You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2019/05/07 04:08:00 UTC

[jira] [Created] (MESOS-9769) Add direct containerized support for filesystem operations

James Peach created MESOS-9769:
----------------------------------

             Summary: Add direct containerized support for filesystem operations
                 Key: MESOS-9769
                 URL: https://issues.apache.org/jira/browse/MESOS-9769
             Project: Mesos
          Issue Type: Improvement
          Components: containerization
            Reporter: James Peach


When setting up the container filesystems, we use `pre_exec_commands` to make ABI symlinks and other things. The problem with this is that, depending of the order of operations, we may not have the full security policy in place yet, but since we are running in the context of the container's mount namespaces, the programs we execute are under the control of whoever built the container image.

[~jieyu] and I previously discussed adding filesystem operations to the `ContainerLaunchInfo`. Just `ln` would be sufficient for the `cgroups` and `linux/filesystem` isolators. Secrets and port mapping isolators need more, so we should discuss and file new tickets if necessary.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)