[MESOS-7268] CNI isolator should mount network related /etc/* files in readonly mode - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.0
Component/s: containerization, network
Labels:
None

Description

The CNI isolator bind mounts, even for containers using host networking, several files from /etc, such as resolv.conf. These should be mounted as readonly inside the container to prevent users running inside the container as root from being able to affect the external machine.

Attachments

Activity

People

Assignee:: Silas Snider

Reporter:: Silas Snider

Shepherd:: Jie Yu

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Mar/17 16:40

Updated:: 14/Jun/17 19:12

Resolved:: 14/Jun/17 19:12