Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-8142

Improve container security with user namespaces.

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Accepted
    • Major
    • Resolution: Unresolved
    • None
    • None
    • containerization, security
    • None

    Description

      As a first pass at supporting user namespaces, figure out how we can use them to improve container security when running untrusted tasks.

      This ticket is specifically targeting how to build a user namespace hierarchy and excluding any sort of ID mapping for the container images.

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. MESOS-8272 Fall back to bind mounting container devices.

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. MESOS-8286 Making bind mounts readonly fails with user namespaces.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. MESOS-8155 subprocess clone argument should return a Try<pid_t>

          • Trivial - Cosmetic problem like misspelt words or misaligned text.
          • Open

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MESOS-4936 Improve container security for Mesos containerizer.

          • Major - Major loss of function.
          • Accepted
          is required by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MESOS-2952 Provide user namespaces for privileged access inside containers

          • Major - Major loss of function.
          • Accepted
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. MESOS-8213 Private user namespaces for tasks

          • Major - Major loss of function.
          • Open

          Activity

            People

              jamespeach James Peach
              jamespeach James Peach
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: