Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2017/10/17 00:49:00 UTC

[jira] [Updated] (YARN-7197) Add support for a volume blacklist for docker containers

     [ https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang updated YARN-7197:
----------------------------
    Attachment: YARN-7197.001.patch

The basic check for the blacklist requires an exact match of the path to ban.  The evaluation order is whitelist first, then blacklist.  This assumes that the majority of volumes can be mounted and that there are only a few system-protected areas which cannot be mounted.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>         Attachments: YARN-7197.001.patch
>
>
> Docker supports bind mounting host directories into containers. Work is underway to allow admins to configure a whitelist of volume mounts. While this is a much needed and useful feature, it opens the door for misconfiguration that may lead to users being able to compromise or crash the system.
> One example would be allowing users to mount /run from a host running systemd, and then running systemd in that container, rendering the host mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist would be where we put files and directories that if mounted into a container, are likely to have negative consequences. Users are encouraged not to remove items from the default blacklist, but may do so if necessary.
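The evaluation order described in the comment above (whitelist first, then an exact-match blacklist), written out as an added example; this is not code from the YARN-7197 patch or from the container-executor. The two lists are constructed, and the rule that a whitelist entry covers the directory and everything beneath it is an assumption.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed example policy, not the real YARN defaults. "/run" appears in
 * both lists to show that the blacklist wins after the whitelist passes. */
static const char *WHITELIST[] = { "/data", "/home", "/run", NULL };
static const char *BLACKLIST[] = { "/run", "/proc", "/sys", "/dev", NULL };

/* Copy path into buf, dropping trailing slashes so "/run/" and "/run" compare
 * equal under the exact-match rule. Returns false if the path does not fit. */
static bool normalize(const char *path, char *buf, size_t buflen) {
    size_t n = strlen(path);
    if (n == 0 || n >= buflen) return false;
    memcpy(buf, path, n + 1);
    while (n > 1 && buf[n - 1] == '/') buf[--n] = '\0';
    return true;
}

/* Whitelist rule (assumed): an entry allows that directory and its subtree. */
static bool whitelisted(const char *path) {
    for (const char **w = WHITELIST; *w; ++w) {
        size_t len = strlen(*w);
        if (strncmp(path, *w, len) == 0 && (path[len] == '\0' || path[len] == '/'))
            return true;
    }
    return false;
}

/* Blacklist rule: exact match of the normalized path only. */
static bool blacklisted(const char *path) {
    for (const char **b = BLACKLIST; *b; ++b)
        if (strcmp(path, *b) == 0) return true;
    return false;
}

/* Whitelist first, then blacklist: a mount is allowed only when it lies under
 * a whitelisted root and is not itself a blacklisted path. Anything that is
 * not whitelisted is denied before the blacklist is even consulted. */
bool mount_allowed(const char *requested) {
    char path[4096];
    if (!normalize(requested, path, sizeof path)) return false;
    if (!whitelisted(path)) return false;
    return !blacklisted(path);
}
```

Because the blacklist is an exact match, only the listed path itself is banned; an admin who wants a whole subtree protected has to keep it out of the whitelist instead.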



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
