[ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225228#comment-16225228
 ] 

Eric Yang commented on YARN-7197:
---------------------------------

[~ebadger] My mistake, a normal directory works.  I was doing a test like this:

{code}
docker run -it -v /home/:/home -v /dev/null:/home/yarn centos:7 bash
{code}

Therefore replacing the blacklisted source mount point with {{/dev/null}} isn't a 
universal solution.  If we mount an empty directory from the container working 
directory, like Jason was suggesting, it could prevent unauthorized people from 
getting into the protected area.  

One danger is that the user can make a mistake in configuration, and the user 
can lose all the data that was placed into the empty directory without warning.

I think we should fail the container creation if a blacklisted directory is 
detected.  Mounting from the parent of a blacklisted directory will depend on 
filesystem ACLs to enforce the permission.  Having the ability to substitute a 
subdirectory with an empty directory is a feature, not a security hole, but it 
shouldn't be done without the user's consent.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whitelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
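
The policy discussed in this comment (fail container creation when a blacklisted source is requested, and treat a mount of a blacklisted directory's parent as permitted but dependent on filesystem ACLs), sketched as an added example that is not part of the original message or of the YARN patches. The blacklist entries and function names are assumptions for illustration, and source paths are assumed to be symlink-resolved before the check.

```python
import posixpath

# Constructed blacklist for illustration; not YARN's default list.
BLACKLIST = ["/run", "/home/yarn", "/etc/hadoop"]

def _norm(path):
    # Lexical normalisation only. Assumption: symlinks have already been
    # resolved on the host before this check is called.
    if not path.startswith("/"):
        raise ValueError("mount source must be absolute: %r" % path)
    # normpath preserves a leading "//", so collapse it to a single slash.
    return "/" + posixpath.normpath(path).lstrip("/")

def _is_within(path, root):
    # Compare on component boundaries so /runner does not match /run.
    return root == "/" or path == root or path.startswith(root + "/")

def classify_mount(source, blacklist=BLACKLIST):
    """Return (verdict, matching blacklist entries) for one mount source."""
    src = _norm(source)
    roots = [_norm(b) for b in blacklist]
    hits = [r for r in roots if _is_within(src, r)]
    if hits:
        return ("reject", hits)
    # A parent of a blacklisted directory is not blacklisted itself, but the
    # mount exposes that subtree and only filesystem ACLs protect it.
    exposed = [r for r in roots if _is_within(r, src)]
    return ("parent", exposed) if exposed else ("allow", [])

def check_mounts(mounts, blacklist=BLACKLIST):
    """Validate 'src:dst[:mode]' specs; raise instead of substituting a mount."""
    warnings = []
    for spec in mounts:
        source = spec.split(":")[0]
        verdict, entries = classify_mount(source, blacklist)
        if verdict == "reject":
            raise PermissionError(
                "mount source %s is blacklisted by %s" % (source, entries))
        if verdict == "parent":
            warnings.append((source, entries))
    return warnings

if __name__ == "__main__":
    # The two mounts from the docker command in the comment above.
    print(check_mounts(["/home/:/home", "/dev/null:/home/yarn"]))
```
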
