Details
- Type: Story
- Status: Accepted
- Priority: Major
- Resolution: Unresolved
Description
As an operator of a Mesos cluster, I would like to gain some control over what is happening inside launched containers. Specifically, I want to make it a little bit more difficult for untrusted code to escape its container confinement (e.g., prevent access to certain kernel features, raw devices, ...).
Inspired by LXC, Mesos could offer two new isolators:
- linux/apparmor: Isolator which applies an AppArmor security profile to containers. A cluster-wide default profile could be similar to the default shipped by LXC.
- linux/seccomp: Isolator based on the seccomp syscall filter. Seccomp is a mechanism for minimizing the exposed kernel surface by reducing the set of allowed syscalls.
Issue Links
- is related to
  - MESOS-4936 Improve container security for Mesos containerizer. (Accepted)
  - MESOS-6581 Add Seccomp support at Mesos Agent level (Resolved)