[
https://issues.apache.org/jira/browse/YARN-8986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16689675#comment-16689675
]
Eric Yang commented on YARN-8986:
---------------------------------
[~Charo Zhang] {quote}1, network name is only allowed by
yarn.nodemanager.runtime.linux.docker.allowed-container-networks configuration,
so I think "null >/dev/null && rm -rf *" cannot be passed to the command.{quote}
What you said is true most of the time. There is a chance that the YARN user
can be compromised and a bot has figured out a path in the node manager to
write a .cmd file and run container-executor. When this happens the network
name is no longer checked, and this path could be abused. Another side effect
of grep is that the matching is imprecise: consider that the allowed network is
bridge and there is another network called bridges. The second one will be
matched in the generated output, which is not what we want.
{quote}
2, Another reason, I didn't find a better way to get the network type except a
command with a pipe.
{quote}
The command can be changed to:
{code}
docker network ls --format "{{.Name}}" --filter driver=bridge
{code}
This will produce the network names which are using the bridge driver. This
avoids using grep and awk in the popen command, which reduces the risk.
> publish all exposed ports to random ports when using bridge network
> -------------------------------------------------------------------
>
> Key: YARN-8986
> URL: https://issues.apache.org/jira/browse/YARN-8986
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Affects Versions: 3.1.1
> Reporter: Charo Zhang
> Assignee: Charo Zhang
> Priority: Minor
> Labels: Docker
> Fix For: 3.1.2
>
> Attachments: YARN-8986.patch
>
>
> It's better to publish all exposed ports to random ports (-P) or support port
> mapping (-p) when using a bridge network for a docker container.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
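An added example in C, the language container-executor is written in, that is not code from the ticket, its patch or the Hadoop project. It shows the two points made in the comment above: the substring test that a "docker network ls | grep <name>" pipeline effectively performs (so an allowed network "bridge" is also "found" in a line "bridges") beside an exact per-line match over the output of docker network ls --format "{{.Name}}" --filter driver=bridge, and running that command as an argv vector through fork/execvp instead of popen, so no shell ever parses the network name. The function names, the constructed sample output and the is_safe_network_name character check are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* argv that replaces the "docker network ls | grep ... | awk ..." popen
 * pipeline. It goes straight to execvp, so no shell ever parses it. */
static char *const DOCKER_BRIDGE_NETWORKS_ARGV[] = {
    "docker", "network", "ls", "--format", "{{.Name}}",
    "--filter", "driver=bridge", NULL
};

/* Hypothetical extra check (assumption, not from the ticket): accept only the
 * characters a Docker network name may contain, so a value such as
 * "null >/dev/null && rm -rf *" is refused before it is used anywhere. */
static int is_safe_network_name(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    for (const char *p = name; *p != '\0'; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_' || *p == '.' || *p == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* What "grep <name>" over the listing amounts to: a substring test, so the
 * allowed network "bridge" also "matches" a line reading "bridges". */
static int grep_style_match(const char *output, const char *name) {
    return strstr(output, name) != NULL;
}

/* Exact match over --format "{{.Name}}" output: one name per line, and only
 * whole-line equality counts. */
static int network_uses_bridge_driver(const char *output, const char *name) {
    size_t n = strlen(name);
    const char *p = output;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0) return 1;
        if (nl == NULL) break;
        p = nl + 1;
    }
    return 0;
}

/* Run argv[] via fork + execvp (no /bin/sh involved) and capture its stdout.
 * Returns the child's exit status, or -1 on failure. */
static int run_capture(char *const argv[], char *buf, size_t buflen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);                        /* parent: drain the pipe */
    size_t used = 0;
    ssize_t r;
    while (used + 1 < buflen &&
           (r = read(fds[0], buf + used, buflen - 1 - used)) > 0) {
        used += (size_t)r;
    }
    buf[used] = '\0';
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run argv[] and exact-match the requested name against its output. */
static int list_contains_network(char *const argv[], const char *name) {
    char buf[4096];
    if (!is_safe_network_name(name)) return 0;
    if (run_capture(argv, buf, sizeof buf) != 0) return 0;
    return network_uses_bridge_driver(buf, name);
}

int main(void) {
    /* Constructed sample output: a host whose only bridge-driver networks are
     * "bridges" and "yarn-net"; there is no network named "bridge". */
    const char *sample = "bridges\nyarn-net\n";
    printf("grep-style match for 'bridge': %d (wrong)\n",
           grep_style_match(sample, "bridge"));
    printf("exact match for 'bridge':      %d (right)\n",
           network_uses_bridge_driver(sample, "bridge"));
    printf("safe-name check on injection string: %d\n",
           is_safe_network_name("null >/dev/null && rm -rf *"));
    /* Against a real host this asks docker whether "bridge" uses the bridge
     * driver; it returns 0 if docker is not installed. */
    printf("docker lists 'bridge' as a bridge network: %d\n",
           list_contains_network(DOCKER_BRIDGE_NETWORKS_ARGV, "bridge"));
    return 0;
}
```

The --filter and --format flags do the selection inside docker itself, so the only thing the caller still has to do is compare whole lines; with the grep pipeline the comparison happened in a shell that also saw the untrusted name.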