[jira] [Commented] (YARN-5534) Allow whitelisted volume mounts

Thu, 03 Aug 2017 10:18:55 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113114#comment-16113114
 ] 

Miklos Szegedi commented on YARN-5534:
--------------------------------------

Thank you, [[email protected]] and [~vinodkv] for the details. As Shane 
said, Java knows the configuration letting launch the container and seeing it 
fail in C. If the system is sending so many invalid privileged requests that it 
affects system performance because of this, there is already something wrong 
with that system.
However, one more thing. While having a general config to enable/disable 
privileged is nice, I think eventually admins will need to specify the users 
that should be allowed to elevate to privileged. This can be applied probably 
on the whitelist as well. Sorry for raising too many design questions late in 
the development.

> Allow whitelisted volume mounts 
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch, 
> YARN-5534.003.patch
>
>
> Introduction 
> Mounting files or directories from the host is one way of passing 
> configuration and other information into a docker container. 
> We could allow the user to set a list of mounts in the environment of 
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2). 
> These would be mounted read-only to the specified target locations. This has 
> been resolved in YARN-4595
> 2.Problem Definition
> Bug mounting arbitrary volumes into a Docker container can be a security risk.
> 3.Possible solutions
> one approach to provide safe mounts is to allow the cluster administrator to 
> configure a set of parent directories as white list mounting directories.
>  Add a property named yarn.nodemanager.volume-mounts.white-list, when 
> container executor do mount checking, only the allowed directories or 
> sub-directories can be mounted. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to