Posted to user@mesos.apache.org by Marc Roos <M....@f1-outsourcing.eu> on 2019/10/14 11:32:28 UTC

Don't understand how to use mesos capabilities



I don't understand how to use Mesos capabilities as described here [0].


1. removed caps from ping with
   setcap 'cap_net_raw=-p' /usr/bin/ping
2. linux/capabilities in the isolators
3. mesos-slave running as root
4. did not set effective_capabilities nor bounding_capabilities
5. Running kernel 3.10.0-957.27.2.el7.x86_64
6. Looks like the task JSON is correctly configured (output from tasks endpoint)
      },
      "container": {
        "type": "MESOS",
        "linux_info": {
          "effective_capabilities": {
            "capabilities": [
              "NET_RAW"
            ]
          }
        }

Yet when I run the task with the command "capsh --print ; ping -c 2 localhost ; sleep 120", I get the capsh output shown in [1], yet ping refuses with "ping: socket: Operation not permitted".


[1]  
Current: = cap_net_raw+eip cap_net_admin,cap_syslog+i
Bounding set =cap_net_admin,cap_net_raw,cap_syslog
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=99(nobody)
gid=99(nobody)
groups=99(nobody)

Current: = cap_net_raw+eip
Bounding set =cap_net_raw
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=99(nobody)
gid=99(nobody)
groups=99(nobody)



[0]
http://mesos.apache.org/documentation/latest/isolators/linux-capabilities/
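
Added example, not part of the original post or of Mesos: a small Python model of the execve() capability rules from capabilities(7), applied to the second capsh block quoted above, to show which inputs decide whether a non-root task's exec'd ping starts with cap_net_raw. The ambient set and the state of ping's file capabilities after step 1 are not shown in the post, so they are assumptions passed in as arguments; the function and scenario names are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Caps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: frozenset = frozenset()
    ambient: frozenset = frozenset()
    bounding: frozenset = frozenset()

def parse_capsh(current, bounding, ambient=()):
    """Build Caps from capsh's 'Current:' and 'Bounding set' values.
    The capsh output in the post prints no ambient set, so it is an argument."""
    sets = {"e": set(), "i": set(), "p": set()}
    for names, flags in re.findall(r"([a-z_,]+)\+([eip]+)", current):
        for flag in flags:
            sets[flag].update(names.split(","))
    return Caps(frozenset(sets["p"]), frozenset(sets["i"]), frozenset(sets["e"]),
                frozenset(ambient), frozenset(bounding.split(",")))

def execve(proc, f_permitted=(), f_inheritable=(), f_effective=False, privileged=None):
    """capabilities(7) execve() rules for a non-root user and a non-setuid file."""
    fp, fi = frozenset(f_permitted), frozenset(f_inheritable)
    if privileged is None:                  # a file that has capabilities is "privileged"
        privileged = bool(fp or fi)
    ambient = frozenset() if privileged else proc.ambient
    permitted = (proc.inheritable & fi) | (fp & proc.bounding) | ambient
    effective = permitted if f_effective else ambient
    return Caps(permitted, proc.inheritable, effective, ambient, proc.bounding)

def ping_scenarios():
    """Permitted set ping would start with, under assumed (not reported) setups."""
    raw = frozenset({"cap_net_raw"})
    current, bounding = "= cap_net_raw+eip", "cap_net_raw"   # second capsh block in the post
    plain = parse_capsh(current, bounding)                   # assumption: ambient empty
    amb = parse_capsh(current, bounding, ambient=raw)        # assumption: ambient set
    return {
        "no ambient, file without caps": execve(plain).permitted,
        "no ambient, file cap_net_raw+p": execve(plain, f_permitted=raw).permitted,
        "ambient, file without caps": execve(amb).permitted,
        # assumption: the file is still treated as having capabilities, with empty sets
        "ambient, privileged file with empty sets": execve(amb, privileged=True).permitted,
    }

if __name__ == "__main__":
    for name, permitted in ping_scenarios().items():
        print(f"{name}: {sorted(permitted) or 'none'}")
```

In this model a non-root process keeps cap_net_raw across exec only through the file's permitted set or through ambient capabilities, and a file that counts as privileged clears the ambient set.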