[
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16217854#comment-16217854
]
Eric Yang commented on YARN-7197:
---------------------------------
[~ebadger] You are correct on all points, and mounting parent directory will
allow container to include directories that are supposedly in the banned list.
File system ACL is the only protection to verify uid:gid are indeed authorized
to access the included area.
The black list is designed to filter out more sinister attack against the
system.
For example, system admin configures:
{code}
white-listed-read-write: /mnt/hdfs/user
black-listed: /mnt/hdfs/user/yarn
{code}
This will prevent aughty junior developer from doing:
{code}
docker run -u yarn:yarn -it -v /mnt/hdfs/user/yarn:/tmp centos:latest bash
{code}
and this works:
{code}
docker run -u 501:501 -it -v /mnt/hdfs/user:/home centos:latest bash
{code}
The black list feature is not designed to make a subdirectory disappear.
Docker still depends on file system acl to enforce security. This feature is
only good for blocking a certain system directories from developers to protect
host OS and Hadoop. This is also the reason that system admin keep black list
secrets from naughty developers.
> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
> Key: YARN-7197
> URL: https://issues.apache.org/jira/browse/YARN-7197
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn
> Reporter: Shane Kumpf
> Assignee: Eric Yang
> Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is
> underway to allow admins to configure a whilelist of volume mounts. While
> this is a much needed and useful feature, it opens the door for
> misconfiguration that may lead to users being able to compromise or crash the
> system.
> One example would be allowing users to mount /run from a host running
> systemd, and then running systemd in that container, rendering the host
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist
> would be where we put files and directories that if mounted into a container,
> are likely to have negative consequences. Users are encouraged not to remove
> items from the default blacklist, but may do so if necessary.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
