You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/11/13 16:30:00 UTC

[jira] [Assigned] (MESOS-8213) Private user namespaces for tasks

     [ https://issues.apache.org/jira/browse/MESOS-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach reassigned MESOS-8213:
----------------------------------

    Assignee: James Peach

> Private user namespaces for tasks
> ---------------------------------
>
>                 Key: MESOS-8213
>                 URL: https://issues.apache.org/jira/browse/MESOS-8213
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization, security
>            Reporter: James Peach
>            Assignee: James Peach
>
> Once MESOS-8142 implements generic user namespace support, we can improve security by adding another layer of user namespace that encapsulates just the final user task. This protects the kernel objects that are providing the containerization from the user task (since the private task namespace would no longer own the other namespaces).
> This still would not alter the ID mapping of the user namespace.
> This is a little tricky since we need to make the new namespace in the mess containerizer, so we need to take care of:
> * when to chroot
> * when to drop capabilities after entering the new namespace
> * supporting command, default and custom executors (does the latter make sense?)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)