Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-8213

Private user namespaces for tasks

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • containerization, security
    • None

    Description

      Once MESOS-8142 implements generic user namespace support, we can improve security by adding another layer of user namespace that encapsulates just the final user task. This protects the kernel objects that are providing the containerization from the user task (since the private task namespace would no longer own the other namespaces).

      This still would not alter the ID mapping of the user namespace.

      This is a little tricky since we need to make the new namespace in the mess containerizer, so we need to take care of:

      • when to chroot
      • when to drop capabilities after entering the new namespace
      • supporting command, default and custom executors (does the latter make sense?)

      Attachments

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. MESOS-8142 Improve container security with user namespaces.

          • Major - Major loss of function.
          • Accepted

          Activity

            People

              jamespeach James Peach
              jamespeach James Peach
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: