[ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093026#comment-16093026 ]

Shane Kumpf commented on YARN-5534:
-----------------------------------

Thanks [~ebadger] and [~templedf] for the feedback.

{quote}I was thinking of the current code where we are bind-mounting "/sys/fs/cgroup" for every container.{quote}

Part of the point of the mount whitelist is so we can remove the hard-coded /sys/fs/cgroup mount. That really doesn't apply to all containers, for instance CentOS 6, and actually introduces odd behavior on systems with many cores.

{quote}For my use case, we would always want to bind mount "/var/run/nscd" so that users can do lookups inside of the container and utilize the host's configs and cache. With the current state of affairs over in YARN-4266, if we enter the container as a UID:GID pair, MRAppMaster will fail if we don't bind-mount "/var/run/nscd".{quote}

I think we could solve the need above through documentation, but I can understand the convenience of having an auto bind mount list. IMO, I think that feature might be better suited as a separate patch though, since it will essentially bypass the whitelist.

> Allow whitelisted volume mounts
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch
>
> Introduction
> Mounting files or directories from the host is one way of passing configuration and other information into a docker container.
> We could allow the user to set a list of mounts in the environment of ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2). These would be mounted read-only to the specified target locations. This has been resolved in YARN-4595.
>
> 2. Problem Definition
> But mounting arbitrary volumes into a Docker container can be a security risk.
>
> 3. Possible solutions
> One approach to provide safe mounts is to allow the cluster administrator to configure a set of parent directories as a white list of mounting directories. Add a property named yarn.nodemanager.volume-mounts.white-list; when the container executor does mount checking, only the allowed directories or sub-directories can be mounted.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
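The check the issue description calls for (a host path is mountable only if it is one of the whitelisted parent directories or a sub-directory of one) is easy to get wrong in two ways: a plain prefix comparison lets "/data2" through when "/data" is whitelisted, and an un-normalized path lets "/data/../etc" escape the parent. The following C sketch is an added example written for this page; it is not code from the YARN project, from either attached patch, or from the real container-executor. It assumes the whitelist arrives as a comma-separated list of absolute directories (the format of yarn.nodemanager.volume-mounts.white-list is not specified on the page) and that mount specs use the "host:container" form from the description; the function names are hypothetical. It normalizes paths lexically only; a production executor must additionally canonicalize the host path with realpath() so that a symlink inside a whitelisted directory cannot point elsewhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 4096

/* Lexically normalize an absolute path: drop "." components, collapse
 * repeated "/", and resolve "..". Returns false for relative paths, for
 * over-long input, or if ".." would climb above "/". Symlinks are NOT
 * resolved here; see realpath() in a real implementation. */
static bool normalize_path(const char *in, char *out) {
    if (in == NULL || in[0] != '/') return false;
    size_t len = strlen(in);
    if (len >= MAX_PATH_LEN) return false;
    char buf[MAX_PATH_LEN];
    memcpy(buf, in, len + 1);

    char *stack[MAX_PATH_LEN / 2];   /* component stack, pointers into buf */
    int depth = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, "/", &save); tok != NULL;
         tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return false;   /* refuse to climb above root */
            depth--;
            continue;
        }
        stack[depth++] = tok;
    }
    size_t pos = 0;
    out[pos++] = '/';
    for (int i = 0; i < depth; i++) {
        size_t tl = strlen(stack[i]);
        if (pos + tl + 1 >= MAX_PATH_LEN) return false;
        if (i > 0) out[pos++] = '/';
        memcpy(out + pos, stack[i], tl);
        pos += tl;
    }
    out[pos] = '\0';
    return true;
}

/* True if `path` equals `parent` or lies inside it after normalization.
 * The boundary check (next char must be '/' or end) is what stops
 * "/data2" from matching a whitelisted "/data". */
static bool is_under(const char *parent, const char *path) {
    char p[MAX_PATH_LEN], c[MAX_PATH_LEN];
    if (!normalize_path(parent, p) || !normalize_path(path, c)) return false;
    if (strcmp(p, "/") == 0) return true;        /* "/" whitelists everything */
    size_t pl = strlen(p);
    if (strncmp(c, p, pl) != 0) return false;
    return c[pl] == '\0' || c[pl] == '/';
}

/* `whitelist` is the assumed comma-separated value of the proposed
 * yarn.nodemanager.volume-mounts.white-list property. Allowed only if the
 * host path is under at least one entry; malformed input is rejected. */
bool mount_allowed(const char *whitelist, const char *host_path) {
    if (whitelist == NULL || host_path == NULL) return false;
    size_t len = strlen(whitelist);
    if (len >= MAX_PATH_LEN) return false;
    char buf[MAX_PATH_LEN];
    memcpy(buf, whitelist, len + 1);
    char *save = NULL;
    for (char *entry = strtok_r(buf, ",", &save); entry != NULL;
         entry = strtok_r(NULL, ",", &save)) {
        while (*entry == ' ') entry++;           /* tolerate "a, b" spacing */
        if (*entry == '\0') continue;
        if (is_under(entry, host_path)) return true;
    }
    return false;
}

/* Check one "host:container" spec; only the host side is policy-relevant. */
bool mount_spec_allowed(const char *whitelist, const char *spec) {
    if (spec == NULL) return false;
    const char *colon = strchr(spec, ':');
    if (colon == NULL || colon == spec) return false;
    size_t hl = (size_t)(colon - spec);
    if (hl >= MAX_PATH_LEN) return false;
    char host[MAX_PATH_LEN];
    memcpy(host, spec, hl);
    host[hl] = '\0';
    return mount_allowed(whitelist, host);
}

int main(void) {
    const char *wl = "/var/run/nscd,/data";     /* constructed sample config */
    const char *specs[] = {                     /* constructed sample requests */
        "/var/run/nscd:/var/run/nscd",   /* allowed: exact whitelist entry   */
        "/data/logs/../input:/input",    /* allowed: normalizes to /data/input */
        "/data2:/input",                 /* rejected: prefix, not a sub-dir  */
        "/data/../etc/shadow:/x",        /* rejected: normalizes out of /data */
        "/sys/fs/cgroup:/sys/fs/cgroup", /* rejected: not whitelisted        */
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-32s %s\n", specs[i],
               mount_spec_allowed(wl, specs[i]) ? "allowed" : "rejected");
    return 0;
}
```

Because the whitelist is checked only for the user-supplied list, an unconditional auto-mount list of the kind discussed in the comment above would sit outside this function entirely, which is exactly why the comment treats it as a bypass that deserves its own patch.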