[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242583#comment-16242583
]
Eric Yang commented on YARN-7197:
---------------------------------
[[email protected]]
{quote}
Unfortunately, I've recently encountered a scenario where this restriction
would have made the use case pretty difficult to get working. The issue goes
back to what I mentioned about systemd and API filesystems. There are valid
cases for mounting the docker socket, such as CI. Due to systemd running in the
container, /run is mounted as a tmpfs after the docker bind mount is handled,
hiding /run/docker.sock in the container, so docker in docker use cases that
also use systemd as the init process would not be possible (without
modifications to the docker daemon config on the host). If we do impose that
restriction by default, then we'll also need a way to disable it.
{quote}
There are a lot of painful lessons in running docker in docker. There is a good
blog about
[this|https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/].
I had almost exactly the same experience with the drawbacks.
We can run docker in parallel, which allows a privileged container to mount
/run/docker.sock to spawn docker at the top-level docker image. If a normal user
mounts /run/docker.sock into a non-privileged container, they should not have
access to control /run/docker.sock. Today, they may have access to
/run/docker.sock due to a bug for not passing in the primary group, which allows a
non-privileged user to become the root group (YARN-7430). However, this
implementation will not safeguard against docker instances spawned from inside
the container. It is possible to lose track of containers spawned by
containers. Hence, be very careful about who you hand the keys over to spawn
privileged containers.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch,
> YARN-7197.003.patch, YARN-7197.004.patch, YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whitelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
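The kind of check the issue describes, as an added example that is not part of this JIRA thread and not YARN's own container-executor code: it validates requested bind-mount specs against a default blacklist of host paths. The blacklist values (/run, /var/run/docker.sock) and the `host:container[:mode]` spec format are assumptions for the example. The point the quoted discussion raises is handled here too: a mount is rejected not only when its host path is itself blacklisted, but also when it is a parent of a blacklisted path (mounting /run or / would expose docker.sock), and `..` segments are collapsed before comparison.

```python
"""Illustrative bind-mount blacklist check (example code, not YARN's implementation)."""
import os
from typing import Iterable, List, Optional, Tuple

# Constructed default blacklist (assumed values): host paths that must never be
# reachable from a container, directly or through a parent directory mount.
DEFAULT_BLACKLIST = (
    "/run",                  # systemd runtime dir; a container's systemd mounting over it can cripple the host
    "/var/run/docker.sock",  # docker control socket: access to it is equivalent to root on the host
)


def _normalize(path: str) -> str:
    """Collapse '..', '.', and repeated separators so '/run/../run/docker.sock' compares as '/run/docker.sock'.

    A production check should additionally resolve symlinks on the host
    (e.g. /var/run -> /run) with os.path.realpath; that is skipped here so the
    example runs offline with the same result on any machine.
    """
    # os.path.normpath keeps a leading '//' on POSIX, so strip and re-add the root.
    return "/" + os.path.normpath(path).lstrip("/")


def _is_same_or_under(path: str, ancestor: str) -> bool:
    """True if path equals ancestor or lies inside it ('/runtime' is NOT under '/run')."""
    if ancestor == "/":
        return True
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")


def check_mount(spec: str, blacklist: Iterable[str] = DEFAULT_BLACKLIST) -> Optional[str]:
    """Return a rejection reason for one 'host:container[:mode]' spec, or None if it is allowed."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        return f"malformed mount spec {spec!r}: expected absolute host path"
    host = _normalize(parts[0])
    for bad in (_normalize(b) for b in blacklist):
        if _is_same_or_under(host, bad):
            return f"{host} is blacklisted ({bad})"
        if _is_same_or_under(bad, host):
            # Mounting a parent directory would expose the blacklisted path inside it.
            return f"{host} would expose blacklisted path {bad}"
    return None


def filter_mounts(specs: Iterable[str],
                  blacklist: Iterable[str] = DEFAULT_BLACKLIST) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split requested mounts into (allowed, rejected); rejected carries (spec, reason) pairs."""
    allowed: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for spec in specs:
        reason = check_mount(spec, blacklist)
        if reason:
            rejected.append((spec, reason))
        else:
            allowed.append(spec)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample of mounts a job might request.
    requested = [
        "/data/input:/input:ro",
        "/run/docker.sock:/run/docker.sock:rw",
        "/run/../run/docker.sock:/sock",
        "/:/host:ro",
        "/runtime:/rt",
    ]
    ok, bad = filter_mounts(requested)
    print("allowed:", ok)
    for spec, why in bad:
        print("rejected:", spec, "->", why)
```

The parent-directory check is the part most often missed: a blacklist that only matches exact paths is bypassed by mounting /, /var, or /var/run. The deliberate counter-example /runtime shows why the comparison must be on whole path components rather than a raw string prefix.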
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)