Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-8272

Fall back to bind mounting container devices.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.5.0
    • containerization
    • None

    Description

      When we use mknod to create device files within a container root, we require CAP_MKNOD in the root user namespace. If we have already entered a private user namespace, this fails with EPERM. To work around this, we can do what systemd-nspawn does (though for different reasons), which is to fall back bind mounting the device files into the chroot from the host.

      Attachments

        Issue Links

          blocks

          Improvement - An improvement or enhancement to an existing feature or task. MESOS-8142 Improve container security with user namespaces.

          • Major - Major loss of function.
          • Accepted

          Activity

            People

              jamespeach James Peach
              jamespeach James Peach
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: