[
https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16429360#comment-16429360
]
Shane Kumpf commented on YARN-7221:
-----------------------------------
Thanks for the patch, [~eyang]. Sorry I'm just getting a chance to review. I
tested out this feature and didn't find any issues.
{quote}do we agree on the last change to check submitting user for sudo
privileges instead of
yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user
{quote}
I agree with that approach. This is inline with the existing privileged
container ACL checks in the runtime.
Two minor comments on the current patch:
# In the privileged case, I think we can omit adding the {{--group-add}} to
the cmd file
# The checkstyle issue is valid and should be addressed
I'll note that I would have preferred if we did not set the user in the cmd
file in this case, as having the cmd file represent the actual docker command
that will be executed was a useful feature for troubleshooting purposes. This
is breaking down the more we conditionally remove in c-e. However, let's move
forward with the current approach of passing the user via the cmd file, to
limit additional change here.
> Add security check for privileged docker container
> --------------------------------------------------
>
> Key: YARN-7221
> URL: https://issues.apache.org/jira/browse/YARN-7221
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.0.0, 3.1.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7221.001.patch, YARN-7221.002.patch,
> YARN-7221.003.patch, YARN-7221.004.patch, YARN-7221.005.patch,
> YARN-7221.006.patch, YARN-7221.007.patch, YARN-7221.008.patch,
> YARN-7221.009.patch, YARN-7221.010.patch, YARN-7221.011.patch,
> YARN-7221.012.patch, YARN-7221.013.patch, YARN-7221.014.patch,
> YARN-7221.015.patch, YARN-7221.016.patch, YARN-7221.017.patch,
> YARN-7221.018.patch, YARN-7221.019.patch, YARN-7221.020.patch
>
>
> When a docker is running with privileges, majority of the use case is to have
> some program running with root then drop privileges to another user. i.e.
> httpd to start with privileged and bind to port 80, then drop privileges to
> www user.
> # We should add security check for submitting users, to verify they have
> "sudo" access to run privileged container.
> # We should remove --user=uid:gid for privileged containers.
>
> Docker can be launched with --privileged=true, and --user=uid:gid flag. With
> this parameter combinations, user will not have access to become root user.
> All docker exec command will be drop to uid:gid user to run instead of
> granting privileges. User can gain root privileges if container file system
> contains files that give user extra power, but this type of image is
> considered as dangerous. Non-privileged user can launch container with
> special bits to acquire same level of root power. Hence, we lose control of
> which image should be run with --privileges, and who have sudo rights to use
> privileged container images. As the result, we should check for sudo access
> then decide to parameterize --privileged=true OR --user=uid:gid. This will
> avoid leading developer down the wrong path.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
