[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242631#comment-16242631
]
Eric Yang commented on YARN-7197:
---------------------------------
[[email protected]]
{quote}
I'm aware of the differences between mounting the socket and true "docker in
docker" as well as the impact of privileged containers. My point was that not
allowing arbitrary destination paths within the container for mounts makes some
use cases more difficult than needed. HBase running in a container that expects
to find /etc/hbase/conf/hbase-site.xml and we want to mount that file from the
distributed cache, if you'd prefer.
{quote}
System configuration is safer than the user's own configuration because the
system administrator is the only one who optimized the properties for the
target hardware. The user's configuration as a superset of configuration is a
nice-to-have feature for developers who know their data well. I don't object
to having both. I am not in favor of creating many bind-mount paths for
blacklisted items when the user did not ask for them. There are too many
downsides to creating obstructions inside the container in the name of security.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch,
> YARN-7197.003.patch, YARN-7197.004.patch, YARN-7197.005.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whitelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
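
An added example, not part of the original message or of the YARN-7197 patches: one way to validate a requested bind-mount source against an admin whitelist and a default blacklist, as the issue description proposes. The function names and the sample lists are assumptions made for illustration; only /run comes from the issue text.

```python
import posixpath

# Constructed sample policy: only /run is named in the issue description.
DEFAULT_BLACKLIST = ("/run",)

def lexical(path):
    """Collapse '.', '..' and repeated slashes without touching the filesystem."""
    return "/" + posixpath.normpath(path).lstrip("/")

def is_within(path, root):
    """True if path equals root or lies beneath it, compared by whole components."""
    return root == "/" or path == root or path.startswith(root + "/")

def check_mount(source, whitelist, blacklist=DEFAULT_BLACKLIST, resolve=lexical):
    """Return (allowed, reason) for a requested host source path.

    resolve defaults to a lexical normaliser so the example runs anywhere;
    on a real host pass os.path.realpath so symlinks are resolved as well.
    """
    if not source.startswith("/"):
        return False, "source must be an absolute path"
    src = resolve(source)
    # The blacklist is checked first so it overrides an over-broad whitelist.
    for entry in blacklist:
        blocked = resolve(entry)
        if is_within(src, blocked):
            return False, f"{src} is inside blacklisted {blocked}"
        if is_within(blocked, src):
            # Mounting a parent directory exposes the blacklisted path too.
            return False, f"{src} contains blacklisted {blocked}"
    if not any(is_within(src, resolve(w)) for w in whitelist):
        return False, f"{src} is not under any whitelisted path"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed requests against a deliberately over-broad whitelist.
    for requested in ("/run", "/", "/mnt/../run/systemd", "/runner/data"):
        print(requested, check_mount(requested, whitelist=("/",)))
```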