[ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111552#comment-16111552 ]
Vinod Kumar Vavilapalli commented on YARN-5534: ----------------------------------------------- bq. Quick question, should not white-list-volume-mounts be a setting in container-executor.cfg instead of yarn-site.xml? The config should be there in both the places - yarn-site.xml as well as container-executor.cfg so that the java code can read from yarn-site.xml (if needed) and C code from container-executor.cfg and the C code can double check what's coming in from the java land with what is there in container-executor.cfg which is an official blessing by root. bq. Once YARN-6033 is committed, I plan to rewrite it to do invocations via a config file and we can add the checks into the container-executor.cfg. bq. if we check in this jira with yarn-site.xml as the location for the whitelist, we have to keep it backward compatible throughout the lifecycle of 3.0. I would wait with this jira until your container-executor changes get in. YARN-6033 simplifies the configuration management, and there is existing configuration outside of this patch that YARN-6033 should give a compatibility story for. So YARN-6033 doesn't need to be a blocker for this JIRA, me thinks. If YARN-6033 also makes it into 3.0, which it should, the new config added in JIRA can simply be removed. > Allow whitelisted volume mounts > -------------------------------- > > Key: YARN-5534 > URL: https://issues.apache.org/jira/browse/YARN-5534 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn > Reporter: luhuichun > Assignee: Shane Kumpf > Attachments: YARN-5534.001.patch, YARN-5534.002.patch, > YARN-5534.003.patch > > > Introduction > Mounting files or directories from the host is one way of passing > configuration and other information into a docker container. > We could allow the user to set a list of mounts in the environment of > ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2). > These would be mounted read-only to the specified target locations. This has > been resolved in YARN-4595 > 2.Problem Definition > Bug mounting arbitrary volumes into a Docker container can be a security risk. > 3.Possible solutions > one approach to provide safe mounts is to allow the cluster administrator to > configure a set of parent directories as white list mounting directories. > Add a property named yarn.nodemanager.volume-mounts.white-list, when > container executor do mount checking, only the allowed directories or > sub-directories can be mounted. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org