You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/03/19 05:32:00 UTC
[jira] [Comment Edited] (YARN-7516) Security check for trusted
docker image
[ https://issues.apache.org/jira/browse/YARN-7516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16404396#comment-16404396 ]
Eric Yang edited comment on YARN-7516 at 3/19/18 5:31 AM:
----------------------------------------------------------
Hi [~leftnoteasy],
If a user specifies a docker image that is not part of privileged-containers.registries, the image can run as root or user, but all capabilities dropped to protect the user from acquiring root power using malicious binaries. All mount points are also skipped to ensure that jailed user does not get out the container. If the docker image is part of privileged-container registry, then there are two modes that user can launch the container. User can run the image with --privileged and also have ability to mount external disks, and user appears as root. User can also run the image as himself. This is the reason that security check affects non-privileged container to safe guard the host system.
was (Author: eyang):
Hi [~leftnoteasy],
If a user specifies a docker image that is not part of privileged-containers.registries, the image can run as root or user, but all capabilities dropped to protect the user from acquiring root power using malicious binaries. All mount points are also skipped to ensure that jailed user does not get out the container. If the docker image is part of privileged-container registry, then there are two modes that user can launch the container. User can run the image with --privileged and also have ability to mount external disks, and user appears as root. User can also run the image as himself. This is the reason that security check affect non-privileged container to safe guard the host system.
> Security check for trusted docker image
> ---------------------------------------
>
> Key: YARN-7516
> URL: https://issues.apache.org/jira/browse/YARN-7516
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Fix For: 3.1.0
>
> Attachments: YARN-7516.001.patch, YARN-7516.002.patch, YARN-7516.003.patch, YARN-7516.004.patch, YARN-7516.005.patch, YARN-7516.006.patch, YARN-7516.007.patch, YARN-7516.008.patch, YARN-7516.009.patch, YARN-7516.010.patch, YARN-7516.011.patch, YARN-7516.012.patch, YARN-7516.013.patch, YARN-7516.014.patch, YARN-7516.015.patch, YARN-7516.016.patch, YARN-7516.017.patch, YARN-7516.018.patch
>
>
> Hadoop YARN Services can support using private docker registry image or docker image from docker hub. In current implementation, Hadoop security is enforced through username and group membership, and enforce uid:gid consistency in docker container and distributed file system. There is cloud use case for having ability to run untrusted docker image on the same cluster for testing.
> The basic requirement for untrusted container is to ensure all kernel and root privileges are dropped, and there is no interaction with distributed file system to avoid contamination. We can probably enforce detection of untrusted docker image by checking the following:
> # If docker image is from public docker hub repository, the container is automatically flagged as insecure, and disk volume mount are disabled automatically, and drop all kernel capabilities.
> # If docker image is from private repository in docker hub, and there is a white list to allow the private repository, disk volume mount is allowed, kernel capabilities follows the allowed list.
> # If docker image is from private trusted registry with image name like "private.registry.local:5000/centos", and white list allows this private trusted repository. Disk volume mount is allowed, kernel capabilities follows the allowed list.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org