[ 
https://issues.apache.org/jira/browse/YARN-8986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690665#comment-16690665
 ] 

Eric Yang commented on YARN-8986:
---------------------------------

{code}
char *docker_network_command = make_string("%s network inspect %s --format='{{.Driver}}'", docker_binary, network_name);
{code}

This is not OK unless you verify the network_name against the allowed list in 
the container-executor.cfg.  Otherwise, a bot-generated .cmd file can damage the 
host system using network_name by abusing the popen-created shell.  The same 
applies to add_ports_mapping_to_command.  The pattern should be checked on the 
C side to prevent a randomly generated .cmd file from abusing parameter passing.

> publish all exposed ports to random ports when using bridge network
> -------------------------------------------------------------------
>
>                 Key: YARN-8986
>                 URL: https://issues.apache.org/jira/browse/YARN-8986
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>    Affects Versions: 3.1.1
>            Reporter: Charo Zhang
>            Assignee: Charo Zhang
>            Priority: Minor
>              Labels: Docker
>         Attachments: YARN-8986.patch
>
>
> It's better to publish all exposed ports to random ports (-P) or support port 
> mapping (-p) for bridge network when using bridge network for docker container.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
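
One way to do the C-side check the comment asks for before network_name reaches make_string and popen, as an added example that is not part of the original message or the YARN patch. The function names, the comma-separated form of the allowed list, the 64-character limit and the permitted character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept only alphanumerics plus '_', '.', '-' (first
 * character alphanumeric), so nothing the popen() shell interprets (quotes,
 * ';', '$', backticks, spaces) passes even if the list is misconfigured. */
static int network_name_is_wellformed(const char *name) {
  size_t i, len;
  if (name == NULL) return 0;
  len = strlen(name);
  if (len == 0 || len > 64) return 0;           /* assumed length limit */
  if (!isalnum((unsigned char) name[0])) return 0;
  for (i = 1; i < len; i++) {
    unsigned char c = (unsigned char) name[i];
    if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
  }
  return 1;
}

/* Hypothetical helper: returns 1 only if name is well-formed and equals one
 * entry of allowed_csv exactly. allowed_csv stands in for the allowed-network
 * list read from container-executor.cfg (format assumed). */
int network_name_is_allowed(const char *name, const char *allowed_csv) {
  const char *p = allowed_csv;
  size_t name_len;
  if (allowed_csv == NULL || !network_name_is_wellformed(name)) return 0;
  name_len = strlen(name);
  while (*p != '\0') {
    const char *end = strchr(p, ',');
    size_t entry_len = end ? (size_t) (end - p) : strlen(p);
    while (entry_len > 0 && *p == ' ') { p++; entry_len--; }   /* trim left */
    while (entry_len > 0 && p[entry_len - 1] == ' ') entry_len--; /* right */
    if (entry_len == name_len && strncmp(p, name, name_len) == 0) return 1;
    if (end == NULL) break;
    p = end + 1;
  }
  return 0;
}

int main(void) {
  /* Constructed sample values, not taken from a real .cmd file or config. */
  const char *allowed = "bridge,host,none";
  const char *names[] = { "bridge", "mynet", "bridge;id" };
  size_t i;
  for (i = 0; i < 3; i++)
    printf("%-10s -> %s\n", names[i],
           network_name_is_allowed(names[i], allowed) ? "allowed" : "rejected");
  return 0;
}
```

The caller would refuse to build the docker command at all when the check returns 0, rather than trying to quote or escape the value.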
