[jira] [Commented] (YARN-7197) Add support for a volume blacklist for docker containers

Tue, 24 Oct 2017 11:21:52 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217393#comment-16217393
 ] 

Eric Badger commented on YARN-7197:
-----------------------------------

{noformat}
  // symlinks are banned.
  if (strcmp(normalized_path, requested) != 0) {
    return -1;
  }
{noformat}
Why are we outright banning symlinks? We allow them in the whitelist, so I 
don't see why this should be any different. 

{noformat}
      permitted_rw |= check_banned_mounts((const char **) banned_mounts, 
mount_src);
      permitted_ro |= check_banned_mounts((const char **) banned_mounts, 
mount_src);
{noformat}
This looks a little weird since permitted_rw and permitted_ro are ints. I guess 
it works since (1 |= -1) == -1, but it might lead to confusion down the road. 
It would also be nice to know whether the mount was blocked via the whitelist 
or the blacklist.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whilelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to