Posted to issues@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2019/04/05 15:50:00 UTC

[jira] [Commented] (MESOS-9693) Add master validation for SeccompInfo.

    [ https://issues.apache.org/jira/browse/MESOS-9693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16810961#comment-16810961 ] 

Vinod Kone commented on MESOS-9693:
-----------------------------------

In addition to the points raised above, there is also an upgrade compatibility issue with implementing this.

If a framework's task doesn't work when seccomp is enabled (e.g., a kubelet task that needs to run as unconfined so that it can launch k8s pods that are seccomp confined by the docker seccomp profile), then the framework needs to be first upgraded to use the seccomp unconfined option. Now if this framework was already running on a non-seccomp-enabled cluster, the upgraded framework still needs to keep running even with seccomp disabled. After the framework upgrade, the Mesos agent can be upgraded to enable seccomp and this won't affect the framework. So Mesos cannot reject such a task but just ignore it.

[~gilbert] [~abudnik] Should we close this as "Won't do"?

> Add master validation for SeccompInfo.
> --------------------------------------
>
>                 Key: MESOS-9693
>                 URL: https://issues.apache.org/jira/browse/MESOS-9693
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Gilbert Song
>            Assignee: Andrei Budnik
>            Priority: Major
>
> 1. If seccomp is not enabled, we should return failure if any fw specifies seccompInfo and return an appropriate status update.
> 2. At most one field of profile_name and unconfined should be set. Better to validate in master.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
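
The upgrade-ordering argument in the comment above, modelled as an added example (not Mesos code and not part of the original message). `SeccompInfo` is a simplified stand-in carrying only the `profile_name` and `unconfined` fields named in the ticket; `Outcome`, `wellFormed`, `strictPolicy`, `lenientPolicy` and `upgradeSurvives` are hypothetical names.

```cpp
#include <cstdio>
#include <string>

// Simplified stand-in for the SeccompInfo message (assumption: only the two
// fields named in the ticket are modelled, with protobuf-style presence flags).
struct SeccompInfo {
  bool has_profile_name = false;
  std::string profile_name;
  bool has_unconfined = false;
  bool unconfined = false;
};

enum class Outcome { Launch, LaunchIgnoringSeccomp, Reject };

// Point 2 of the ticket: at most one of profile_name and unconfined is set.
bool wellFormed(const SeccompInfo& info) {
  return !(info.has_profile_name && info.has_unconfined);
}

// Point 1 of the ticket: fail a task that carries SeccompInfo when seccomp
// is not enabled. A null pointer means the task set no SeccompInfo.
Outcome strictPolicy(bool seccompEnabled, const SeccompInfo* info) {
  if (info == nullptr || seccompEnabled) return Outcome::Launch;
  return Outcome::Reject;
}

// Behaviour argued for in the comment: never reject, ignore the field instead.
Outcome lenientPolicy(bool seccompEnabled, const SeccompInfo* info) {
  if (info == nullptr || seccompEnabled) return Outcome::Launch;
  return Outcome::LaunchIgnoringSeccomp;
}

typedef Outcome (*Policy)(bool, const SeccompInfo*);
// Rollout order from the comment: the framework is upgraded first and sends
// unconfined while seccomp is still disabled, then seccomp is enabled.
bool upgradeSurvives(Policy policy) {
  SeccompInfo info;
  info.has_unconfined = true;
  info.unconfined = true;
  const bool seccompEnabledAtStep[] = {false, true};
  for (bool enabled : seccompEnabledAtStep) {
    if (policy(enabled, &info) == Outcome::Reject) return false;
  }
  return true;
}

int main() {
  std::printf("strict=%d lenient=%d\n", upgradeSurvives(strictPolicy), upgradeSurvives(lenientPolicy));
}
```

The strict policy fails at the first rollout step, which is the window the comment describes: the framework already sends `unconfined` while the cluster still runs with seccomp disabled.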