[ https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16082706#comment-16082706 ]

James DeFelice commented on MESOS-7605:
---------------------------------------

Re-opening this ticket for further discussion.

If there are no container networks, there is no UTS namespace isolation, as per:

https://github.com/apache/mesos/blob/9b69c09310cdb6d7cfca1284f60c3f1b422c77cc/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp#L655

Without such isolation, calls to `sethostname` from a container will impact the 
host netns, as per:

https://linux.die.net/man/2/sethostname

and

https://linux.die.net/man/1/unshare

{quote}
UTS namespace

setting hostname, domainname will not affect rest of the system (CLONE_NEWUTS 
flag),
{quote}

This is distinctly different from the Docker experience. It also implies that 
it's impossible to give a container permission to **bind** to a host network 
port without also giving it permission to **change the host's network name**. 
This feels like a security hole to me.

> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
>                 Key: MESOS-7605
>                 URL: https://issues.apache.org/jira/browse/MESOS-7605
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James DeFelice
>              Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts 
> container isolation, even in {{host}} network mode: (via 
> https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default. 
> As such --hostname is allowed in host network mode and will only change the 
> hostname inside the container. Similar to --hostname, the --add-host, --dns, 
> --dns-search, and --dns-option options can be used in host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was 
> initially added to support the Docker containerizer's use of the 
> {{--hostname}} Docker {{run}} flag.
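An added example (not part of the ticket or the Mesos source) illustrating the comment above on Linux: it reports whether the calling process shares PID 1's UTS namespace, and shows that `sethostname` issued inside a freshly unshared UTS namespace leaves the parent's hostname untouched, whereas without `CLONE_NEWUTS` the same call would rename the host. The `container-demo` name is a constructed value; `unshare(CLONE_NEWUTS)` needs CAP_SYS_ADMIN, so without it the demo returns code 2 and never calls `sethostname`.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Inode of /proc/<pid>/ns/uts: two processes share a UTS namespace iff it matches.
 * Returns 0 on error (e.g. no permission to inspect another process). */
static ino_t uts_ns_ino(pid_t pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/uts", (int)pid);
    if (stat(path, &st) != 0) return 0;
    return st.st_ino;
}

/* 1 = own UTS namespace (isolated from PID 1), 0 = shares the host's, -1 = unknown. */
static int uts_isolated_from_init(void) {
    ino_t self = uts_ns_ino(getpid()), init = uts_ns_ino(1);
    if (self == 0 || init == 0) return -1;
    return self != init ? 1 : 0;
}

/* Fork a child that unshares UTS and sets a hostname ("container-demo" is a constructed
 * value). 0 = parent's hostname untouched, 2 = no privilege to unshare (sethostname is
 * then never attempted), 4 = hostname leaked to the parent, -1 = other failure. */
static int demo_unshare_sethostname(void) {
    char before[HOST_NAME_MAX + 1], after[HOST_NAME_MAX + 1];
    if (gethostname(before, sizeof before) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Without CLONE_NEWUTS this is exactly the ticket's situation: the
         * sethostname below would change the host's name, so stop here. */
        if (unshare(CLONE_NEWUTS) != 0) _exit(2);
        if (sethostname("container-demo", 14) != 0) _exit(3);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status);
    if (gethostname(after, sizeof after) != 0) return -1;
    return strcmp(before, after) == 0 ? 0 : 4;
}

int main(void) {
    printf("UTS isolated from PID 1: %d\n", uts_isolated_from_init());
    printf("unshare+sethostname demo: %d\n", demo_unshare_sethostname());
    return 0;
}
```

Run inside a UCR task with host networking to see whether the task shares the agent's UTS namespace; the demo needs root to exercise the isolated path.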
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
