Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-3277

Implement basic security isolators such as linux/apparmor or linux/seccomp

    XMLWordPrintableJSON

Details

    • Story
    • Status: Accepted
    • Major
    • Resolution: Unresolved
    • None
    • None
    • containerization

    Description

      As an operator of a Mesos cluster, I would like to gain some control over what is happening inside launched containers. Specifically, I want to make it a little bit more difficult for untrusted code to escape its container confinement (e.g., prevent access to certain kernel features, raw devices, ...)

      Inspired by LXC , Mesos could offer two new isolators:

      • linux/apparmor: Isolator which applies an AppArmor security profile to containers. A cluster-wide default profile could be similar to the default shipped by LXC.
      • linux/seccomp: Isolator based on the seccomp syscall filter. Seccomp is a mechanism for minimizing the exposed kernel surface by reducing the set of allowed syscalls.

      Attachments

        Issue Links

          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MESOS-4936 Improve container security for Mesos containerizer.

          • Major - Major loss of function.
          • Accepted

          Task - A task that needs to be done. MESOS-6581 Add Seccomp support at Mesos Agent level

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              StephanErb Stephan Erb
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: