You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Jie Yu (JIRA)" <ji...@apache.org> on 2017/06/17 04:19:00 UTC
[jira] [Comment Edited] (MESOS-7477) Support ambient capabilities.
[ https://issues.apache.org/jira/browse/MESOS-7477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052676#comment-16052676 ]
Jie Yu edited comment on MESOS-7477 at 6/17/17 4:18 AM:
--------------------------------------------------------
commit 519a3f8b7707663e6000f3593b8cae912cdd559c
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:45:09 2017 -0700
Additional linux/capabilities isolator documentation.
Linux capabilities are somewhat involved, so add some additional
exposition of how the linux/capabilites isolator handles them.
Review: https://reviews.apache.org/r/59186/
commit 7492bdac326e106a79dabd40c59c5b322fee0e73
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:45:05 2017 -0700
Synchronize capabilities flags documentation.
Review: https://reviews.apache.org/r/59806/
commit 1496243d46ec47b9885a267f0291cbd11e25bf8c
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:45:03 2017 -0700
Rename the `--allowed_capabilities` flag to `--effective_capabilities`.
Since the `--allowed_capabilities` flag was being used to actually
grant capabilities, rename it to `--effective_capabilities` which better
conveys the intention and semantics of this flag.
Review: https://reviews.apache.org/r/59554/
commit 32e605ed8fb3669edf34caba3cf711d57d3e4f9e
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:45:01 2017 -0700
Add ambient capabilities to launched tasks.
In the absence of ambient capabilities, capabilities in the
effective set do not survive across execve(2). This means
that tasks attempting to make use of the LinuxInfo capability
support also need to ensure that file capabilities are set on
the file that is ultimately executed. Supporting ambient
capabilities allows the effective capabilities to survive
execve(2), so it is now possible to launch a task with limited
privilege elevations.
Review: https://reviews.apache.org/r/59553/
commit 4ee86647a45d09528124e9ab0fa732758ac4d7ec
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:44:59 2017 -0700
Add ambient capability support.
Add support for the ambient capability so that we can make
effective capabilities survive across execve(2).
Review: https://reviews.apache.org/r/59185/
was (Author: jieyu):
commit 32e605ed8fb3669edf34caba3cf711d57d3e4f9e
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:45:01 2017 -0700
Add ambient capabilities to launched tasks.
In the absence of ambient capabilities, capabilities in the
effective set do not survive across execve(2). This means
that tasks attempting to make use of the LinuxInfo capability
support also need to ensure that file capabilities are set on
the file that is ultimately executed. Supporting ambient
capabilities allows the effective capabilities to survive
execve(2), so it is now possible to launch a task with limited
privilege elevations.
Review: https://reviews.apache.org/r/59553/
commit 4ee86647a45d09528124e9ab0fa732758ac4d7ec
Author: James Peach <jp...@apache.org>
Date: Fri Jun 16 20:44:59 2017 -0700
Add ambient capability support.
Add support for the ambient capability so that we can make
effective capabilities survive across execve(2).
Review: https://reviews.apache.org/r/59185/
> Support ambient capabilities.
> -----------------------------
>
> Key: MESOS-7477
> URL: https://issues.apache.org/jira/browse/MESOS-7477
> Project: Mesos
> Issue Type: Improvement
> Reporter: James Peach
> Assignee: James Peach
> Fix For: 1.4.0
>
>
> Add support for ambient capabilities so that capabilities granted in the {{LaunchTask}} message can be made active in the task without the requirement for matching file-based capabilities.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)