Posted to issues@mesos.apache.org by "Stephan Erb (JIRA)" <ji...@apache.org> on 2015/08/17 09:09:46 UTC
[jira] [Created] (MESOS-3277) Implement basic security isolators such as linux/apparmor or linux/seccomp
Stephan Erb created MESOS-3277:
----------------------------------
Summary: Implement basic security isolators such as linux/apparmor or linux/seccomp
Key: MESOS-3277
URL: https://issues.apache.org/jira/browse/MESOS-3277
Project: Mesos
Issue Type: Story
Components: containerization, isolation
Reporter: Stephan Erb
As an operator of a Mesos cluster, I would like to gain some control over what is happening inside launched containers. Specifically, I want to make it a little bit more difficult for untrusted code to escape its container confinement (e.g., prevent access to certain kernel features, raw devices, ...).
Inspired by [LXC | https://github.com/lxc/lxc], Mesos could offer two new isolators:
* *linux/apparmor*: Isolator which applies an AppArmor security profile to containers. A cluster-wide default profile could be similar to the [default shipped by LXC|https://github.com/lxc/lxc/blob/master/config/apparmor/abstractions/container-base].
* *linux/seccomp*: Isolator based on the [seccomp syscall filter|https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt]. Seccomp is a mechanism for minimizing the exposed kernel surface by reducing the set of allowed syscalls.