Design doc: Securing Mesos Containers Using Capabilities

[Jojy Varghese <jo...@mesosphere.io>]

Hi all,
 	As Mesos is adding more features to its Unified Containerizer[1], ability to run Mesos containers in a secure environment has been one of the top priorities. As an initial step, we could use Posix capabilities[2] to create a secure sandbox to run the Mesos containers.
	Please review the design doc that proposes how we can secure Mesos containers using capabilities:

https://docs.google.com/document/d/1YiTift8TQla2vq3upQr7K-riQ_pQ-FKOCOsysQJROGc/edit?usp=sharing <https://docs.google.com/document/d/1YiTift8TQla2vq3upQr7K-riQ_pQ-FKOCOsysQJROGc/edit?usp=sharing>


Thanks,
Jojy


[1] http://mesos.apache.org/documentation/latest/mesos-containerizer/ <http://mesos.apache.org/documentation/latest/mesos-containerizer/>
[2] https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt <https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt>