Description
After /proc/sys gets remounted as read-only in a Mesos container, its mount options become ro,relatime only. It needs to share the other mount options of /proc, including nosuid,noexec,nodev, for security reasons.
Additional question: shall we also sandbox other important system mount points, like systemd does with ProtectSystem= (or at least ProtectKernelTunables=) and Docker does with docker run without --privileged?
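
A check for the condition described in this ticket, added here as an example and not taken from Mesos: it reads `mountinfo` and reports which of `ro,nosuid,nodev,noexec` are missing from a mount point. The function names and both sample tables are constructed for illustration, and the script assumes the last entry listed for a mount point is the one in effect.

```shell
#!/bin/sh
# Added example (not Mesos code): report hardening options missing from a mount.
REQUIRED_OPTS="ro nosuid nodev noexec"

# missing_mount_opts MOUNTPOINT [MOUNTINFO_FILE|-]
# Prints the required options absent from MOUNTPOINT, space separated.
# Prints an empty line when all are present, "not-mounted" when no entry exists.
missing_mount_opts() {
    awk -v mp="$1" -v req="$REQUIRED_OPTS" '
        # mountinfo: field 5 = mount point, field 6 = per-mount options
        $5 == mp { opts = $6; found = 1 }   # assumption: last entry is in effect
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(req, want, " ")
            m = split(opts, have, ",")
            for (i = 1; i <= m; i++) set[have[i]] = 1
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in set)) out = out (out == "" ? "" : " ") want[i]
            print out
        }' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: /proc/sys after a read-only remount that dropped the
# options /proc itself carries (the state this ticket reports).
sample_before() {
    cat <<'EOF'
100 90 0:45 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
101 100 0:45 /sys /proc/sys ro,relatime - proc proc rw
EOF
}

# Constructed sample: the same mount with the options carried over.
sample_after() {
    cat <<'EOF'
100 90 0:45 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
101 100 0:45 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
EOF
}

for s in sample_before sample_after; do
    echo "$s: missing=[$($s | missing_mount_opts /proc/sys -)]"
done
```

Inside a container, calling `missing_mount_opts /proc/sys` with no second argument reads the live `/proc/self/mountinfo`.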