[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217638#comment-16217638
]
Eric Yang commented on YARN-7197:
---------------------------------
[~ebadger] Symlink are banned to prevent mistakes. I can lift the symlink
check and trust that system admin will always express physical path correctly
instead of symlink paths in black list. I found myself expressing
/var/run/utmp more often instead of /run/utmp, and double negative could slip
through undetected when symlinks are supported for black list.
I did not separate black list for read-only and read-write to reduce wordy
configurations that could generate security holes. For example, if someone
would like to mount /run as read only, and allow docket.socket to be used
inside container.
Should they specify?
{code}
white-listed-read-only: /run
white-listed-read-write: /run/docker.socket
black-listed-read-only:/run/docker.socket
black-listed-read-write: /run
{code}
Or?
{code}
white-listed-read-only: /run
white-listed-read-write: /run/docker.socket
black-listed-read-only:/run/docker.socket
{code}
Ideally, user should be able to specify the minimum to get the system to work:
{code}
white-listed-read-only: /run
white-listed-read-write: /run/docker.socket
{code}
or
{code}
white-listed-read-only: /run
black-listed-read-only: /run/docker.socket
{code}
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whilelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
