Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Once MESOS-8142 implements generic user namespace support, we can improve security by adding another layer of user namespace that encapsulates just the final user task. This protects the kernel objects that are providing the containerization from the user task (since the private task namespace would no longer own the other namespaces).
This still would not alter the ID mapping of the user namespace.
This is a little tricky since we need to make the new namespace in the mess containerizer, so we need to take care of:
- when to chroot
- when to drop capabilities after entering the new namespace
- supporting command, default and custom executors (does the latter make sense?)
Attachments
Issue Links
- is related to
-
MESOS-8142 Improve container security with user namespaces.
- Accepted