Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.1.0
    • Fix Version/s: 3.2.0, 3.1.1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      When a docker is running with privileges, majority of the use case is to have some program running with root then drop privileges to another user. i.e. httpd to start with privileged and bind to port 80, then drop privileges to www user.

      1. We should add security check for submitting users, to verify they have "sudo" access to run privileged container.
      2. We should remove --user=uid:gid for privileged containers.

      Docker can be launched with --privileged=true, and --user=uid:gid flag. With this parameter combinations, user will not have access to become root user. All docker exec command will be drop to uid:gid user to run instead of granting privileges. User can gain root privileges if container file system contains files that give user extra power, but this type of image is considered as dangerous. Non-privileged user can launch container with special bits to acquire same level of root power. Hence, we lose control of which image should be run with --privileges, and who have sudo rights to use privileged container images. As the result, we should check for sudo access then decide to parameterize --privileged=true OR --user=uid:gid. This will avoid leading developer down the wrong path.

        Attachments

        1. YARN-7221.001.patch
          9 kB
          Eric Yang
        2. YARN-7221.002.patch
          9 kB
          Eric Yang
        3. YARN-7221.003.patch
          8 kB
          Eric Yang
        4. YARN-7221.004.patch
          8 kB
          Eric Yang
        5. YARN-7221.005.patch
          9 kB
          Eric Yang
        6. YARN-7221.006.patch
          10 kB
          Eric Yang
        7. YARN-7221.007.patch
          11 kB
          Eric Yang
        8. YARN-7221.008.patch
          11 kB
          Eric Yang
        9. YARN-7221.009.patch
          12 kB
          Eric Yang
        10. YARN-7221.010.patch
          12 kB
          Eric Yang
        11. YARN-7221.011.patch
          12 kB
          Eric Yang
        12. YARN-7221.012.patch
          12 kB
          Eric Yang
        13. YARN-7221.013.patch
          12 kB
          Eric Yang
        14. YARN-7221.014.patch
          12 kB
          Eric Yang
        15. YARN-7221.015.patch
          32 kB
          Eric Yang
        16. YARN-7221.016.patch
          32 kB
          Eric Yang
        17. YARN-7221.017.patch
          32 kB
          Eric Yang
        18. YARN-7221.018.patch
          32 kB
          Eric Yang
        19. YARN-7221.019.patch
          33 kB
          Eric Yang
        20. YARN-7221.020.patch
          33 kB
          Eric Yang
        21. YARN-7221.021.patch
          35 kB
          Eric Yang
        22. YARN-7221.022.patch
          35 kB
          Eric Yang

          Issue Links

            Activity

              People

              • Assignee:
                eyang Eric Yang
                Reporter:
                eyang Eric Yang
              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: