[
https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111552#comment-16111552
]
Vinod Kumar Vavilapalli commented on YARN-5534:
-----------------------------------------------
bq. Quick question, should not white-list-volume-mounts be a setting in
container-executor.cfg instead of yarn-site.xml?
The config should be there in both the places - yarn-site.xml as well as
container-executor.cfg so that the java code can read from yarn-site.xml (if
needed) and C code from container-executor.cfg and the C code can double check
what's coming in from the java land with what is there in
container-executor.cfg which is an official blessing by root.
bq. Once YARN-6033 is committed, I plan to rewrite it to do invocations via a
config file and we can add the checks into the container-executor.cfg.
bq. if we check in this jira with yarn-site.xml as the location for the
whitelist, we have to keep it backward compatible throughout the lifecycle of
3.0. I would wait with this jira until your container-executor changes get in.
YARN-6033 simplifies the configuration management, and there is existing
configuration outside of this patch that YARN-6033 should give a compatibility
story for. So YARN-6033 doesn't need to be a blocker for this JIRA, me thinks.
If YARN-6033 also makes it into 3.0, which it should, the new config added in
JIRA can simply be removed.
> Allow whitelisted volume mounts
> --------------------------------
>
> Key: YARN-5534
> URL: https://issues.apache.org/jira/browse/YARN-5534
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: luhuichun
> Assignee: Shane Kumpf
> Attachments: YARN-5534.001.patch, YARN-5534.002.patch,
> YARN-5534.003.patch
>
>
> Introduction
> Mounting files or directories from the host is one way of passing
> configuration and other information into a docker container.
> We could allow the user to set a list of mounts in the environment of
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2).
> These would be mounted read-only to the specified target locations. This has
> been resolved in YARN-4595
> 2.Problem Definition
> Bug mounting arbitrary volumes into a Docker container can be a security risk.
> 3.Possible solutions
> one approach to provide safe mounts is to allow the cluster administrator to
> configure a set of parent directories as white list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list, when
> container executor do mount checking, only the allowed directories or
> sub-directories can be mounted.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
