[ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225026#comment-16225026 ]
Eric Badger commented on YARN-7197: ----------------------------------- {quote} Btw, docker doesn't support double mount like: docker run -it -v /mnt/hdfs/user:/home -v /tmp/empty:/home/yarn If /mnt/hdfs/user is already mounted, then yarn will show up. {quote} [~eyang], I'm seeing this to not be true in practice. If I mount /home to /home and then /home/ebadger to /tmp/foobar, then /home contains its normal contents except that /home/ebadger actually resolves to /tmp/foobar. I don't know how the internals work here or if this is "supposed to" work, but this is what happens on docker 1.12.6 on rhel7. {noformat} [ebadger@foobar home]$ ls -l /home/ebadger total 1336 -rw------- 1 ebadger users 1347072 Oct 11 13:58 busy drwxr-xr-x 2 ebadger users 4096 Oct 27 19:26 conf drwxr-xr-x 18 ebadger users 4096 Oct 27 19:36 hadoop drwxr-xr-x 4 ebadger users 4096 Oct 27 20:42 hadoop-run drwxr-xr-x 10 ebadger users 4096 Oct 27 19:23 protobuf-2.5.0 drwxr-xr-x 2 ebadger users 4096 Oct 27 18:27 scripts [ebadger@foobar home]$ ls -l /home/ total 4 drwx------ 9 ebadger users 4096 Oct 30 14:03 ebadger -rw-r--r-- 1 root root 0 Oct 30 14:12 user2 [ebadger@foobar home]$ ls -l /home/ebadger total 1336 -rw------- 1 ebadger users 1347072 Oct 11 13:58 busy drwxr-xr-x 2 ebadger users 4096 Oct 27 19:26 conf drwxr-xr-x 18 ebadger users 4096 Oct 27 19:36 hadoop drwxr-xr-x 4 ebadger users 4096 Oct 27 20:42 hadoop-run drwxr-xr-x 10 ebadger users 4096 Oct 27 19:23 protobuf-2.5.0 drwxr-xr-x 2 ebadger users 4096 Oct 27 18:27 scripts [ebadger@foobar home]$ ls -l /tmp/foobar/ total 0 -rw-r--r-- 1 ebadger users 0 Oct 30 14:00 fizzgig -rw-r--r-- 1 ebadger users 0 Oct 30 14:00 tempfile [ebadger@foobar home]$ sudo docker run --rm -it -v /home/:/home -v /tmp/foobar/:/home/ebadger docker.io/ubuntu:xenial /bin/bash root@d0b86e4da455:/home# ls -l /home total 4 drwxr-xr-x 2 xxxxx users 4096 Oct 30 14:00 ebadger -rw-r--r-- 1 root root 0 Oct 30 14:12 user2 root@d0b86e4da455:/home# ls -l /home/ebadger/ total 0 -rw-r--r-- 1 xxxxx users 0 Oct 30 14:00 fizzgig -rw-r--r-- 1 xxxxx users 0 Oct 30 14:00 tempfile {noformat} > Add support for a volume blacklist for docker containers > -------------------------------------------------------- > > Key: YARN-7197 > URL: https://issues.apache.org/jira/browse/YARN-7197 > Project: Hadoop YARN > Issue Type: Sub-task > Components: yarn > Reporter: Shane Kumpf > Assignee: Eric Yang > Attachments: YARN-7197.001.patch, YARN-7197.002.patch > > > Docker supports bind mounting host directories into containers. Work is > underway to allow admins to configure a whilelist of volume mounts. While > this is a much needed and useful feature, it opens the door for > misconfiguration that may lead to users being able to compromise or crash the > system. > One example would be allowing users to mount /run from a host running > systemd, and then running systemd in that container, rendering the host > mostly unusable. > This issue is to add support for a default blacklist. The default blacklist > would be where we put files and directories that if mounted into a container, > are likely to have negative consequences. Users are encouraged not to remove > items from the default blacklist, but may do so if necessary. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org