[
https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16089694#comment-16089694
]
Shane Kumpf commented on YARN-5534:
-----------------------------------
[~ebadger] - sorry for the delay here. I'm actively working on this.
Couple of comments on the approach:
# YARN-4595 addressed read-only mounts for local resources. I'm planning to
consolidate the mount whitelist and local resource mounts into a single ENV
variable.
# Local resources will be implicitly added to the whitelist in read-only mode.
# There is currently an issue with multiple mounts and MapReduce due to how
environment variables are parsed. See YARN-6830.
# The admin will define a comma separated list of <src>:<mode> (ro or rw)
mounts, the requesting user will supply <src>:<dest>:<mode> - mode must be
equal to or lesser than the admin defined mode (i.e. admin defines mount as rw,
user can bind mount as rw OR ro).
One question here, does any feel there is value in allowing the admin to
restrict the destination mount point within the container? I can't think of a
use case for this, and expect most admins would likely just wildcard the field
for all the mounts. Currently, the plan for the admin supplied whitelist does
not include restricting the destination within the container.
> Allow whitelisted volume mounts
> --------------------------------
>
> Key: YARN-5534
> URL: https://issues.apache.org/jira/browse/YARN-5534
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: luhuichun
> Assignee: Shane Kumpf
> Attachments: YARN-5534.001.patch, YARN-5534.002.patch
>
>
> Introduction
> Mounting files or directories from the host is one way of passing
> configuration and other information into a docker container.
> We could allow the user to set a list of mounts in the environment of
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2).
> These would be mounted read-only to the specified target locations. This has
> been resolved in YARN-4595
> 2.Problem Definition
> Bug mounting arbitrary volumes into a Docker container can be a security risk.
> 3.Possible solutions
> one approach to provide safe mounts is to allow the cluster administrator to
> configure a set of parent directories as white list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list, when
> container executor do mount checking, only the allowed directories or
> sub-directories can be mounted.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
