Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job

On 6/13/19 4:14 PM, Gergely Debreczeni via HTCondor-users wrote:

Thanks, that is indeed good advice! I'll check and see whether it has any limitations for our use case.... But if I understood correctly, "becoming root" inside a docker container should not harm the host OS in any manner... so why is it disabled in Condor? Is there some security flaw there?



There are a couple of reasons it is disabled by default in HTCondor.  First, Docker Universe bind-mounts the condor scratch sandbox directory into the container.  This allows condor file transfer, condor_tail and other familiar condor tools and mechanisms to work. Without additional configuration, if we let the container run as root, a bad container could do things through the volume mount that show up in the host machine's filesystem.  Second, at the time of Docker Universe's creation, we weren't 100% convinced that a docker container running as root could escape to the host.  There have been a couple of documented escapes, which the docker engineers have quickly patched.

If you trust your containers in your environment, on the worker node, you can set


and then the containers will be able to run setuid binaries.  Try setting this knob, and making your package installer inside your container (yum, apt-get) sudo'able or maybe setuid, and you should be able to install packages from within the container.
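As an added example (not part of this thread and not HTCondor's own code), the check a worker-node admin might run after turning that knob on: because the scratch sandbox is bind-mounted into the container, anything a root process inside the container writes there is visible on the host, so this POSIX shell script audits the sandbox after the job for files that are setuid/setgid or not owned by the job's uid. The sandbox path, the job uid and the sample files are assumptions constructed for the demo; no docker is needed to run it.

```shell
#!/bin/sh
# Added example, not HTCondor code: post-job audit of a Docker Universe scratch
# sandbox on the worker node.  The sandbox is bind-mounted into the container,
# so a process running as root inside it can leave root-owned or setuid files
# that the host sees.  Paths and uids are assumptions; sample files constructed.

# list_suspicious DIR UID
# Print every regular file under DIR that is setuid, setgid, or not owned by
# UID.  Only POSIX find primaries are used; "-user" accepts a numeric uid.
list_suspicious() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o ! -user "$2" \) -print
}

# count_suspicious DIR UID
# Number of flagged files, printed on stdout (handy for monitoring).
count_suspicious() {
    list_suspicious "$1" "$2" | wc -l | tr -d ' '
}

# audit_sandbox DIR UID
# Exit 0 if the sandbox is clean; exit 1 and list the offenders on stderr
# if anything was flagged.
audit_sandbox() {
    bad=$(list_suspicious "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'suspicious files left in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed sandbox, run as the invoking user.
demo() {
    sandbox=$(mktemp -d)          # stands in for the condor scratch directory
    job_uid=$(id -u)              # the uid the job was supposed to run as
    echo result > "$sandbox/output.txt"
    audit_sandbox "$sandbox" "$job_uid" && echo "clean sandbox: ok"
    # Simulate what a root-in-container job could leave behind through the
    # bind mount: a setuid executable dropped into the sandbox.
    printf '#!/bin/sh\nid\n' > "$sandbox/helper"
    chmod 4755 "$sandbox/helper"
    audit_sandbox "$sandbox" "$job_uid" || echo "flagged as expected"
    rm -rf "$sandbox"
}

demo
```

On a real node the check belongs in the job's post-processing hook, with the sandbox path and uid taken from the job rather than hard-coded; files owned by another uid are only possible if the container actually ran as root, so a hit is a signal that the container did something the job's own account could not have.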