Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/06/10 15:38:18 UTC

[jira] [Commented] (MESOS-7653) Support launching slave using unprivileged user.

    [ https://issues.apache.org/jira/browse/MESOS-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16045582#comment-16045582 ] 

James Peach commented on MESOS-7653:
------------------------------------

Some other related approaches:

- use user namespaces to start an unprivileged agent that can create new containers within that
- privilege-separate the agent from a long-running containerizer process so only the containerizer runs with privilege

> Support launching slave using unprivileged user.
> ------------------------------------------------
>
>                 Key: MESOS-7653
>                 URL: https://issues.apache.org/jira/browse/MESOS-7653
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Jie Yu
>            Priority: Minor
>
> This ticket captures the work needed to support launching the agent using an unprivileged user.
> 1) The agent binary needs to have file capabilities set. Given the agent needs to manipulate cgroups (if using the linux launcher or cgroups isolator) and clone namespaces (if using the linux launcher), the CAP_SYS_ADMIN capability must be in the agent process's effective set. Either the "Effective" bit should be set on the agent binary so that the permitted capabilities gained on exec'ing the binary will be put into the effective set of the agent process automatically, or the agent will raise the capability itself as long as the capabilities are in the permitted set.
> 2) Since the launch of the user task will be done by the `mesos-containerizer` binary, either the agent will raise ambient capabilities (using prctl PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer` binary has file capabilities set so that it is able to do things like `setuid` after the agent exec'ed the helper. That means the agent process should have those required capabilities in its inheritable set (at least) and permitted set if the ambient capabilities route is chosen.
> 3) If the linux capabilities isolator is enabled, in order for the framework to gain any capabilities they like, the process launching the agent process should have all capabilities in its inheritable set and its bounding set so that those capabilities can be regained later.
> http://man7.org/linux/man-pages/man7/capabilities.7.html



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
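As an added illustration of steps 2 and 3 of the ticket above (example code, not part of the ticket or of Mesos): this C program reads its own capability sets with the raw capget(2) syscall, checks the kernel's rule that a capability can only be made ambient when it is in both the permitted and inheritable sets, attempts the PR_CAP_AMBIENT_RAISE route for CAP_SYS_ADMIN, and reads the bounding set with PR_CAPBSET_READ. It assumes Linux 4.3 or later (ambient capabilities) and does not need libcap; the `capsets` struct and function names are my own.

```c
/* Added example, not Mesos code: preconditions for the "ambient capabilities" route. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#ifndef PR_CAP_AMBIENT /* fallback for kernel headers older than Linux 4.3 */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

struct capsets { uint64_t permitted, inheritable, effective; };

/* Read the calling thread's capability sets via capget(2); 64-bit masks, no libcap. */
int read_capsets(struct capsets *out) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    out->permitted   = ((uint64_t)data[1].permitted   << 32) | data[0].permitted;
    out->inheritable = ((uint64_t)data[1].inheritable << 32) | data[0].inheritable;
    out->effective   = ((uint64_t)data[1].effective   << 32) | data[0].effective;
    return 0;
}
int cap_in(uint64_t set, int cap) { return (int)((set >> cap) & 1); }

/* Kernel rule: a cap may enter the ambient set only if it is in both P and I (step 2). */
int ambient_raise_allowed(const struct capsets *c, int cap) {
    return cap_in(c->permitted, cap) && cap_in(c->inheritable, cap);
}
/* Raise `cap` into the ambient set so a helper exec'ed without file caps keeps it.
   Returns 0 on success, -1 with errno set otherwise. */
int raise_ambient(int cap) {
    struct capsets c;
    if (read_capsets(&c) != 0) return -1;
    if (!ambient_raise_allowed(&c, cap)) { errno = EPERM; return -1; }
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : -1;
}
/* Step 3: a cap dropped from the bounding set can never be regained by a child. */
int cap_in_bounding_set(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

int main(void) {
    struct capsets c;
    if (read_capsets(&c) != 0) { perror("capget"); return 1; }
    printf("CAP_SYS_ADMIN: P=%d I=%d E=%d bounding=%d\n", cap_in(c.permitted, CAP_SYS_ADMIN),
           cap_in(c.inheritable, CAP_SYS_ADMIN), cap_in(c.effective, CAP_SYS_ADMIN),
           cap_in_bounding_set(CAP_SYS_ADMIN));
    if (raise_ambient(CAP_SYS_ADMIN) != 0) perror("ambient raise refused (cap must be in P and I)");
    else puts("CAP_SYS_ADMIN is ambient: a helper exec'ed now keeps it without file caps");
    return 0;
}
```

Run as an unprivileged user the raise is refused with EPERM, which is exactly the condition the ticket's step 2 describes; it succeeds only once the agent binary's file capabilities (or a capability-aware launcher) have put CAP_SYS_ADMIN into both the permitted and inheritable sets.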