[ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225026#comment-16225026
 ] 

Eric Badger commented on YARN-7197:
-----------------------------------

{quote}
Btw, docker doesn't support double mount like:
docker run -it -v /mnt/hdfs/user:/home -v /tmp/empty:/home/yarn
If /mnt/hdfs/user is already mounted, then yarn will show up.
{quote}
[~eyang], I'm seeing this to not be true in practice. If I mount /home to /home 
and then /home/ebadger to /tmp/foobar, then /home contains its normal contents 
except that /home/ebadger actually resolves to /tmp/foobar. I don't know how 
the internals work here or if this is "supposed to" work, but this is what 
happens on docker 1.12.6 on rhel7. 
{noformat}
[ebadger@foobar home]$ ls -l /home/ebadger
total 1336
-rw-------  1 ebadger users 1347072 Oct 11 13:58 busy
drwxr-xr-x  2 ebadger users    4096 Oct 27 19:26 conf
drwxr-xr-x 18 ebadger users    4096 Oct 27 19:36 hadoop
drwxr-xr-x  4 ebadger users    4096 Oct 27 20:42 hadoop-run
drwxr-xr-x 10 ebadger users    4096 Oct 27 19:23 protobuf-2.5.0
drwxr-xr-x  2 ebadger users    4096 Oct 27 18:27 scripts
[ebadger@foobar home]$ ls -l /home/
total 4
drwx------ 9 ebadger users 4096 Oct 30 14:03 ebadger
-rw-r--r-- 1 root    root     0 Oct 30 14:12 user2
[ebadger@foobar home]$ ls -l /home/ebadger
total 1336
-rw-------  1 ebadger users 1347072 Oct 11 13:58 busy
drwxr-xr-x  2 ebadger users    4096 Oct 27 19:26 conf
drwxr-xr-x 18 ebadger users    4096 Oct 27 19:36 hadoop
drwxr-xr-x  4 ebadger users    4096 Oct 27 20:42 hadoop-run
drwxr-xr-x 10 ebadger users    4096 Oct 27 19:23 protobuf-2.5.0
drwxr-xr-x  2 ebadger users    4096 Oct 27 18:27 scripts
[ebadger@foobar home]$ ls -l /tmp/foobar/
total 0
-rw-r--r-- 1 ebadger users 0 Oct 30 14:00 fizzgig
-rw-r--r-- 1 ebadger users 0 Oct 30 14:00 tempfile
[ebadger@foobar home]$ sudo docker run --rm -it -v /home/:/home -v /tmp/foobar/:/home/ebadger docker.io/ubuntu:xenial /bin/bash
root@d0b86e4da455:/home# ls -l /home
total 4
drwxr-xr-x 2 xxxxx users 4096 Oct 30 14:00 ebadger
-rw-r--r-- 1 root  root     0 Oct 30 14:12 user2
root@d0b86e4da455:/home# ls -l /home/ebadger/
total 0
-rw-r--r-- 1 xxxxx users 0 Oct 30 14:00 fizzgig
-rw-r--r-- 1 xxxxx users 0 Oct 30 14:00 tempfile
{noformat}

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whitelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.
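Added example, not part of this JIRA thread and not YARN's container-executor code: a small host-path blacklist check of the kind the issue description asks for, applied to docker-style `host:container` mount specs. It models the point raised in both parts of the message above. The comment's `ls` output shows that a nested mount (`/tmp/foobar` over `/home/ebadger`) changes only what is visible inside the container, so a blacklist has to judge the host source path of every requested mount, not what the container ends up seeing. The check also treats a mount of a parent directory (`/var`, or `/`) as exposing any blacklisted path beneath it, and normalises `..`, `.` and trailing slashes so that `/tmp/../run` is recognised as `/run`. The `DEFAULT_BLACKLIST` contents beyond `/run` (which comes from the issue text), the function names and the sample mount list are assumptions made for the illustration.

```python
"""Illustrative host-path blacklist for Docker bind mounts (added example;
not the YARN-7197 implementation).

A requested mount is refused when its host source
  - is a blacklisted path or lies inside one, or
  - is a parent of a blacklisted path (mounting /var exposes /var/lib/docker,
    mounting / exposes everything).
"""
import os
from typing import Iterable, List, Tuple

# Hypothetical default blacklist. /run is the example from the issue text;
# the other entries are assumptions for this illustration.
DEFAULT_BLACKLIST = ("/run", "/etc", "/var/lib/docker", "/proc", "/sys")


def _norm(path: str, resolve_symlinks: bool = False) -> str:
    """Canonicalise a host path: collapse '.', '..', '//' and trailing '/'.

    With resolve_symlinks=True, os.path.realpath is applied first so a symlink
    pointing into a blacklisted tree is judged by its target (off by default
    here so the example runs on paths that do not exist on this machine).
    """
    p = os.path.realpath(path) if resolve_symlinks else path
    p = os.path.normpath(p)
    if not os.path.isabs(p):
        raise ValueError(f"host mount source must be absolute: {path!r}")
    return p


def _is_within(child: str, parent: str) -> bool:
    """True if child == parent or child is below parent.

    Compares on a path-separator boundary, so '/runner' is not inside '/run'.
    """
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def check_mount(spec: str, blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                resolve_symlinks: bool = False) -> Tuple[bool, str]:
    """Check one 'host:container[:opts]' spec. Returns (allowed, reason)."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0]:
        return False, f"malformed mount spec {spec!r}"
    try:
        host = _norm(parts[0], resolve_symlinks)
    except ValueError as exc:
        return False, str(exc)
    for banned in blacklist:
        b = _norm(banned)
        if _is_within(host, b):
            return False, f"{parts[0]!r} is inside blacklisted {b!r}"
        if _is_within(b, host):
            return False, f"{parts[0]!r} would expose blacklisted {b!r}"
    return True, "ok"


def check_mounts(specs: Iterable[str], blacklist: Iterable[str] = DEFAULT_BLACKLIST
                 ) -> List[Tuple[str, bool, str]]:
    """Check every spec; returns (spec, allowed, reason) per mount."""
    return [(s, *check_mount(s, blacklist)) for s in specs]


if __name__ == "__main__":
    # Constructed request: the two mounts from the comment above plus ones
    # that must be refused.
    requested = [
        "/home/:/home",
        "/tmp/foobar/:/home/ebadger",
        "/run:/run",            # blacklisted outright
        "/tmp/../run/systemd:/x",  # normalises to a blacklisted subtree
        "/var:/mnt",            # parent of /var/lib/docker
        "/:/host",              # parent of everything
    ]
    for spec, ok, why in check_mounts(requested):
        print(f"{'ALLOW' if ok else 'DENY ':5} {spec:28} {why}")
```

The nested-mount observation in the comment is exactly why the check looks only at `parts[0]`, the host side of each spec: whatever ends up layered over `/home/ebadger` inside the container, the `/home/` bind mount has already handed the container the rest of `/home`.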



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
