[YARN-7197] Add support for a volume blacklist for docker containers - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Component/s: yarn
Labels:
- Docker

Description

Docker supports bind mounting host directories into containers. Work is underway to allow admins to configure a whilelist of volume mounts. While this is a much needed and useful feature, it opens the door for misconfiguration that may lead to users being able to compromise or crash the system.

One example would be allowing users to mount /run from a host running systemd, and then running systemd in that container, rendering the host mostly unusable.

This issue is to add support for a default blacklist. The default blacklist would be where we put files and directories that if mounted into a container, are likely to have negative consequences. Users are encouraged not to remove items from the default blacklist, but may do so if necessary.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-7197.005.patch
02/Nov/17 18:00
13 kB
Eric Yang
YARN-7197.004.patch
01/Nov/17 23:39
14 kB
Eric Yang
YARN-7197.003.patch
01/Nov/17 16:18
14 kB
Eric Yang
YARN-7197.002.patch
23/Oct/17 17:00
7 kB
Eric Yang
YARN-7197.001.patch
17/Oct/17 00:45
7 kB
Eric Yang

Activity

People

Assignee:: Unassigned

Reporter:: Shane Kumpf

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Due:: 31/Oct/17

Created:: 14/Sep/17 19:47

Updated:: 11/Jul/18 21:46

Resolved:: 11/Jul/18 21:46