Posted to issues@mesos.apache.org by "Stephan Erb (JIRA)" <ji...@apache.org> on 2015/08/17 09:09:46 UTC

[jira] [Created] (MESOS-3277) Implement basic security isolators such as linux/apparmor or linux/seccomp

Stephan Erb created MESOS-3277:
----------------------------------

             Summary: Implement basic security isolators such as linux/apparmor or linux/seccomp
                 Key: MESOS-3277
                 URL: https://issues.apache.org/jira/browse/MESOS-3277
             Project: Mesos
          Issue Type: Story
          Components: containerization, isolation
            Reporter: Stephan Erb


As an operator of a Mesos cluster, I would like to gain some control over what is happening inside launched containers. Specifically, I want to make it a little bit more difficult for untrusted code to escape its container confinement (e.g., prevent access to certain kernel features, raw devices, ...).

Inspired by [LXC | https://github.com/lxc/lxc], Mesos could offer two new isolators:

* *linux/apparmor*: Isolator which applies an AppArmor security profile to containers. A cluster-wide default profile could be similar to the [default shipped by LXC|https://github.com/lxc/lxc/blob/master/config/apparmor/abstractions/container-base].

* *linux/seccomp*: Isolator based on the [seccomp syscall filter|https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt]. Seccomp is a mechanism for minimizing the exposed kernel surface by reducing the set of allowed syscalls.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)