[https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323121#comment-16323121]
Eric Badger commented on YARN-7516:
-----------------------------------
{noformat:title=host}
-bash-4.2$ ls /dev | column -c 160
autofs          md3                sdc1     tty10 tty4  ttyS2
block           md4                sdc2     tty11 tty40 ttyS3
bsg             mem                sdd      tty12 tty41 uhid
btrfs-control   mqueue             sdd1     tty13 tty42 uinput
bus             net                sdd2     tty14 tty43 urandom
char            network_latency    sde      tty15 tty44 usbmon0
console         network_throughput sde1     tty16 tty45 usbmon1
core            null               sde2     tty17 tty46 usbmon2
cpu             nvram              sdf      tty18 tty47 usbmon3
cpu_dma_latency oldmem             sdf1     tty19 tty48 usbmon4
crash           port               sdf2     tty2  tty49 vcs
disk            ppp                sdg      tty20 tty5  vcs1
dri             ptmx               sdg1     tty21 tty50 vcs2
fb0             ptp0               sdh      tty22 tty51 vcs3
fd              pts                sdh1     tty23 tty52 vcs4
full            random             sg0      tty24 tty53 vcs5
fuse            raw                sg1      tty25 tty54 vcs6
hpet            rtc                sg2      tty26 tty55 vcsa
hugepages       rtc0               sg3      tty27 tty56 vcsa1
hwrng           sda                sg4      tty28 tty57 vcsa2
initctl         sda1               sg5      tty29 tty58 vcsa3
input           sda2               sg6      tty3  tty59 vcsa4
ipmi0           sda3               sg7      tty30 tty6  vcsa5
kmsg            sda4               shm      tty31 tty60 vcsa6
kvm             sda5               snapshot tty32 tty61 vfio
log             sdb                snd      tty33 tty62 vga_arbiter
loop-control    sdb1               stderr   tty34 tty63 vhci
mapper          sdb2               stdin    tty35 tty7  vhost-net
mcelog          sdb3               stdout   tty36 tty8  zero
md0             sdb4               tty      tty37 tty9
md1             sdb5               tty0     tty38 ttyS0
md2             sdc                tty1     tty39 ttyS1
{noformat}
bq. Are you able to run mount command to attach your host disk partition to the container image?
Yes, I am able to mount disks on the host inside of the container and access their contents.
> Security check for untrusted docker image
> -----------------------------------------
>
> Key: YARN-7516
> URL: https://issues.apache.org/jira/browse/YARN-7516
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Attachments: YARN-7516.001.patch, YARN-7516.002.patch,
> YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch,
> YARN-7516.006.patch, YARN-7516.007.patch
>
>
> Hadoop YARN Services can support using a private docker registry image or a
> docker image from docker hub. In the current implementation, Hadoop security
> is enforced through username and group membership, and enforces uid:gid
> consistency in the docker container and distributed file system. There is a
> cloud use case for having the ability to run untrusted docker images on the
> same cluster for testing.
> The basic requirement for an untrusted container is to ensure all kernel and
> root privileges are dropped, and there is no interaction with the distributed
> file system to avoid contamination. We can probably enforce detection of an
> untrusted docker image by checking the following:
> # If the docker image is from a public docker hub repository, the container
> is automatically flagged as insecure, disk volume mounts are disabled
> automatically, and all kernel capabilities are dropped.
> # If the docker image is from a private repository in docker hub, and there
> is a white list that allows the private repository, disk volume mounts are
> allowed and kernel capabilities follow the allowed list.
> # If the docker image is from a private trusted registry, with an image name
> like "private.registry.local:5000/centos", and the white list allows this
> private trusted repository, disk volume mounts are allowed and kernel
> capabilities follow the allowed list.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
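A worked illustration of the three checks in the issue description, as an added example that is not YARN's own code: the allowlist entry format, the function names and the ContainerPolicy fields are assumptions, and the image-reference parsing follows Docker's rule for deciding whether the first path component names a registry.

```python
# Added example, not YARN's own code: allowlist format, function names and
# ContainerPolicy fields are assumptions illustrating the three checks above.
from dataclasses import dataclass

DOCKER_HUB = "docker.io"  # implicit registry for unqualified image names

@dataclass(frozen=True)
class ContainerPolicy:
    trusted: bool
    volume_mounts_allowed: bool
    capabilities: tuple  # empty tuple means "drop all kernel capabilities"

def parse_image_reference(image):
    """Return (registry, repository). Docker's rule: the first path component
    is a registry only if it contains '.' or ':' or is 'localhost'; otherwise
    the image is on Docker Hub, where a bare 'centos' means 'library/centos'."""
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = DOCKER_HUB, image
    if registry == DOCKER_HUB and "/" not in repo:
        repo = "library/" + repo
    repo = repo.split("@", 1)[0]  # strip a digest
    repo = repo.split(":", 1)[0]  # strip a tag (the registry port is already gone)
    return registry, repo

def classify_image(image, trusted_prefixes, allowed_caps):
    """Trusted only if 'registry/repository' starts with an allowlisted private
    registry ('private.registry.local:5000', check 3) or private Hub namespace
    ('docker.io/acme', check 2). A bare 'docker.io' entry is ignored, so public
    Hub images are always untrusted (check 1): no mounts, all capabilities dropped."""
    registry, repo = parse_image_reference(image)
    full = f"{registry}/{repo}"
    for prefix in trusted_prefixes:
        prefix = prefix.rstrip("/")
        if prefix != DOCKER_HUB and (full == prefix or full.startswith(prefix + "/")):
            return ContainerPolicy(True, True, tuple(allowed_caps))
    return ContainerPolicy(False, False, ())

def docker_security_args(policy, requested_mounts):
    """docker run arguments for the policy: drop every capability, re-add only
    the allowed ones, and discard job-requested volume mounts when untrusted."""
    args = ["--cap-drop=ALL"] + [f"--cap-add={c}" for c in policy.capabilities]
    if policy.volume_mounts_allowed:
        for mount in requested_mounts:
            args += ["-v", mount]
    return args
```

The prefix match is anchored at the registry, so an image on another host whose path merely contains the trusted registry's name does not match.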