keys.

The current implementation is moving towards allowing subdirectories under a 
white listed mount to be mounted into the docker container. What is the use 
case for allowing subdirectories vs forcing the user supplied mount to match 
the white list entry?

Here are some items to address in the future patch:

1)
{code}
+
+  public static final String NM_WHITE_LIST_VOLUME_MOUNT =
+          NM_PREFIX + "white-list-volume-mount";
+
{code}
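Review bot: the key built on the `NM_PREFIX + "white-list-volume-mount"` line does not match the property name given in the issue description, `yarn.nodemanager.volume-mounts.white-list`, and the new constant has no Javadoc. Settle on one name, and document on the constant what the value holds (the description implies a list of parent directories) and what an unset or empty value means, since it could be read either as "no mounts allowed" or as "no restriction".
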
The configuration should be under the {{DOCKER_CONTAINER_RUNTIME_PREFIX}}.

2)
{code}
         if (!path.isAbsolute()) {
           throw new ContainerExecutionException("Mount must be absolute: " +
-              mount);
+                  mount);
         }
         if (Files.isSymbolicLink(path)) {
           throw new ContainerExecutionException("Mount cannot be a symlink: " +
-              mount);
+                  mount);
{code}
Can you fix the formatting changes here?

3)
{code}
+  private boolean isSubDirectory(File parent, File child){
+    try {
+      parent = parent.getCanonicalFile();
+      child = child.getCanonicalFile();
+      File parentFile = child;
+      while (parentFile != null){
+        if (parent.equals(parentFile)){
+          return true;
+        }
+        parentFile = parentFile.getParentFile();
+      }
+    } catch (IOException e) {
+      e.printStackTrace();
+    }
+    return false;
   }
{code}
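Review bot: in the `catch (IOException e)` block of `isSubDirectory`, `e.printStackTrace()` writes to stderr and the method then returns false, so a canonicalization failure is indistinguishable from a path that is simply outside the whitelist. Failing closed is the right default for a security check, but report the failure through a logger with both paths, or rethrow it as a `ContainerExecutionException`, so a rejected mount can be diagnosed. The loop also returns true when `child` equals `parent`, which the method name does not suggest; state that in a Javadoc comment, and use local variables rather than reassigning the `parent` and `child` parameters.
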
Assuming we need subdirectories, I would expect a subdirectory check has been 
implemented elsewhere in the code base and doesn't need to be defined again, 
but I didn't find it in my non-exhaustive search. Perhaps someone else can 
chime in if they know of one. Otherwise, maybe it would be good to add this to 
a utility class vs leaving it in the runtime?


> Allow whitelisted volume mounts 
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: luhuichun
>         Attachments: YARN-5534.001.patch
>
>
> 1. Introduction
> Mounting files or directories from the host is one way of passing 
> configuration and other information into a docker container. 
> We could allow the user to set a list of mounts in the environment of 
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2). 
> These would be mounted read-only to the specified target locations. This has 
> been resolved in YARN-4595.
> 2. Problem Definition
> But mounting arbitrary volumes into a Docker container can be a security risk.
> 3. Possible solutions
> One approach to provide safe mounts is to allow the cluster administrator to 
> configure a set of parent directories as white list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list; when the 
> container executor does mount checking, only the allowed directories or 
> sub-directories can be mounted. 


