Posted to user@mesos.apache.org by Marc Roos <M....@f1-outsourcing.eu> on 2019/10/14 11:32:28 UTC
Don't understand how to use mesos capabilities
Don't understand how to use Mesos capabilities as described here [0].
1. removed caps from ping with
   setcap 'cap_net_raw=-p' /usr/bin/ping
2. linux/capabilities in the isolators,
3. mesos-slave running as root,
4. did not set effective_capabilities nor bounding_capabilities
5. Running kernel 3.10.0-957.27.2.el7.x86_64
6. Looks like the task json is correctly configured (output from tasks endpoint)
   },
   "container": {
     "type": "MESOS",
     "linux_info": {
       "effective_capabilities": {
         "capabilities": [
           "NET_RAW"
         ]
       }
     }
Yet when I run the task with the command "capsh --print ; ping -c 2 localhost ; sleep 120", I am getting the capsh outputs shown in [1], yet the ping refuses with "ping: socket: Operation not permitted".
[1]
Current: = cap_net_raw+eip cap_net_admin,cap_syslog+i
Bounding set =cap_net_admin,cap_net_raw,cap_syslog
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=99(nobody)
gid=99(nobody)
groups=99(nobody)
Current: = cap_net_raw+eip
Bounding set =cap_net_raw
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=99(nobody)
gid=99(nobody)
groups=99(nobody)
[0] http://mesos.apache.org/documentation/latest/isolators/linux-capabilities/
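
Added example (not part of the original post, and not Mesos code): a Python model of the execve() capability rules from capabilities(7) for a non-root process, applied to the second capsh output above. It shows that cap_net_raw+eip in the process that calls exec() does not by itself reach the exec'd ping. Assumptions: the sets capsh printed are taken as those of the process that exec()s ping, the ambient set and ping's file capabilities are parameters because the output in the post does not show them, and all function names are made up for this example.

```python
import re

def parse_current(text):
    """Parse the cap_to_text(3) string that capsh prints after 'Current:'.
    Only the clause forms seen in the post are modelled; '=ep'-style
    clauses that name no capability are rejected."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = re.fullmatch(r"([a-z0-9_,]*)((?:[=+-][eip]*)+)", clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        names = {n for n in m.group(1).split(",") if n}
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            if flags and not names:
                raise ValueError(f"'all capabilities' form not modelled: {clause!r}")
            if op == "=":  # '=' first drops the named caps (or all) from every set
                for s in sets.values():
                    s -= names if names else set(s)
            for flag in flags:
                sets[flag] = sets[flag] - names if op == "-" else sets[flag] | names
    return {k: frozenset(v) for k, v in sets.items()}


def execve_caps(proc, bounding, ambient, f_permitted=frozenset(),
                f_inheritable=frozenset(), f_effective=False, f_privileged=False):
    """capabilities(7) execve() rules for a non-root process (uid 99 in the post).
    f_privileged: the file has file capabilities or a set-user/group-ID bit."""
    new_amb = frozenset() if f_privileged else frozenset(ambient)
    new_p = (proc["i"] & f_inheritable) | (f_permitted & bounding) | new_amb
    new_e = new_p if f_effective else new_amb
    return {"e": new_e, "i": proc["i"], "p": new_p, "ambient": new_amb}


# Second "Current:" / "Bounding set" pair from the capsh output in the post.
SHELL = parse_current("= cap_net_raw+eip")
RAW = frozenset({"cap_net_raw"})
BOUNDING = RAW

def ping_has_net_raw(ambient=frozenset(), **file_caps):
    """True if CAP_NET_RAW is effective after the task's process exec()s ping."""
    return "cap_net_raw" in execve_caps(SHELL, BOUNDING, ambient, **file_caps)["e"]

if __name__ == "__main__":
    print("no file caps, no ambient:", ping_has_net_raw())
    print("no file caps, ambient   :", ping_has_net_raw(RAW))
    print("file cap_net_raw+ep     :", ping_has_net_raw(
        f_permitted=RAW, f_effective=True, f_privileged=True))
```

On a live host, `getcap /usr/bin/ping` and the `CapAmb` line of `/proc/<pid>/status` (present only on kernels with ambient capability support) supply the two inputs the model takes as parameters.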