[ https://issues.apache.org/jira/browse/MESOS-1593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062918#comment-14062918 ]
Benjamin Hindman edited comment on MESOS-1593 at 7/16/14 12:15 AM:
-------------------------------------------------------------------

IIUC, Docker forces us to launch containers as root (I'd be pleasantly surprised if there was another way). The Docker daemon runs as root (which it must, because it's doing things like manipulating cgroups) and I believe the process that it forks within the container is thus root by default.

Assuming the above, the best we can do is use --user=foo, but an image must be set up to actually have that user! We can definitely do authz on that user, although it's a little different than a user running on the host and I'm not sure exactly what doing authz buys us?

(Eventually I believe the hope is that containers will be safe enough that giving them root from within their container will be safe, even if it's not today.)

was (Author: benjaminhindman):
IIUC, Docker forces us to launch containers as root (I'd be pleasantly surprised if there was another way). The Docker daemon runs as root (which it must, because it's doing things like manipulating cgroups) and I believe the process that it forks within the container is thus root by default.

So, the best we can do is use --user=foo, but an image must be set up to actually have that user! We can definitely do authz on that user, although it's a little different than a user running on the host and I'm not sure exactly what doing authz buys us.

(Eventually I believe the hope is that containers will be safe enough that giving them root from within their container will be safe, even if it's not today.)

> Add DockerInfo Configuration
> ----------------------------
>
>                 Key: MESOS-1593
>                 URL: https://issues.apache.org/jira/browse/MESOS-1593
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Timothy Chen
>            Assignee: Timothy Chen
>
> We want to add a new proto message to encapsulate all Docker related
> configurations into DockerInfo.
> Here is the document that describes the design for DockerInfo:
> https://github.com/tnachen/mesos/wiki/DockerInfo-design

--
This message was sent by Atlassian JIRA
(v6.2#6252)
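Added example, not part of the JIRA comment and not Mesos or Docker code: a pre-launch check that resolves a --user value against the passwd file of an image and reports the uid the container process would get. The function names, the sample passwd content and the simplified lookup order are assumptions made for illustration, as is treating a missing --user as root (an image with no USER directive).

```python
# Constructed sample: /etc/passwd as it might be extracted from an image.
# "toor" is a second name for uid 0, so a check on the name alone is not enough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
foo:x:1000:1000::/home/foo:/bin/sh
"""


def parse_passwd(text):
    """Map user name -> uid from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3:
            continue
        if fields[0] and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def resolve_user(spec, passwd_text):
    """Return (uid, note) for a --user value, or raise LookupError.

    Simplified model (assumption): only the part before ':' is resolved,
    names are looked up in the image's passwd, and a bare number is taken
    as a uid even when no passwd entry exists for it.
    """
    users = parse_passwd(passwd_text)
    user = (spec or "").split(":", 1)[0]
    if not user:
        return 0, "no user given: runs as root"
    if user in users:
        uid = users[user]
    elif user.isdigit():
        uid = int(user)
    else:
        raise LookupError(f"user {user!r} not found in image passwd")
    return uid, "runs as root" if uid == 0 else "runs unprivileged"


if __name__ == "__main__":
    for spec in ("", "foo", "toor", "4242:4242"):
        print(repr(spec), resolve_user(spec, SAMPLE_PASSWD))
```
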