Stephan Erb created MESOS-2999:
----------------------------------

             Summary: Implement a linux/iptables isolator 
                 Key: MESOS-2999
                 URL: https://issues.apache.org/jira/browse/MESOS-2999
             Project: Mesos
          Issue Type: Story
          Components: containerization, isolation
            Reporter: Stephan Erb


As a user of Mesos, I would like to have control over inbound and outbound 
network communication of a launched Mesos container. The intention is to gain 
improved security and isolation of user processes on the network level.

*Example Use Cases*:

* Preventing outgoing connections to external endpoints which have not been 
whitelisted (e.g., deny internet connections, only allow connections to this 
one production database but not the others, ...)
* Prevent incoming connections from external systems or containers which have 
not been whitelisted (e.g., don't allow rogue or even hijacked services to 
interfere with another service)

The last use case is somewhat tricky due to the dynamic nature of a Mesos 
cluster but might be achieved using the available 
[DiscoveryInfo|https://github.com/apache/mesos/blob/master/docs/app-framework-development-guide.md#service-discovery]
 (e.g., block all connections from foreign environments).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

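As an added illustration of the egress/ingress whitelisting requested in this ticket (example code written for this page, not part of the ticket or of Mesos), the following POSIX shell function emits the iptables commands such an isolator could run for one container. It assumes the container has its own network namespace (a hypothetical name passed as the first argument) and that rules are applied inside it with `ip netns exec`; the function and variable names, and the sample addresses used in the comments, are constructed for the example.

```shell
#!/bin/sh
# Added example, not Mesos code. Generates a default-deny iptables rule set
# for one container's network namespace:
#   $1  network namespace of the container (assumption: one per container)
#   $2  space-separated "host:port" list of allowed outbound TCP endpoints
#   $3  space-separated list of CIDRs allowed to open inbound connections
# The commands are printed rather than executed so that they can be reviewed
# (pipe the output through `sh` to apply them).
set -eu

# Validate a single "host:port" entry; rejects empty, non-numeric or
# out-of-range ports so a typo cannot silently widen the whitelist.
valid_endpoint() {
  case $1 in
    *:*) ;;
    *) echo "endpoint without port: $1" >&2; return 1 ;;
  esac
  port=${1##*:}
  case $port in
    ''|*[!0-9]*) echo "invalid port in: $1" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $1" >&2; return 1; }
}

gen_whitelist_rules() {
  ns=$1; egress=$2; ingress=$3
  ipt="ip netns exec $ns iptables"

  # Start from a clean table with deny-by-default policies on every chain.
  echo "$ipt -F"
  echo "$ipt -P INPUT DROP"
  echo "$ipt -P OUTPUT DROP"
  echo "$ipt -P FORWARD DROP"

  # Loopback stays open; replies to connections already accepted are allowed
  # by conntrack state so only the initial SYN has to match a whitelist rule.
  echo "$ipt -A INPUT -i lo -j ACCEPT"
  echo "$ipt -A OUTPUT -o lo -j ACCEPT"
  echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # Outbound: only NEW TCP connections to whitelisted host:port pairs
  # (e.g. the one production database, but not the others).
  for e in $egress; do
    valid_endpoint "$e" || return 1
    host=${e%:*}; port=${e##*:}
    echo "$ipt -A OUTPUT -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done

  # Inbound: only NEW connections from whitelisted source ranges
  # (e.g. the CIDR of this service's own environment).
  for cidr in $ingress; do
    echo "$ipt -A INPUT -s $cidr -m conntrack --ctstate NEW -j ACCEPT"
  done

  # Anything else falls through to the DROP policy; log it first so blocked
  # traffic is visible when debugging (LOG prefixes are capped at 29 chars).
  echo "$ipt -A OUTPUT -j LOG --log-prefix \"mesos-egress-deny: \""
  echo "$ipt -A INPUT -j LOG --log-prefix \"mesos-ingress-deny: \""
}

# Usage (constructed sample values):
#   gen_whitelist_rules mesos-c1 "10.0.0.5:5432" "10.0.1.0/24"
```

The ESTABLISHED,RELATED rules are what make the default-deny policy workable: without them every reply packet of a whitelisted connection would also need its own rule. Rules generated this way are per-namespace, so tearing down the container's namespace removes them with it; the dynamic part of the second use case (mapping a service name from DiscoveryInfo to the CIDRs in `$3`) is left to the caller.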