Posted to commits@mesos.apache.org by jp...@apache.org on 2019/07/21 08:06:48 UTC
[mesos] 03/03: Added documentation for the `linux/nnp` isolator.
This is an automated email from the ASF dual-hosted git repository.
jpeach pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit d304acbf456577446430a2a2f262c01bd26a0630
Author: Jacob Janco <jj...@gmail.com>
AuthorDate: Sat Jul 20 23:35:31 2019 -0700
Added documentation for the `linux/nnp` isolator.
Review: https://reviews.apache.org/r/71107/
---
CHANGELOG | 4 ++++
docs/isolators/linux-nnp.md | 15 +++++++++++++++
docs/mesos-containerizer.md | 1 +
docs/upgrades.md | 4 ++++
4 files changed, 24 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 3c53089..8fbf927 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,10 @@ This release contains the following highlights:
added. This causes the agent to ignore any runtime configuration
present in Docker images.
+ * [MESOS-9770] - Add no-new-privileges isolator. An additional
+ Linux isolator has been added to support enabling the no_new_privs
+ process control flag.
+
* [MESOS-9771] - The Mesos containerizer now masks sensitive paths
in `/proc` for containers that do not share the host's PID namespace.
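Review bot: the new CHANGELOG entry (the three `+` lines) never names the isolator as `linux/nnp`, which is the string operators must put in `--isolation` and the name used by the new doc file in this same commit; the neighbouring entries also use the past tense ("has been added") rather than the imperative "Add". Suggest rewording the first line to `* [MESOS-9770] - Added the linux/nnp isolator, which sets the no_new_privs` so the entry is searchable by the isolator name and reads consistently with the entries around it.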
diff --git a/docs/isolators/linux-nnp.md b/docs/isolators/linux-nnp.md
new file mode 100644
index 0000000..1b5806c
--- /dev/null
+++ b/docs/isolators/linux-nnp.md
@@ -0,0 +1,15 @@
+---
+title: Apache Mesos - Linux NNP (no\_new\_privs) Isolator in Mesos Containerizer
+layout: documentation
+---
+
+# Linux NNP Support in Mesos Containerizer
+
+This document describes the `linux/nnp` isolator. This isolator sets the
+[no\_new\_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
+flag for all containers launched using the [MesosContainerizer](../mesos-containerizer.md).
+
+The `no_new_privs` flag disables the ability of container tasks to acquire any additional
+privileges by means of executing a child process e.g. through invocation of `setuid` or
+`setgid` programs. To enable the `linux/nnp` isolator, append `linux/nnp` to the
+[`--isolation`](../configuration/agent.md#isolation) flag when starting the Mesos agent.
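Review bot: the second paragraph of the new doc under-documents the effect of `no_new_privs`, which matters because the isolator applies it to every container the agent launches with no per-task opt-out: the flag is inherited by all descendant processes and cannot be cleared once set, and on `execve` it suppresses not only setuid/setgid bits but also file capabilities, so any task that relies on a setuid helper will fail under this isolator. A sentence stating that, plus a note that the isolator is enabled per agent via `--isolation` and therefore affects all frameworks scheduled on that agent, would save operators a surprise. Minor: `child process e.g. through` needs a comma before `e.g.`, and the backslash escapes in the YAML `title:` line (`no\_new\_privs`) are literal characters in an unquoted YAML scalar, so check how the page title actually renders.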
diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md
index e799761..3231cb9 100644
--- a/docs/mesos-containerizer.md
+++ b/docs/mesos-containerizer.md
@@ -49,6 +49,7 @@ Mesos supports the following built-in isolators.
- [gpu/nvidia](gpu-support.md)
- [linux/capabilities](isolators/linux-capabilities.md)
- [linux/devices](isolators/linux-devices.md)
+- [linux/nnp](isolators/linux-nnp.md)
- [linux/seccomp](isolators/linux-seccomp.md)
- [namespaces/ipc](isolators/namespaces-ipc.md)
- [namespaces/pid](isolators/namespaces-pid.md)
diff --git a/docs/upgrades.md b/docs/upgrades.md
index 0493e18..2be13fb 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -48,6 +48,7 @@ We categorize the changes as follows:
<td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Mesos Core-->
<ul style="padding-left:10px;">
+ <li>A <a href="#1-9-x-linux-nnp-isolator">Linux NNP isolator</a></li>
<li>A <a href="#1-9-x-hostname-validation-scheme">hostname_validation_scheme</a></li>
<li>C <a href="#1-9-x-client-certificate-verification">TLS certificate verification behaviour</a></li>
</ul>
@@ -508,6 +509,9 @@ We categorize the changes as follows:
## Upgrading from 1.8.x to 1.9.x ##
+<a name="1-9-x-linux-nnp-isolator"></a>
+ * A new [`linux/nnp`](isolators/linux-nnp.md) isolator has been added. The isolator supports setting of the `no_new_privs` bit in the container, preventing tasks from acquiring additional privileges.
+
<a name="1-9-x-docker-ignore-runtime"></a>
* A new [`--docker_ignore_runtime`](configuration/agent.md#docker_ignore_runtime) flag has been added. This causes the agent to ignore any runtime configuration present in Docker images.
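Review bot: the upgrade note `+ * A new [`linux/nnp`](isolators/linux-nnp.md) isolator has been added.` should say that the isolator is opt-in, i.e. it only takes effect when `linux/nnp` is appended to the agent's `--isolation` flag (as the new docs/isolators/linux-nnp.md in this commit states), so that operators reading the upgrade guide know the 1.9.x upgrade changes no container behaviour by itself. It would also help to qualify "preventing tasks from acquiring additional privileges" as privileges gained by executing setuid/setgid or file-capability programs; the flag does not drop privileges a task already holds.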