[ 
https://issues.apache.org/jira/browse/MESOS-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16045582#comment-16045582
 ] 

James Peach commented on MESOS-7653:
------------------------------------

Some other related approaches:

- use user namespaces to start an unprivileged agent that can create new containers within that
- privilege-separate the agent from a long-running containerizer process so only the containerizer runs with privilege

> Support launching slave using unprivileged user.
> ------------------------------------------------
>
>                 Key: MESOS-7653
>                 URL: https://issues.apache.org/jira/browse/MESOS-7653
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Jie Yu
>            Priority: Minor
>
> This ticket captures the work needed to support launching the agent using an 
> unprivileged user.
> 1) The agent binary needs to have file capabilities set. Given that the agent 
> needs to manipulate cgroups (if using the linux launcher or cgroups isolator) 
> and clone namespaces (if using the linux launcher), the CAP_SYS_ADMIN 
> capability must be in the agent process's effective set. Either the 
> "Effective" bit should be set on the agent binary so that the permitted 
> capabilities gained on exec'ing the binary are put into the effective set of 
> the agent process automatically, or the agent will raise the capability 
> itself as long as the capabilities are in the permitted set.
> 2) Since the launch of the user task will be done by the `mesos-containerizer` 
> binary, either the agent will raise ambient capabilities (using prctl 
> PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer` 
> binary has file capabilities set so that it is able to do things like 
> `setuid` after the agent exec'ed the helper. That means the agent process 
> should have those required capabilities in its inheritable set (at least) and 
> in its permitted set if the ambient capabilities route is chosen.
> 3) If the linux capabilities isolator is enabled, in order for the framework 
> to gain any capabilities they like, the process launching the agent process 
> should have all capabilities in its inheritable set and its bounding set so 
> that those capabilities can be regained later.
> http://man7.org/linux/man-pages/man7/capabilities.7.html



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
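The ticket above turns on the rule in capabilities(7) that a capability can only be raised into the ambient set (PR_CAP_AMBIENT_RAISE) when it is already in both the permitted and the inheritable set, and that point 3's "regain later" depends on the inheritable and bounding sets. The following added example, written for this note and not code from the Mesos project, parses the Cap* lines of a /proc/<pid>/status-style text into bitmasks, applies those preconditions before attempting the prctl call, and reports why a raise would be refused. The two embedded status texts are constructed samples (a typical root process with an empty inheritable set, and a hypothetical agent holding only CAP_SYS_ADMIN in its permitted and inheritable sets); the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* PR_CAP_AMBIENT arrived in Linux 4.3; older headers lack these names. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* The five capability sets a process carries, as 64-bit masks (one bit per CAP_*). */
struct capsets {
    uint64_t inh, prm, eff, bnd, amb;
};

/* Constructed sample: root's usual layout, permitted/effective/bounding full, inheritable empty. */
static const char *SAMPLE_ROOT_STATUS =
    "Name:\tmesos-agent\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n";

/* Constructed sample: hypothetical unprivileged agent with CAP_SYS_ADMIN (bit 21) in
   permitted and inheritable, as the ticket's option 2 requires, nothing yet effective. */
static const char *SAMPLE_AGENT_STATUS =
    "Name:\tmesos-agent\n"
    "CapInh:\t0000000000200000\nCapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n";

/* Locate "Key:" in the text and parse the hex mask that follows it. */
static int parse_hex_field(const char *text, const char *key, uint64_t *out) {
    const char *p = strstr(text, key);
    if (p == NULL)
        return -1;
    *out = strtoull(p + strlen(key), NULL, 16);   /* strtoull skips the tab */
    return 0;
}

/* Parse the Cap* lines of a /proc/<pid>/status-style text. */
static int parse_capsets(const char *status, struct capsets *c) {
    if (parse_hex_field(status, "CapInh:", &c->inh) ||
        parse_hex_field(status, "CapPrm:", &c->prm) ||
        parse_hex_field(status, "CapEff:", &c->eff) ||
        parse_hex_field(status, "CapBnd:", &c->bnd))
        return -1;
    if (parse_hex_field(status, "CapAmb:", &c->amb))   /* absent before Linux 4.3 */
        c->amb = 0;
    return 0;
}

/* Kernel precondition for PR_CAP_AMBIENT_RAISE: cap in permitted AND inheritable. */
static int can_raise_ambient(const struct capsets *c, int cap) {
    uint64_t bit = UINT64_C(1) << cap;
    return (c->prm & bit) && (c->inh & bit) ? 1 : 0;
}

/* Ticket point 3: a capability can be regained by a child only if the launching
   process keeps it in both its inheritable and its bounding set. */
static int can_regain_later(const struct capsets *c, int cap) {
    uint64_t bit = UINT64_C(1) << cap;
    return (c->inh & bit) && (c->bnd & bit) ? 1 : 0;
}

/* Read the calling process's own sets from /proc. */
static int read_self_capsets(struct capsets *c) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capsets(buf, c);
}

/* Attempt the raise. Returns 0 on success or a negative errno: -EPERM when the
   precondition fails (the same answer the kernel would give, or when the
   SECBIT_NO_CAP_AMBIENT_RAISE securebit is set), -EIO if /proc is unreadable. */
static int raise_ambient(int cap) {
    struct capsets c;
    if (read_self_capsets(&c) != 0)
        return -EIO;
    if (!can_raise_ambient(&c, cap))
        return -EPERM;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0, 0) != 0)
        return -errno;
    return 0;
}

int main(void) {
    struct capsets c;
    if (read_self_capsets(&c) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("Inh=%016" PRIx64 " Prm=%016" PRIx64 " Eff=%016" PRIx64
           " Bnd=%016" PRIx64 " Amb=%016" PRIx64 "\n", c.inh, c.prm, c.eff, c.bnd, c.amb);
    int rc = raise_ambient(CAP_SYS_ADMIN);
    printf("raise CAP_SYS_ADMIN into ambient set: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Run as an ordinary user the raise is refused before prctl is even called, because the inheritable set is empty; the same happens for root with the usual Inh=0 layout, which is exactly why the ticket asks for the agent's inheritable set to be populated (file capabilities with the Inheritable bit, or an explicit capset) before the ambient route can work.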
