[
https://issues.apache.org/jira/browse/YARN-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344052#comment-16344052
]
Miklos Szegedi commented on YARN-7815:
--------------------------------------
Thank you [~jlowe] for the response. I agree with 1. and 2. above. Since 3.
would expose container tokensĀ of other containers to the current container, how
about mounting the app dir as read-write and mounting an empty directory to
containers other than the current one? This is a bit more work (yes, a bit more
hacky...) but it would achieve the accepted level of security with backward
compatibility.
{code:java}
# mkdir app
# mkdir /empty
# mkdir app/container1
# mkdir app/container2
# mkdir app/container3
# docker run -t -i -v /root/app:/app:rw -v /empty:/app/container1:ro -v
/root/app/container2:/app/container2:rw -v /empty:/app/container3:ro -bash
bash-4.4# touch /app/a.txt
bash-4.4# touch /app/container1/a.txt
touch: /app/container1/a.txt: Read-only file system
bash-4.4# touch /app/container2/a.txt
bash-4.4# touch /app/container3/a.txt
touch: /app/container3/a.txt: Read-only file system
# {code}
> Mount the filecache as read-only in Docker containers
> -----------------------------------------------------
>
> Key: YARN-7815
> URL: https://issues.apache.org/jira/browse/YARN-7815
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Shane Kumpf
> Assignee: Shane Kumpf
> Priority: Major
>
> Currently, when using the Docker runtime, the filecache directories are
> mounted read-write into the Docker containers. Read write access is not
> necessary. We should make this more restrictive by changing that mount to
> read-only.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
