Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2019/05/07 04:08:00 UTC
[jira] [Created] (MESOS-9769) Add direct containerized support for filesystem operations
James Peach created MESOS-9769:
----------------------------------
Summary: Add direct containerized support for filesystem operations
Key: MESOS-9769
URL: https://issues.apache.org/jira/browse/MESOS-9769
Project: Mesos
Issue Type: Improvement
Components: containerization
Reporter: James Peach
When setting up the container filesystems, we use `pre_exec_commands` to make ABI symlinks and other things. The problem with this is that, depending on the order of operations, we may not have the full security policy in place yet, but since we are running in the context of the container's mount namespaces, the programs we execute are under the control of whoever built the container image.
[~jieyu] and I previously discussed adding filesystem operations to the `ContainerLaunchInfo`. Just `ln` would be sufficient for the `cgroups` and `linux/filesystem` isolators. Secrets and port mapping isolators need more, so we should discuss and file new tickets if necessary.
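A sketch of the direct approach the ticket asks for, added here as an illustration and not Mesos code: the launcher applies declarative symlink operations itself with symlinkat(2), so no `ln` binary from the container image is ever executed. `SymlinkOp`, `isSafeRelative` and `applySymlinks` are hypothetical names, not part of `ContainerLaunchInfo`.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical declarative operation, equivalent to "ln -s target linkpath".
struct SymlinkOp {
  std::string target;    // Link contents, stored verbatim and never resolved here.
  std::string linkpath;  // Where to create the link, relative to the rootfs.
};

// Accept only relative paths without ".." components, so an operation cannot
// name a location outside the directory it is applied to.
static bool isSafeRelative(const std::string& path) {
  if (path.empty() || path[0] == '/') return false;
  size_t start = 0;
  while (start <= path.size()) {
    size_t end = path.find('/', start);
    if (end == std::string::npos) end = path.size();
    if (path.compare(start, end - start, "..") == 0) return false;
    start = end + 1;
  }
  return true;
}

// Creates every link with a system call made by the launcher process itself.
// Returns 0 on success, or the errno of the first failure (EINVAL for a
// rejected path). Note: parent directories of linkpath that are themselves
// symlinks in the image are still followed by the kernel; this sketch does
// not guard against that.
int applySymlinks(const std::string& rootfs, const std::vector<SymlinkOp>& ops) {
  int rootfd = open(rootfs.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (rootfd < 0) return errno;
  int result = 0;
  for (const SymlinkOp& op : ops) {
    if (!isSafeRelative(op.linkpath)) { result = EINVAL; break; }
    if (symlinkat(op.target.c_str(), rootfd, op.linkpath.c_str()) != 0) {
      result = errno;
      break;
    }
  }
  close(rootfd);
  return result;
}
```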