
Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job



On 6/13/19 4:14 PM, Gergely Debreczeni via HTCondor-users wrote:

Thanks, that is indeed a good advice! I’ll check and see whether it has any limitations for our use case.... But if I understood correctly “becoming root” inside a docker container should not harm the host OS in any manner... so why it is disabled in Condor ? Is there some security flaw there ?



Gergely:

There are a couple of reasons it is disabled by default in HTCondor.  First, Docker Universe bind-mounts the condor scratch sandbox directory into the container.  This allows condor file transfer, condor_tail and other familiar condor tools and mechanisms to work. Without additional configuration, if we let the container run as root, a bad container could do things through the volume mount that show up in the host machine's filesystem.  Second, at the time of Docker Universe creation, we weren't 100% convinced that a docker container running as root could escape to the host.  There have been a couple of documented escapes, which the docker engineers have quickly patched.

If you trust your containers in your environment, on the worker node, you can set

DOCKER_DROP_ALL_CAPABILITIES = false

and then the containers will be able to run setuid binaries.  Try setting this knob, and making your package installer inside your container (yum, apt-get) sudo'able or maybe setuid, and you should be able to install packages from within the container.


-greg
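As an added example (this is not HTCondor's own code or part of the thread above), the script below rebuilds the two things Greg's message turns on: the scratch sandbox bind-mount that Docker Universe adds to the container, and the capability drop that DOCKER_DROP_ALL_CAPABILITIES controls. The assumption here is that a true value makes the startd pass `--cap-drop=all` to `docker run`, which is how the HTCondor manual documents the knob; the scratch path and image names are made up. The probe function runs against a real engine and shows, via the CapBnd bounding set in /proc/self/status, why a setuid binary such as sudo cannot regain root powers once all capabilities are dropped.

```shell
#!/bin/sh
# Added example, not HTCondor's code. Assumption: DOCKER_DROP_ALL_CAPABILITIES=true
# means Docker Universe starts the container with `--cap-drop=all` (per the
# HTCondor manual). Scratch paths and image names below are made up.

# Translate the knob value into the flag the startd would add to `docker run`.
cap_flag_for_knob() {
    case "$1" in
        [Ff][Aa][Ll][Ss][Ee]|0) printf '%s' '' ;;
        *)                      printf '%s' '--cap-drop=all' ;;
    esac
}

# Rebuild the relevant part of the Docker Universe command line. The scratch
# sandbox is bind-mounted read-write so file transfer and condor_tail work,
# which is also why a container running as root can leave root-owned files
# (or worse) in the host's scratch directory.
build_run_args() {
    knob=$1; scratch=$2; image=$3
    flag=$(cap_flag_for_knob "$knob")
    # tr -s collapses the double space left when no flag is emitted
    printf '%s' "run --rm $flag -v $scratch:$scratch -w $scratch $image" | tr -s ' '
}

# Probe a live engine: CapBnd is the capability bounding set, which caps what a
# setuid-root binary (sudo, su) can gain on exec. With the knob true the set is
# all zeros, so sudo gets uid 0 but no CAP_SETUID/CAP_DAC_OVERRIDE and fails;
# with the knob false the default Docker bounding set is shown instead.
# Returns 2 (probe skipped) when docker is not installed on this host.
probe_bounding_set() {
    flag=$(cap_flag_for_knob "$1")
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not installed; probe skipped" >&2
        return 2
    fi
    # word-splitting of $flag is intended: it is either empty or one flag
    # shellcheck disable=SC2086
    docker run --rm $flag alpine:3 grep CapBnd /proc/self/status
}

# Usage on a worker node:  sh probe.sh probe true    (or: probe false)
if [ "${1:-}" = "probe" ]; then
    probe_bounding_set "${2:-true}"
fi
```

Run `sh probe.sh probe true` and then `sh probe.sh probe false` on a node with Docker to see the bounding set go from all zeros to Docker's default mask; the second case is the state a worker node is in after setting `DOCKER_DROP_ALL_CAPABILITIES = false`, so only do that where you trust every image that can be scheduled there.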