[ 
https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16399493#comment-16399493
 ] 

Eric Badger commented on YARN-7221:
-----------------------------------

Hi [~eyang], I just tried out patch 006. I'm getting some weird behavior. I run 
a job as my user "ebadger" with privileges and it succeeds. The containers are 
all run as privileged containers and are entered with the user root. However, 
immediately after running the container, I run {{sudo -U ebadger -n -l docker}} 
and it says {{sudo: a password is required}}. This doesn't seem consistent 
since I'm doing the exact same sudo check that the container-executor is doing. 

{noformat}
[ebadger@foobar ~]$ export vars="YARN_CONTAINER_RUNTIME_DOCKER_RUN_PRIVILEGED_CONTAINER=true,YARN_CONTAINER_RUNTIME_TYPE=docker,YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=foo/rhel7"; $HADOOP_PREFIX/bin/hadoop jar $HADOOP_PREFIX/share/hadoop/mapreduce/hadoop-mapreduce-examples-*.jar pi -Dyarn.app.mapreduce.am.env=$vars -Dmapreduce.map.env=$vars -Dmapreduce.reduce.env=$vars 10 100
WARNING: HADOOP_PREFIX has been replaced by HADOOP_HOME. Using value of HADOOP_PREFIX.
Number of Maps  = 10
Samples per Map = 100
Wrote input for Map #0
Wrote input for Map #1
Wrote input for Map #2
Wrote input for Map #3
Wrote input for Map #4
Wrote input for Map #5
Wrote input for Map #6
Wrote input for Map #7
Wrote input for Map #8
Wrote input for Map #9
Starting Job
2018-03-14 21:43:59,007 INFO  [main] client.RMProxy (RMProxy.java:newProxyInstance(133)) - Connecting to ResourceManager at /127.0.0.1:8040
2018-03-14 21:43:59,278 INFO  [main] client.AHSProxy (AHSProxy.java:createAHSProxy(42)) - Connecting to Application History server at /127.0.0.1:10200
2018-03-14 21:43:59,335 INFO  [main] mapreduce.JobSubmissionFiles (JobSubmissionFiles.java:getStagingDir(156)) - Permissions on staging directory /tmp/hadoop-yarn/staging/ebadger/.staging are incorrect: rwxrwxrwx. Fixing permissions to correct value rwx------
2018-03-14 21:43:59,465 INFO  [main] mapreduce.JobResourceUploader (JobResourceUploader.java:disableErasureCodingForPath(883)) - Disabling Erasure Coding for path: /tmp/hadoop-yarn/staging/ebadger/.staging/job_1521043593738_0007
2018-03-14 21:43:59,643 INFO  [main] input.FileInputFormat (FileInputFormat.java:listStatus(290)) - Total input files to process : 10
2018-03-14 21:43:59,698 INFO  [main] mapreduce.JobSubmitter (JobSubmitter.java:submitJobInternal(205)) - number of splits:10
2018-03-14 21:43:59,756 INFO  [main] Configuration.deprecation (Configuration.java:logDeprecation(1391)) - yarn.resourcemanager.system-metrics-publisher.enabled is deprecated. Instead, use yarn.system-metrics-publisher.enabled
2018-03-14 21:43:59,904 INFO  [main] mapreduce.JobSubmitter (JobSubmitter.java:printTokens(301)) - Submitting tokens for job: job_1521043593738_0007
2018-03-14 21:43:59,907 INFO  [main] mapreduce.JobSubmitter (JobSubmitter.java:printTokens(302)) - Executing with tokens: []
2018-03-14 21:44:00,186 INFO  [main] conf.Configuration (Configuration.java:getConfResourceAsInputStream(2749)) - resource-types.xml not found
2018-03-14 21:44:00,187 INFO  [main] resource.ResourceUtils (ResourceUtils.java:addResourcesFileToConf(418)) - Unable to find 'resource-types.xml'.
2018-03-14 21:44:00,640 INFO  [main] impl.YarnClientImpl (YarnClientImpl.java:submitApplication(306)) - Submitted application application_1521043593738_0007
2018-03-14 21:44:00,769 INFO  [main] mapreduce.Job (Job.java:submit(1574)) - The url to track the job: http://foo.bar.com:8088/proxy/application_1521043593738_0007/
2018-03-14 21:44:00,775 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1619)) - Running job: job_1521043593738_0007
2018-03-14 21:44:15,054 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1640)) - Job job_1521043593738_0007 running in uber mode : false
2018-03-14 21:44:15,056 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 0% reduce 0%
2018-03-14 21:44:27,209 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 30% reduce 0%
2018-03-14 21:44:46,435 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 40% reduce 0%
2018-03-14 21:44:48,452 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 60% reduce 0%
2018-03-14 21:45:12,849 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 80% reduce 0%
2018-03-14 21:45:21,940 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 80% reduce 27%
2018-03-14 21:45:26,979 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 100% reduce 27%
2018-03-14 21:45:27,988 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 100% reduce 30%
2018-03-14 21:45:28,999 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1647)) -  map 100% reduce 100%
2018-03-14 21:45:29,020 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1658)) - Job job_1521043593738_0007 completed successfully
2018-03-14 21:45:29,208 INFO  [main] mapreduce.Job (Job.java:monitorAndPrintJob(1665)) - Counters: 53
        File System Counters
                FILE: Number of bytes read=226
                FILE: Number of bytes written=2473922
                FILE: Number of read operations=0
                FILE: Number of large read operations=0
                FILE: Number of write operations=0
                HDFS: Number of bytes read=2670
                HDFS: Number of bytes written=215
                HDFS: Number of read operations=45
                HDFS: Number of large read operations=0
                HDFS: Number of write operations=3
        Job Counters
                Launched map tasks=10
                Launched reduce tasks=1
                Data-local map tasks=10
                Total time spent by all maps in occupied slots (ms)=211822
                Total time spent by all reduces in occupied slots (ms)=75000
                Total time spent by all map tasks (ms)=105911
                Total time spent by all reduce tasks (ms)=37500
                Total vcore-milliseconds taken by all map tasks=105911
                Total vcore-milliseconds taken by all reduce tasks=37500
                Total megabyte-milliseconds taken by all map tasks=216905728
                Total megabyte-milliseconds taken by all reduce tasks=76800000
        Map-Reduce Framework
                Map input records=10
                Map output records=20
                Map output bytes=180
                Map output materialized bytes=280
                Input split bytes=1490
                Combine input records=0
                Combine output records=0
                Reduce input groups=2
                Reduce shuffle bytes=280
                Reduce input records=20
                Reduce output records=0
                Spilled Records=40
                Shuffled Maps =10
                Failed Shuffles=0
                Merged Map outputs=10
                GC time elapsed (ms)=2262
                CPU time spent (ms)=11300
                Physical memory (bytes) snapshot=3245035520
                Virtual memory (bytes) snapshot=36229881856
                Total committed heap usage (bytes)=2859466752
                Peak Map Physical memory (bytes)=317394944
                Peak Map Virtual memory (bytes)=3304771584
                Peak Reduce Physical memory (bytes)=192380928
                Peak Reduce Virtual memory (bytes)=3289198592
        Shuffle Errors
                BAD_ID=0
                CONNECTION=0
                IO_ERROR=0
                WRONG_LENGTH=0
                WRONG_MAP=0
                WRONG_REDUCE=0
        File Input Format Counters
                Bytes Read=1180
        File Output Format Counters
                Bytes Written=97
Job Finished in 90.353 seconds
Estimated value of Pi is 3.14800000000000000000
[ebadger@foobar ~]$ sudo -U ebadger -n -l docker
sudo: a password is required
{noformat}

> Add security check for privileged docker container
> --------------------------------------------------
>
>                 Key: YARN-7221
>                 URL: https://issues.apache.org/jira/browse/YARN-7221
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0, 3.1.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7221.001.patch, YARN-7221.002.patch, 
> YARN-7221.003.patch, YARN-7221.004.patch, YARN-7221.005.patch, 
> YARN-7221.006.patch
>
>
> When a docker is running with privileges, the majority of the use cases are 
> to have some program running with root, then drop privileges to another user, 
> i.e. httpd starts privileged and binds to port 80, then drops privileges to 
> the www user.  
> # We should add a security check for submitting users, to verify they have 
> "sudo" access to run privileged containers.  
> # We should remove --user=uid:gid for privileged containers.  
>  
> Docker can be launched with the --privileged=true and --user=uid:gid flags.  
> With this parameter combination, the user will not have access to become the 
> root user.  All docker exec commands will drop to the uid:gid user to run 
> instead of granting privileges.  The user can gain root privileges if the 
> container file system contains files that give the user extra power, but this 
> type of image is considered dangerous.  A non-privileged user can launch a 
> container with special bits to acquire the same level of root power.  Hence, 
> we lose control of which image should be run with --privileges, and who has 
> sudo rights to use privileged container images.  As a result, we should check 
> for sudo access, then decide to parameterize --privileged=true OR 
> --user=uid:gid.  This will avoid leading developers down the wrong path.
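
The decision described in the issue (check sudo access, then pass either --privileged=true or --user=uid:gid, never both), sketched as an added shell example that is not part of the original message or of any YARN-7221 patch. The function names and the SUDO_BIN hook are hypothetical, and falling back to --user=uid:gid when the sudo check fails is an assumed reading of "check for sudo access then decide".

```shell
#!/bin/sh
# Added illustration, not container-executor code.
# SUDO_BIN is a hypothetical hook so the check can be stubbed when testing.
SUDO_BIN="${SUDO_BIN:-sudo}"

# Succeeds only if sudo confirms, without prompting, that user $1 may run
# docker. This is the same check quoted in the comment above:
#   sudo -U <user> -n -l docker
# -n makes sudo fail instead of asking for a password, so any non-zero
# exit is treated as "not allowed" (fail closed).
can_run_privileged() {
    # Refuse empty names, names that would parse as options, and
    # anything outside a conservative character set.
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    "$SUDO_BIN" -U "$1" -n -l docker >/dev/null 2>&1
}

# Usage: docker_user_flags <user> <privileged-requested> <uid> <gid>
# Prints exactly one of the two mutually exclusive docker run flags.
docker_user_flags() {
    # uid and gid must be plain decimal numbers.
    for id in "$3" "$4"; do
        case "$id" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    if [ "$2" = "true" ] && can_run_privileged "$1"; then
        # Privileged run: --user is deliberately omitted so the container
        # process can start as root and drop privileges itself.
        printf '%s\n' "--privileged=true"
    else
        # Not requested, or sudo access not confirmed: run as the
        # submitting user and never add --privileged.
        printf '%s\n' "--user=$3:$4"
    fi
}
```

A launcher that prefers to reject the request rather than downgrade it can return non-zero from the else branch when privileged mode was requested.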


