Jie Yu created MESOS-7653:
-----------------------------

             Summary: Support launching slave using unprivileged user.
                 Key: MESOS-7653
                 URL: https://issues.apache.org/jira/browse/MESOS-7653
             Project: Mesos
          Issue Type: Improvement
            Reporter: Jie Yu
            Priority: Minor
This ticket captures the work needed to support launching the agent as an unprivileged user.

1) The agent binary needs to have file capabilities set. Since the agent needs to manipulate cgroups (if using the Linux launcher or the cgroups isolator) and clone namespaces (if using the Linux launcher), CAP_SYS_ADMIN must be in the agent process's effective set. Either the "Effective" bit is set on the agent binary, so that the permitted capabilities gained on exec'ing the binary are automatically put into the effective set of the agent process, or the agent raises the capability itself, which works as long as the capability is in its permitted set.

2) The launch of the user task is done by the `mesos-containerizer` binary. Either the agent raises ambient capabilities (using prctl PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer` binary has file capabilities set so that it is able to do things like `setuid` after the agent has exec'ed the helper. If the ambient capabilities route is chosen, the agent process must have the required capabilities in its inheritable set (at least) and in its permitted set.

3) If the Linux capabilities isolator is enabled, in order for frameworks to gain any capabilities they like, the process launching the agent should have all capabilities in its inheritable set and its bounding set so that those capabilities can be regained later.

http://man7.org/linux/man-pages/man7/capabilities.7.html

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
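The capability-set rules the three points rely on, as an added example written for this page and not Mesos code: a bitmask model of the execve() transformation, the capset() self-raise and the ambient raise from capabilities(7), with scenario functions for points 1 and 2 above. The capability numbers match <linux/capability.h>; set-user-ID-root binaries and securebits are left out of the model (an assumption to keep it short).

```c
#include <stdint.h>
#include <stdbool.h>

#define CAP_SETUID     7  /* numeric values as in <linux/capability.h> */
#define CAP_SYS_ADMIN 21
#define CAP(c) ((uint64_t)1 << (c))

struct caps { uint64_t permitted, effective, inheritable, bounding, ambient; };
struct filecaps { uint64_t permitted, inheritable; bool effective; };

/* execve() rules from capabilities(7). A binary carrying file capabilities is
 * "privileged", so the ambient set is cleared (setuid-root is not modelled). */
struct caps exec_caps(struct caps p, struct filecaps f) {
    struct caps n;
    n.ambient     = (f.permitted | f.inheritable) ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;  /* the file "Effective" bit */
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE): the kernel refuses unless the
 * capability is in both the permitted and the inheritable set of the caller. */
bool raise_ambient(struct caps *p, int cap) {
    if (!(p->permitted & CAP(cap)) || !(p->inheritable & CAP(cap))) return false;
    p->ambient |= CAP(cap);
    return true;
}

/* Point 1: an unprivileged shell (empty sets, full bounding set) execs an agent
 * binary whose file capabilities hold CAP_SYS_ADMIN. Without the Effective bit
 * the agent must raise it with capset(2), which only needs it to be permitted. */
uint64_t agent_effective_after_exec(bool effective_bit) {
    struct caps shell = { 0, 0, 0, CAP(CAP_SYS_ADMIN) | CAP(CAP_SETUID), 0 };
    struct caps agent = exec_caps(shell, (struct filecaps){ CAP(CAP_SYS_ADMIN), 0, effective_bit });
    if (!(agent.effective & CAP(CAP_SYS_ADMIN)) && (agent.permitted & CAP(CAP_SYS_ADMIN)))
        agent.effective |= CAP(CAP_SYS_ADMIN);  /* capset(2) self-raise */
    return agent.effective;
}

/* Point 2: the agent wants mesos-containerizer (no file capabilities) to keep
 * CAP_SETUID via the ambient route; that fails unless it is also inheritable. */
uint64_t helper_effective_via_ambient(bool setuid_inheritable) {
    uint64_t both = CAP(CAP_SYS_ADMIN) | CAP(CAP_SETUID);
    struct caps agent = { both, CAP(CAP_SYS_ADMIN), setuid_inheritable ? CAP(CAP_SETUID) : 0, both, 0 };
    raise_ambient(&agent, CAP_SETUID);
    return exec_caps(agent, (struct filecaps){ 0, 0, false }).effective;
}
```

Point 3 falls out of the same `exec_caps` rule: a capability absent from the launching process's bounding set is masked out of `f.permitted & p.bounding`, so no file capability on the agent binary can bring it back.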