[ https://issues.apache.org/jira/browse/YARN-5534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16255612#comment-16255612 ]

Eric Badger commented on YARN-5534:
-----------------------------------

Arbitrary docker images will need to be handled separately from what we 
consider to be "trusted" images more than just in the whitelisted volumes 
regard. These containers shouldn't be bind-mounting anything IMO and should be 
running without any capabilities. Even at that point, I'm not sure I'm 
comfortable allowing untrusted images to run containers on the node, since the 
container will be running as root. This, of course, is unless we can figure out 
how to leverage user namespace remapping from Docker. 
https://docs.docker.com/engine/security/userns-remap/

Bottom line, if we are going to allow support for arbitrary images, I think we 
should open up a separate JIRA and create a complete plan over there with how 
we can utilize the current state of docker support while also creating a secure 
environment for these images to run.

> Allow whitelisted volume mounts 
> --------------------------------
>
>                 Key: YARN-5534
>                 URL: https://issues.apache.org/jira/browse/YARN-5534
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: luhuichun
>            Assignee: Shane Kumpf
>         Attachments: YARN-5534.001.patch, YARN-5534.002.patch, 
> YARN-5534.003.patch
>
>
> 1. Introduction
> Mounting files or directories from the host is one way of passing 
> configuration and other information into a docker container. 
> We could allow the user to set a list of mounts in the environment of 
> ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2). 
> These would be mounted read-only to the specified target locations. This has 
> been resolved in YARN-4595.
> 2. Problem Definition
> But mounting arbitrary volumes into a Docker container can be a security risk.
> 3. Possible solutions
> One approach to provide safe mounts is to allow the cluster administrator to 
> configure a set of parent directories as white list mounting directories.
> Add a property named yarn.nodemanager.volume-mounts.white-list. When the 
> container executor does mount checking, only the allowed directories or 
> sub-directories can be mounted. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
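
The "allowed directories or sub-directories" check from the issue description, as an added example in C; it is not code from the YARN-5534 patches or from Hadoop's container-executor. It resolves the requested host path with realpath() before comparing, so a symlink, a ".." segment, or a sibling directory that merely shares the prefix is rejected; the function names and the sandbox layout under /tmp are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `src` resolves to a whitelisted directory or a path beneath one. */
int mount_allowed(const char *src, const char *const *allow, size_t n) {
    char real_src[PATH_MAX], real_dir[PATH_MAX];
    if (realpath(src, real_src) == NULL)      /* resolves symlinks and ".." */
        return 0;                             /* unresolvable source: deny */
    for (size_t i = 0; i < n; i++) {
        if (realpath(allow[i], real_dir) == NULL)
            continue;                         /* stale whitelist entry: ignore */
        size_t len = strlen(real_dir);
        if (strcmp(real_dir, "/") == 0) return 1;   /* "/" covers every path */
        if (strncmp(real_src, real_dir, len) == 0 &&
            (real_src[len] == '\0' || real_src[len] == '/'))  /* component boundary */
            return 1;
    }
    return 0;
}

/* Builds a constructed sandbox (left in /tmp) and returns a bitmask of verdicts. */
int run_constructed_cases(void) {
    char base[] = "/tmp/mountwl.XXXXXX", dir[PATH_MAX], p[PATH_MAX];
    const char *cases[] = { "allowed/sub", "allowed", "allowed-evil",
                            "allowed/link", "allowed/../allowed-evil" };
    if (mkdtemp(base) == NULL || chdir(base) != 0) return -1;
    mkdir("allowed", 0700); mkdir("allowed/sub", 0700); mkdir("allowed-evil", 0700);
    if (symlink("../allowed-evil", "allowed/link") != 0) return -1;
    snprintf(dir, sizeof dir, "%s/allowed", base);
    const char *allow[] = { dir };            /* the only whitelisted parent */
    int mask = 0;
    for (int i = 0; i < 5; i++) {
        snprintf(p, sizeof p, "%s/%s", base, cases[i]);
        if (mount_allowed(p, allow, 1)) mask |= 1 << i;   /* bit i = cases[i] permitted */
    }
    return mask;
}

int main(void) {
    printf("verdict mask: 0x%x\n", run_constructed_cases());
    return 0;
}
```

A check like this only holds if the path handed to the mount is the resolved one (real_src), not the original string, so that it cannot be re-pointed between the check and the mount.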
