[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218724#comment-16218724
]
Shane Kumpf commented on YARN-7197:
-----------------------------------
The way I saw this being useful was less about security/blocking access and
more about making an admin consider the consequences before allowing mounts
that are very likely to negatively impact the host; e.g. /run or /etc. It's a
way for the contributors to say "you'll probably shoot yourself in the foot if
you allow this mount, we don't recommend you do, but if you really want to
change the blacklist, you're the admin and can do what you want." While mounts
in here won't apply to all container types/use cases, it would force the admin
to pause and, hopefully, figure out why that mount is in the blacklist. For
example, if you mount /run r/w in a container running systemd, and the host is
also running systemd, there is a very good chance you can no longer log in to
the host system until a reboot happens. Let's hope I didn't just ask for 100k
of these containers and kill my whole cluster.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whitelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
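An added example, not part of the original message or of the YARN-7197 patches: a sketch of checking a requested bind-mount source against a default blacklist before an admin whitelist is consulted. The function names, the whitelist semantics and the rule that the blacklist wins over the whitelist are assumptions; only /run and /etc are taken from the comment above.

```python
import posixpath

# Assumed defaults: /run and /etc are the only paths named in the discussion.
DEFAULT_BLACKLIST = ("/run", "/etc")


def _norm(path):
    """Lexically normalise an absolute host path without touching the filesystem."""
    if not path.startswith("/"):
        raise ValueError(f"host path must be absolute: {path!r}")
    # Collapse '.', '..' and repeated slashes (normpath alone keeps a leading '//').
    return posixpath.normpath("/" + path.lstrip("/"))


def _within(path, root):
    """True if path equals root or lies beneath it (component-wise, not by prefix)."""
    return root == "/" or path == root or path.startswith(root + "/")


def check_mount(host_path, whitelist, blacklist=DEFAULT_BLACKLIST):
    """Return (allowed, reason) for a requested bind-mount source path."""
    src = _norm(host_path)
    for entry in map(_norm, blacklist):
        # Deny the entry, anything below it, and any parent that would expose it
        # (mounting '/' also hands the container /run and /etc).
        if _within(src, entry) or _within(entry, src):
            return False, f"blacklisted: overlaps {entry}"
    for entry in map(_norm, whitelist):
        if _within(src, entry):
            return True, f"whitelisted under {entry}"
    return False, "not in whitelist"


# Limitation: this comparison is lexical only. A real check must resolve
# symlinks on the host before comparing, since a link inside a whitelisted
# directory can point at a blacklisted one.

if __name__ == "__main__":
    for p in ("/run", "/data/../run/systemd", "/", "/data/job1", "/runner"):
        print(p, check_mount(p, whitelist=["/", "/data"]))
```

An admin who accepts the risk removes the entry explicitly, for example `check_mount("/run/user", ["/run"], blacklist=("/etc",))`, which is the deliberate step the comment argues for.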