[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226626#comment-16226626
]
Shane Kumpf commented on YARN-7197:
-----------------------------------
My initial thought was that the empty directory bind mounted (Solution 3) would
work nicely to achieve this goal, but I believe that could be problematic as
well. A bulk of the top level directories being discussed as blacklist
candidates are "API filesystems", for example /run. While containers != VMs,
containers will be used similarly and as a result will run systemd. Systemd
manages "API Filesystems" if they don't exist. However, in the case of an empty
/run bind mount, systemd will not create the tmpfs /run, which can lead to
broken behavior for units leveraging tmpfiles. This is one case I'm aware of,
but I would not be surprised to find other issues on non-systemd systems. Given
the discussions on how the proposed solutions may surprise users and doesn't
necessarily prevent attack, I'm starting to believe documentation about the
dangers of white listing top-level mounts might be most appropriate, as Jason
mentioned earlier.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whilelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
