[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242481#comment-16242481
]
Shane Kumpf commented on YARN-7197:
-----------------------------------
{quote}
Would it be too restrictive to enforce that a whitelist mount must have the
same path in the image as it does in the host? Then we can't have users
swapping out /etc for some custom directory. I looked briefly at the current
whitelist mount support and that appears to be how it works.
{quote}
Unfortunately, I've recently encountered a scenario where this restriction
would have made the use case pretty difficult to get working. The issue goes
back to what I mentioned about systemd and API filesystems. There are valid
cases for mounting the docker socket, such as CI. Due to systemd running in the
container, {{/run}} is mounted as a tmpfs after the docker bind mount is
handled, _hiding_ {{/run/docker.sock}} in the container, so _docker in docker_
use cases that also use systemd as the init process would not be possible
(without modifications to the docker daemon config on the host). If we do
impose that restriction by default, then we'll also need a way to disable it.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch,
> YARN-7197.003.patch, YARN-7197.004.patch, YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whitelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
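As an added example (not code from the YARN patches or from anyone in this thread), the following Python sketch models the two policies being discussed: an admin whitelist of host paths, a default blacklist of paths that should not be bind-mounted, and the optional "same path in the container as on the host" restriction. The whitelist and blacklist contents are constructed for illustration and are not YARN's real defaults; the semantics (a blacklist entry blocks mounting that path or any ancestor of it, while a more specific whitelisted child such as a docker socket stays allowed) are an assumption chosen to match the CI use case described above.

```python
import posixpath

# Constructed sample policy (not YARN's actual defaults).
DEFAULT_BLACKLIST = ["/run", "/etc"]
# Hypothetical admin-configured whitelist of host paths.
WHITELIST = ["/var/lib/jenkins", "/run/docker.sock"]


def _normalize(path):
    """Collapse '.', '..' and duplicate slashes; reject relative paths.

    Normalising first matters: without it, a request for
    /var/lib/jenkins/../../../etc would pass a naive prefix check.
    Symlinks are not resolved here; a host-side validator should also
    apply os.path.realpath before comparing.
    """
    if not path.startswith("/"):
        raise ValueError("mount path must be absolute: %r" % path)
    return posixpath.normpath(path)


def _is_under(path, prefix):
    """True if path equals prefix or lies inside it (/run/docker.sock under /run)."""
    path, prefix = _normalize(path), _normalize(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def validate_mount(host_path, container_path, whitelist=WHITELIST,
                   blacklist=DEFAULT_BLACKLIST, enforce_same_path=False):
    """Decide whether a host->container bind mount request is acceptable.

    Returns (allowed, reason). Checks, in order:
      1. the host path must be one of the whitelisted paths or below one;
      2. the host path must not be, or contain, a blacklisted path
         (mounting / would drag /run and /etc along with it);
      3. optionally, the container path must equal the host path, which
         stops a whitelisted directory from being mounted over /etc.
    """
    host = _normalize(host_path)
    container = _normalize(container_path)

    if not any(_is_under(host, w) for w in whitelist):
        return False, "host path %s is not under any whitelisted mount" % host

    for b in blacklist:
        # The blacklisted entry sits at or below the requested source.
        if _is_under(b, host):
            return False, "host path %s would expose blacklisted path %s" % (host, b)

    if enforce_same_path and host != container:
        return False, "container path %s must match host path %s" % (container, host)

    return True, "ok"


if __name__ == "__main__":
    requests = [
        ("/var/lib/jenkins", "/var/lib/jenkins", False),
        ("/run", "/run", False),                      # blacklisted outright
        ("/", "/host", False),                        # not whitelisted, contains /run
        ("/run/docker.sock", "/run/docker.sock", False),  # whitelisted child of /run
        ("/var/lib/jenkins/../../../etc", "/etc", False),  # traversal normalised away
        ("/var/lib/jenkins", "/etc", True),           # same-path restriction rejects
        ("/var/lib/jenkins", "/etc", False),          # without it, /etc can be replaced
    ]
    for host, container, same in requests:
        ok, why = validate_mount(host, container, enforce_same_path=same)
        print("%-35s -> %-20s %s (%s)" % (host, container, "ALLOW" if ok else "DENY", why))
```

The last two requests show the trade-off raised in the comment: with `enforce_same_path` on, the "mount a custom directory over /etc" case is rejected, but so is any layout where the host and container paths legitimately differ, which is why the thread suggests the restriction needs a way to be disabled.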
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)