[MESOS-9386] Implement Seccomp profile inheritance for POD containers - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Won't Do
Affects Version/s: None
Fix Version/s: None
Component/s: containerization
Labels:
- mesosphere

Epic Link:
Seccomp Improvement
Story Points:
5

Description

Child containers inherit its parent container's Seccomp profile by default. Also, Seccomp profile can be overridden by a Framework for a particular child container by specifying a path to the Seccomp profile.

Mesos containerizer persists information about containers on disk via `ContainerLaunchInfo` proto, which includes `ContainerSeccompProfile` proto. Mesos containerizer should use this proto to load the parent's profile for a child container. When a child inherits the parent's Seccomp profile, Mesos agent doesn't have to re-read a Seccomp profile from the disk, which was used for the parent container. Otherwise, we would have to check that a file content hasn't changed since the last time the parent was launched.

Attachments

Activity

People

Assignee:: Andrei Budnik

Reporter:: Andrei Budnik

Shepherd:: Gilbert Song

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Nov/18 16:38

Updated:: 28/Jan/19 13:47

Resolved:: 28/Jan/19 13:47