Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-2999

Implement a linux/iptables isolator

    XMLWordPrintableJSON

    Details

    • Type: Story
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: containerization
    • Labels:

      Description

      As a user of Mesos, I would like to have control over inbound and outbound network communication of a launched Mesos container. The intention is to gain improved security and isolation of user processes on the network level.

      Example Usecases:

      • Preventing outgoing connections to external endpoints which have not been whitelisted (e.g., deny internet connections, only allow connections to this one production database but not the others, ...)
      • Prevent incoming connections from external systems or containers which have not been whitelisted (e.g., don't allow a rough or even hijacked services to interfere with another service)

      The last usecase is somewhat tricky due to the dynamic nature of a Mesos cluster but might be achieved using the available DiscoveryInfo (e.g., block all connections from foreign environments).

        Attachments

          Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MESOS-2044 Use one IP address per container for network isolation

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                StephanErb Stephan Erb
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated: