Status: Patch Available
Affects Version/s: None
Fix Version/s: None
Mounting files or directories from the host is one way of passing configuration and other information into a Docker container.
We could allow the user to set a list of mounts in the environment of ContainerLaunchContext (e.g. /dir1:/targetdir1,/dir2:/targetdir2).
These would be mounted read-only to the specified target locations. This has been resolved in
But mounting arbitrary volumes into a Docker container can be a security risk.
One approach to provide safe mounts is to allow the cluster administrator to configure a set of parent directories as white list mounting directories.
Add a property named yarn.nodemanager.volume-mounts.white-list; when the container executor does mount checking, only the allowed directories or their sub-directories can be mounted.
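A sketch of the mount check described above, as an added example that is not code from the patch or from Hadoop: it validates each source in a `src:dst,src:dst` list against the white-listed parent directories. The names `normalize`, `is_under` and `mounts_allowed` are hypothetical. Normalisation here is lexical only, so the example assumes symlinks in the source path are resolved separately (for instance with `realpath`) before the comparison.

```c
#include <string.h>
#define MAX_PATH_LEN 4096

/* Lexically normalise an absolute path into out: collapses "//" and ".",
 * resolves "..". Returns -1 for relative or over-long paths. No symlink handling. */
static int normalize(const char *in, char *out, size_t cap) {
    size_t len = 0;
    if (in[0] != '/') return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }   /* drop last component */
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + n + 2 > cap) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* The '/' boundary test keeps "/data-private" from matching the parent "/data". */
static int is_under(const char *path, const char *parent) {
    size_t n = strlen(parent);
    return n == 1 || (strncmp(path, parent, n) == 0 && (path[n] == '/' || path[n] == '\0'));
}

/* allowed: n normalised absolute parents (stand-in for the white-list property).
 * Returns 1 only if every source in "src:dst,src:dst" lies inside an allowed parent. */
int mounts_allowed(const char *spec, const char *const *allowed, size_t n) {
    char src[MAX_PATH_LEN], norm[MAX_PATH_LEN];
    for (;;) {
        size_t entry = strcspn(spec, ","), s = strcspn(spec, ":,");
        if (s == 0 || s == entry || s >= sizeof src) return 0;  /* missing "src:" */
        memcpy(src, spec, s); src[s] = '\0';
        if (normalize(src, norm, sizeof norm) != 0) return 0;
        size_t i = 0;
        while (i < n && !is_under(norm, allowed[i])) i++;
        if (i == n) return 0;                    /* not covered by the white list */
        if (spec[entry] == '\0') return 1;
        spec += entry + 1;
    }
}
```

The check fails closed: one malformed or uncovered entry rejects the whole mount list.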