[ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219115#comment-16219115
 ] 

Eric Yang commented on YARN-7197:
---------------------------------

[~ebadger] said:
{quote}
The user can just mount above the blacklist and they get access to exactly what 
they want. This protects them from mounting the exact path in the blacklist, 
but that doesn't really buy us anything if they can mount the parent directory. 
If I can't prevent a file/directory underneath the parent directory from being 
accessed, then I don't see the utility of the blacklist.
{quote}

Black list is not the inverse of white list in this context. Black list is 
designed to prevent certain exact paths from being mounted, such as /dev, /proc, 
/sys, and /run. In the examples above, allowing people to read the yarn system 
directory can leak credentials about other users. Allowing a user to mount 
/run/docker.socket can let the user jailbreak the docker container to become root. 
Black list can prevent system APIs from being mounted to minimize attack 
surface. A paranoid admin might configure docker to use a socket path other than 
/run/docker.socket, and put the customized location in the black list. The same 
applies to YARN system directories. Black list increases the degree of difficulty 
for the host to be cracked by keeping programmable APIs away from inside the 
containers.


> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whitelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.
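The whitelist/blacklist interaction argued over above, as an added example that is not YARN's container-executor code: a bind-mount request is normalized, checked against a constructed whitelist of allowed prefixes, then against an exact-path blacklist; an optional ancestor check additionally rejects a parent mount (such as /run) that would expose a blacklisted path beneath it. The prefix lists and the `check_mount` function are constructed for illustration.

```python
import posixpath

# Constructed policy, not YARN's actual configuration values.
ALLOWED_PREFIXES = ["/data", "/run"]      # whitelist: anything under these may be mounted
BLACKLIST = ["/dev", "/proc", "/sys",     # exact paths that must never be mounted
             "/run/docker.socket",        # socket path as named in the comment above
             "/var/lib/yarn"]             # constructed stand-in for a YARN system dir


def normalize(path):
    """Collapse '..', '.', repeated and trailing slashes so lookalike spellings
    ('/run/../run/docker.socket', '//run/docker.socket/') compare equal to the
    canonical entry. Symlinks are NOT resolved; a host-side check should also
    realpath() the source before comparing."""
    if not path.startswith("/"):
        raise ValueError("mount source must be an absolute host path")
    norm = posixpath.normpath(path)
    if norm.startswith("//"):             # POSIX normpath preserves a leading '//'
        norm = "/" + norm.lstrip("/")
    return norm


def is_within(path, prefix):
    """True when path equals prefix or lies beneath it as a directory."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def check_mount(source, allowed=ALLOWED_PREFIXES, blacklist=BLACKLIST,
                block_ancestors=False):
    """Return (ok, reason) for a requested bind-mount source.

    With block_ancestors=False the blacklist behaves as described in the
    comment: only the exact path is refused, so mounting the parent '/run'
    is still permitted by the whitelist. With block_ancestors=True a mount is
    also refused when any blacklisted path sits underneath it."""
    src = normalize(source)
    if not any(is_within(src, p) for p in allowed):
        return False, "not under any whitelisted prefix"
    for entry in blacklist:
        if src == entry:
            return False, "exact match on blacklisted path %s" % entry
        if block_ancestors and is_within(entry, src):
            return False, "mount would expose blacklisted path %s" % entry
    return True, "allowed"


if __name__ == "__main__":
    for req in ["/run/docker.socket", "/run/../run/docker.socket", "/run", "/etc"]:
        print(req, "->", check_mount(req), "| ancestors:", check_mount(req, block_ancestors=True))
```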



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
