
Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job

Thank you all, thank you Greg, these are good guidelines and explanations!




From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Greg Thain
Sent: Thursday, June 13, 2019 11:42 PM
To: htcondor-users@xxxxxxxxxxx
Subject: Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job


On 6/13/19 4:14 PM, Gergely Debreczeni via HTCondor-users wrote:

Thanks, that is indeed good advice! I’ll check and see whether it has any limitations for our use case... But if I understood correctly, “becoming root” inside a docker container should not harm the host OS in any manner... so why is it disabled in Condor? Is there some security flaw there?




There are a couple of reasons it is disabled by default in HTCondor.  First, Docker Universe bind-mounts the condor scratch sandbox directory into the container.  This allows condor file transfer, condor_tail and other familiar condor tools and mechanisms to work. Without additional configuration, if we let the container run as root, a bad container could do things through the volume mount that show up in the host machine's filesystem.  Second, at the time of Docker Universe creation, we weren't 100% convinced that a docker container running as root could escape to the host.  There have been a couple of documented escapes, which the docker engineers have quickly patched.

If you trust your containers in your environment, on the worker node, you can set


and then the containers will be able to run setuid binaries.  Try setting this knob, and making your package installer inside your container (yum, apt-get) sudo'able or maybe setuid, and you should be able to install packages from within the container.




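A worker-node check that follows from Greg's point about the bind-mounted sandbox, added here as an example and not HTCondor code: once a container is allowed to run as root, anything it writes into the mounted scratch directory lands on the host filesystem, so a root-owned file or a setuid binary left in the sandbox is exactly the kind of artifact an administrator would want to spot. The scratch path (from the command line or the `_CONDOR_SCRATCH_DIR` environment variable) and the job owner's uid are assumptions supplied by the caller.

```python
"""Audit an HTCondor scratch sandbox after a Docker-universe job has run.

Added example, not part of HTCondor. Reports entries in the bind-mounted
sandbox that a job running as an ordinary user could not have created:
files owned by a uid other than the job owner, and setuid/setgid binaries.
"""
import os
import stat
import sys
from typing import List, Tuple


def audit_sandbox(scratch_dir: str, expected_uid: int) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for suspicious entries under scratch_dir.

    reasons: 'foreign-owner' - owner uid differs from the job owner's uid
             'setuid' / 'setgid' - privilege bits set on a regular file
    Entries are inspected with lstat, so symlinks are not followed.
    """
    findings: List[Tuple[str, str]] = []
    for root, dirs, files in os.walk(scratch_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # entry vanished mid-walk (job still cleaning up)
            if st.st_uid != expected_uid:
                findings.append((path, "foreign-owner"))
            if stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_ISUID:
                    findings.append((path, "setuid"))
                if st.st_mode & stat.S_ISGID:
                    findings.append((path, "setgid"))
    return findings


if __name__ == "__main__":
    # Assumed invocation: audit.py [scratch_dir]; falls back to the
    # _CONDOR_SCRATCH_DIR environment variable, then the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("_CONDOR_SCRATCH_DIR", ".")
    for path, reason in audit_sandbox(target, os.getuid()):
        print(f"{reason}\t{path}")
```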