[ https://issues.apache.org/jira/browse/MESOS-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16045582#comment-16045582 ]
James Peach commented on MESOS-7653:
------------------------------------

Some other related approaches:

- use user namespaces to start an unprivileged agent that can create new containers within that
- privilege-separate the agent from a long-running containerizer process so only the containerizer runs with privilege

> Support launching slave using unprivileged user.
> ------------------------------------------------
>
>                 Key: MESOS-7653
>                 URL: https://issues.apache.org/jira/browse/MESOS-7653
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Jie Yu
>            Priority: Minor
>
> This ticket captures the work needed to support launching the agent using an
> unprivileged user.
>
> 1) The agent binary needs to have file capabilities set. Given the agent needs
> to manipulate cgroups (if using the linux launcher or cgroups isolator) and
> clone namespaces (if using the linux launcher), the CAP_SYS_ADMIN capability
> must be in the agent process's effective set. Either the "Effective" bit
> should be set on the agent binary so that the permitted capabilities gained
> on exec'ing the binary will be put into the effective set of the agent
> process automatically, or the agent will raise the capability itself as long
> as the capabilities are in the permitted set.
>
> 2) Since the launch of the user task will be done by the `mesos-containerizer`
> binary, either the agent will raise ambient capabilities (using prctl
> PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer`
> binary has file capabilities set so that it is able to do things like
> `setuid` after the agent exec'ed the helper. That means the agent process
> should have those required capabilities in its inheritable set (at least) and
> permitted set if the ambient capabilities route is chosen.
>
> 3) If the linux capabilities isolator is enabled, in order for the framework
> to gain any capabilities they like, the process launching the agent process
> should have all capabilities in its inheritable set and its bounding set so
> that those capabilities can be regained later.
>
> http://man7.org/linux/man-pages/man7/capabilities.7.html

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
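The three points quoted above (raise a permitted capability into the effective set, raise it into the ambient set so it survives exec of a helper, and the inheritable/bounding-set precondition for regaining it later) can be exercised against the raw Linux interfaces from capabilities(7). The program below is an added example, not Mesos code and not how mesos-agent or mesos-containerizer implement any of this; it talks to the kernel with capget(2)/capset(2)/prctl(2) directly instead of libcap, and the `/proc` status text it parses in the test is a constructed sample, not output captured from a real agent.

```c
/* Added example (not Mesos code): the capability bookkeeping from points
 * 1) to 3) of MESOS-7653, using raw capget/capset/prctl rather than libcap.
 * SAMPLE_STATUS below is a constructed /proc/<pid>/status fragment. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* PR_CAP_AMBIENT arrived in Linux 4.3; older headers lack the constants. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* The five sets a process carries, as printed in /proc/<pid>/status. */
struct capsets { uint64_t inh, prm, eff, bnd, amb; };

/* Parse the Cap* lines out of a /proc/<pid>/status buffer.
 * Returns how many of the five sets were found (5 on kernels >= 4.3). */
int parse_status_caps(const char *status, struct capsets *cs) {
    static const struct { const char *key; size_t off; } fields[] = {
        { "CapInh:", offsetof(struct capsets, inh) },
        { "CapPrm:", offsetof(struct capsets, prm) },
        { "CapEff:", offsetof(struct capsets, eff) },
        { "CapBnd:", offsetof(struct capsets, bnd) },
        { "CapAmb:", offsetof(struct capsets, amb) },
    };
    int found = 0;
    memset(cs, 0, sizeof *cs);
    for (const char *line = status; line && *line; ) {
        const char *nl = strchr(line, '\n');
        for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
            size_t klen = strlen(fields[i].key);
            if (strncmp(line, fields[i].key, klen) == 0) {
                uint64_t mask = strtoull(line + klen, NULL, 16); /* skips the tab */
                memcpy((char *)cs + fields[i].off, &mask, sizeof mask);
                found++;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return found;
}

/* 1 if capability number `cap` is present in bitmask `set`. */
int cap_in(uint64_t set, int cap) { return (int)((set >> cap) & 1u); }

/* Read the calling process's own sets. Returns 0 on success. */
int read_self_caps(struct capsets *cs) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_caps(buf, cs) >= 4 ? 0 : -1;
}

/* Point 1), second option: the binary carries "cap_sys_admin+p" (no "e" bit),
 * so the agent raises the capability into its effective set itself. The same
 * capset(2) also adds it to inheritable, which the ambient route in point 2)
 * requires. Fails with EPERM unless the capability is already permitted. */
int raise_effective_and_inheritable(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    int word = cap / 32;
    uint32_t bit = 1u << (cap % 32);
    if (!(data[word].permitted & bit)) { errno = EPERM; return -1; }
    data[word].effective |= bit;
    data[word].inheritable |= bit;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Point 2), first option: an ambient capability survives execve() of a helper
 * (e.g. mesos-containerizer) that has no file capabilities of its own. The
 * kernel refuses with EPERM unless cap is in BOTH permitted and inheritable. */
int raise_ambient(int cap) {
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL);
}

/* Pre-check mirroring the kernel's rule for raise_ambient(). */
int ambient_raise_allowed(const struct capsets *cs, int cap) {
    return cap_in(cs->prm, cap) && cap_in(cs->inh, cap);
}

/* Point 3): a capability can only be regained later if the launching process
 * still has it in its bounding set and its inheritable set. */
int launcher_can_pass_cap(const struct capsets *launcher, int cap) {
    return cap_in(launcher->bnd, cap) && cap_in(launcher->inh, cap);
}

/* Constructed sample: CAP_SYS_ADMIN (bit 21, 0x200000) gained from a file
 * capability "cap_sys_admin+p", nothing in effective, inheritable or ambient. */
const char *SAMPLE_STATUS =
    "Name:\tmesos-agent\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

int main(void) {
    struct capsets cs;
    if (read_self_caps(&cs) != 0) { perror("/proc/self/status"); return 1; }
    printf("CAP_SYS_ADMIN: prm=%d eff=%d inh=%d bnd=%d amb=%d\n",
           cap_in(cs.prm, CAP_SYS_ADMIN), cap_in(cs.eff, CAP_SYS_ADMIN),
           cap_in(cs.inh, CAP_SYS_ADMIN), cap_in(cs.bnd, CAP_SYS_ADMIN),
           cap_in(cs.amb, CAP_SYS_ADMIN));
    if (raise_effective_and_inheritable(CAP_SYS_ADMIN) != 0)
        printf("capset: %s (CAP_SYS_ADMIN not permitted)\n", strerror(errno));
    if (raise_ambient(CAP_SYS_ADMIN) != 0)
        printf("ambient raise refused: %s\n", strerror(errno));
    else
        printf("CAP_SYS_ADMIN is ambient and survives execve of an unprivileged helper\n");
    return 0;
}
```

Run it once as a plain user and once after `setcap cap_sys_admin+p ./a.out` (a shell command, not part of the example) to see the difference: with only the "p" bit the first capset succeeds and the ambient raise then succeeds too, because that capset also filled the inheritable set; with no file capability both calls fail with EPERM, which is the state the ticket's point 1) is about.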