  1. Mesos
  2. MESOS-9768

Allow operators to mount the container rootfs with the `nosuid` flag


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: containerization
    • Labels:
      None
    • Target Version/s:

      Description

      If cluster users are allowed to launch containers with arbitrary images, those images may contain setuid programs. For security reasons (auditing, privilege escalation), operators may wish to ensure that setuid programs cannot be used within a container.

      We should provide a way for operators to be able to specify that container volumes (including `/`) should be mounted with the `nosuid` flag.

            People

            • Assignee: Unassigned
            • Reporter: jamespeach James Peach
            • Votes: 0
            • Watchers: 4

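
An operator-side check for the property this issue asks for, as an added example that is not part of the original issue or of the Mesos code base: it parses text in the Linux `/proc/<pid>/mountinfo` format and lists the mount points whose options lack `nosuid`. The sample lines, paths and the function name `mounts_missing_nosuid` are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = "\n".join([
    r"1201 1100 8:1 /srv/c1/rootfs / rw,relatime master:1 - ext4 /dev/sda1 rw",
    r"1202 1201 0:45 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw",
    r"1203 1201 8:17 /vol/data /mnt/my\040data rw,relatime shared:7 - ext4 /dev/sdb1 rw",
    r"1204 1201 0:46 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k",
])


def _unescape(path):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def mounts_missing_nosuid(mountinfo_text):
    """Return the mount points whose per-mount options lack `nosuid`."""
    missing = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        # Six fixed fields, then a variable number of optional fields, then "-".
        if "-" not in fields or fields.index("-") < 6:
            continue  # skip malformed lines
        options = set(fields[5].split(","))
        if "nosuid" not in options:
            missing.append(_unescape(fields[4]))
    return missing


if __name__ == "__main__":
    import sys
    # Pass a mountinfo path (e.g. /proc/<container pid>/mountinfo) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mount_point in mounts_missing_nosuid(text):
        print("nosuid not set:", mount_point)
```

In the sample, the container root `/` and the volume at `/mnt/my data` are reported, which are the two kinds of mount the description wants operators to be able to cover.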