[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241257#comment-16241257
]
Eric Yang edited comment on YARN-7197 at 11/7/17 12:54 AM:
-----------------------------------------------------------
{quote}
{code}
docker run -it -v /etc:/home/test/etc --mount
'type=bind,source=/var/empty/sshd,target=/home/test/etc/shadow,readonly'
centos:latest bash
{code}
{quote}
This case will fail unless developers change their rules to be more specific about
which sub-directory they would like to mount. They can refine their
configuration to:
{code}
docker run -v /etc/hadoop/conf:/home/test/conf/hadoop centos:latest bash
{code}
This results in:
{code}
docker run -it -v /etc/hadoop/conf:/home/test/conf/hadoop centos:latest bash
{code}
The blacklist doesn't get included because the path diverged.
If I make empty files and sockets and mount those, it seems a bit overkill,
and harder to secure because the yarn user isn't root. There might be some
limitation in making a file with the same ownership in the yarn working directory map to the
container. Therefore, we fail fast and let developers and system admins resolve
this on their own. Is this a fair compromise?
was (Author: eyang):
{quote}
{code}
docker run -it -v /etc:/home/test/etc --mount
'type=bind,source=/var/empty/sshd,target=/home/test/etc/shadow,readonly'
centos:latest bash
{code}
{quote}
This case will fail unless developers change their rules to be more specific about
which sub-directory they would like to mount. If I make empty files and sockets
and mount those, it seems a bit overkill, and harder to secure because the yarn
user isn't root. There might be some limitation in making a file with the same ownership
in the yarn working directory map to the container. Therefore, we fail fast
and let developers and system admins resolve this on their own. Is this a fair
compromise?
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch,
> YARN-7197.003.patch, YARN-7197.004.patch, YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whitelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
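The path-containment rule Eric Yang's comment relies on, written out as an added Python example (this is not code from the YARN patches attached to this issue): a request to mount /etc is refused because the blacklisted /etc/shadow sits beneath it, /run/systemd is refused because it sits inside the blacklisted /run, and /etc/hadoop/conf is accepted because the paths diverge. The whitelist and blacklist values, the `-v src:dst[:ro]` parser and the function names are constructed for illustration; the whitelist is deliberately over-broad to mirror the misconfiguration the issue description warns about.

```python
import os
from typing import Iterable, List, Tuple

# Constructed sample policy (assumption: not YARN's real configuration keys or
# values). Admins whitelist host directories users may bind-mount; the blacklist
# names host paths that must never reach a container, directly or via a parent.
# The whitelist is intentionally too broad ("/etc", "/run") to show the
# blacklist catching what the whitelist alone would let through.
WHITELIST = ["/etc", "/run", "/var/lib/hadoop-yarn/local"]
BLACKLIST = ["/etc/shadow", "/etc/passwd", "/run", "/var/run/docker.sock"]


def normalize(path: str) -> str:
    """Collapse '.', '..', trailing and duplicate slashes so prefix checks are lexical.

    os.path.normpath does not resolve symlinks; an enforcer running on the host
    should also apply os.path.realpath to the source before comparing.
    """
    if not os.path.isabs(path):
        raise ValueError(f"mount source must be absolute: {path!r}")
    return os.path.normpath(path)


def is_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies underneath it (both already normalized)."""
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def overlaps(path: str, other: str) -> bool:
    """Two paths overlap if either is an ancestor of, or equal to, the other.

    Mounting /etc drags /etc/shadow along with it; mounting /run/systemd sits
    inside a blacklisted /run. Both directions have to be rejected.
    """
    return is_within(path, other) or is_within(other, path)


def parse_volume(spec: str) -> Tuple[str, str, bool]:
    """Parse a docker -v 'src:dst[:ro|rw]' argument into (src, dst, readonly)."""
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad volume spec: {spec!r}")
    readonly = len(parts) == 3 and parts[2] == "ro"
    return normalize(parts[0]), parts[1], readonly


def check_mount(spec: str, whitelist=WHITELIST, blacklist=BLACKLIST) -> str:
    """Return a reason string if the mount must be rejected, else an empty string.

    Only the host-side source path matters: where it lands inside the
    container does not change what the container can read.
    """
    src, _dst, _readonly = parse_volume(spec)
    allowed = [normalize(p) for p in whitelist]
    denied = [normalize(p) for p in blacklist]
    if not any(is_within(src, w) for w in allowed):
        return f"{src} is not under any whitelisted directory"
    for b in denied:
        if overlaps(src, b):
            return f"{src} overlaps blacklisted path {b}"
    return ""


def validate_mounts(specs: Iterable[str]) -> List[str]:
    """Fail fast: raise on the first offending mount, else return the accepted sources."""
    accepted = []
    for spec in specs:
        reason = check_mount(spec)
        if reason:
            raise PermissionError(f"refusing container launch: {reason}")
        accepted.append(parse_volume(spec)[0])
    return accepted


if __name__ == "__main__":
    for spec in ["/etc:/home/test/etc",
                 "/etc/hadoop/conf:/home/test/conf/hadoop",
                 "/etc/hadoop/../shadow:/home/test/shadow:ro",
                 "/run/systemd:/run/systemd"]:
        verdict = check_mount(spec)
        print(f"{spec:45s} -> {'rejected: ' + verdict if verdict else 'allowed'}")
```

The check deliberately compares normalized host paths rather than the literal `-v` string, so `/etc/hadoop/../shadow` is treated as `/etc/shadow`; on a real host the source should additionally be passed through `os.path.realpath` so a symlink under a whitelisted directory cannot point back at a blacklisted one.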
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)