There is one big improvement that has to happen before Docker becomes ready for most enterprise users to deploy it on YARN. That’s the support of user ID namespaces within Docker, which will ensure that an application with root-level permissions can’t compromise the host and therefore make it unsafe or hamstring performance for other containers.
Once that’s done, Hadoop users should be able to start launching Docker containers on YARN and be fairly confident there won’t be any inherent security risks hanging around.
Docker supports isolation of all resources except the UIDs. UID namespaces are critical to restricting access to the resources of a host. In the absence of support for UID namespaces, processes in a Docker container running with root privileges can compromise the security of the host or other containers on the host.
The UID namespace is one of the most complex of Linux’s isolation mechanisms. While it is very powerful, this complexity is at odds with Docker’s philosophy of simplicity.
$ touch /tmp/uid100000
$ sudo chown 100000:100000 /tmp/uid100000
$ sudo docker run --uidmap="0:100000:10000" -v="/tmp:/mnt:rw" -i -t ubuntu ls -lh /mnt/uid100000
-rw-r--r--. 1 root root 0 Mar 10 19:16 /mnt/uid100000
The file has a UID of 100000 on the host but appears as root-owned in the container. Similarly, the ls -lh process runs as root in the container but appears as UID 100000 in ps au on the host.
Before starting the container, the UIDs and GIDs of its files are translated to their real values on the host (100000 range). The time taken for the translation (a second or two for the above image) can be avoided by using a pre-translated image.
Creating an image with translated UIDs is simple.
root@userns ~ # docker commit $(docker run -d -x --private-uids ubuntu true) ubuntu-private-uids
It may take several seconds to translate the UIDs of all files in the image to a default UID range on the host and commit the product as a new image. The image can then be used without -x to avoid the translation latency.
root@userns ~ # docker run --private-uids -i -t ubuntu-private-uids bash
root ~ /# id
uid=0(root) gid=0(root) groups=0(root)
root ~ /# ls -lhd /
drwxr-xr-x 49 root root 4.0K Mar 20 14:22 /
Even though the UID appears to be 0, the process really runs as UID 100000 on the host. Similarly, the real UID of / on the host is 100000.
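The two views above (root inside, UID 100000 outside) are both the result of one mapping: "0:100000:10000" means inside UID 0 through 9999 correspond to host UID 100000 through 109999, the same format the kernel exposes in /proc/PID/uid_map. The following shell script is an added example, not code from the page or from Docker: it implements that translation in both directions and then applies it to a constructed list of file owners, which is what the pre-translation step described above has to do for every file in the image. The mapping string, the sample file list and the assumption that GIDs use the same ranges as UIDs are all constructed for the example; the overflow UID 65534 for unmapped host owners is the kernel's default.

```shell
#!/bin/sh
# Translate UIDs across a user-namespace mapping of the form used by
# /proc/<pid>/uid_map and by the --uidmap flag shown on the page:
#   "<inside_start>:<outside_start>:<count>[,<inside>:<outside>:<count>...]"
# Constructed example mapping, matching the page's "0:100000:10000".
DEMO_MAP="0:100000:10000"

# map_uid SPEC INSIDE_UID: print the host UID; exit 1 if the inside UID is
# not covered by any range (the kernel refuses to create such a UID in the
# namespace, so there is nothing to translate it to).
map_uid() {
    spec=$1; inside=$2
    oldifs=$IFS; IFS=','
    set -- $spec
    IFS=$oldifs
    for range in "$@"; do
        in_start=${range%%:*}
        rest=${range#*:}
        out_start=${rest%%:*}
        count=${rest#*:}
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + count)) ]; then
            echo $((out_start + inside - in_start))
            return 0
        fi
    done
    return 1
}

# unmap_uid SPEC HOST_UID: print the UID as seen inside the namespace.
# A host UID outside every range shows up as the overflow UID 65534
# (the kernel's default /proc/sys/kernel/overflowuid), i.e. "nobody".
unmap_uid() {
    spec=$1; host=$2
    oldifs=$IFS; IFS=','
    set -- $spec
    IFS=$oldifs
    for range in "$@"; do
        in_start=${range%%:*}
        rest=${range#*:}
        out_start=${rest%%:*}
        count=${rest#*:}
        if [ "$host" -ge "$out_start" ] && [ "$host" -lt $((out_start + count)) ]; then
            echo $((in_start + host - out_start))
            return 0
        fi
    done
    echo 65534
    return 0
}

# chown_plan SPEC: read "uid gid path" lines (as an image's untranslated
# file owners would be listed) on stdin and print the chown each file needs
# so that it reads as the original owner from inside the namespace.
# Assumption for this example: GIDs use the same ranges as UIDs.
chown_plan() {
    spec=$1
    while read -r uid gid path; do
        huid=$(map_uid "$spec" "$uid") || { echo "skip $path: uid $uid not in map" >&2; continue; }
        hgid=$(map_uid "$spec" "$gid") || { echo "skip $path: gid $gid not in map" >&2; continue; }
        echo "chown $huid:$hgid $path"
    done
}

# Walk the page's example: the file owned by host UID 100000 shows as root
# inside, and the container's root process shows as 100000 in ps on the host.
echo "host 100000 -> inside $(unmap_uid "$DEMO_MAP" 100000)"
echo "inside 0 -> host $(map_uid "$DEMO_MAP" 0)"

# Constructed owner list for a pre-translation dry run.
printf '0 0 /bin/ls\n33 33 /var/www\n' | chown_plan "$DEMO_MAP"
```

Running the script prints the two translations from the page and then the chown lines a pre-translated image would need; a file whose owner falls outside the map is reported on stderr and skipped rather than silently given a wrong owner.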