[ https://issues.apache.org/jira/browse/MESOS-9771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834402#comment-16834402 ]
James Peach commented on MESOS-9771:
------------------------------------

Since {{/proc/keys}} gets masked, we should probably mask {{/proc/key-users}} too. Weird that I don't see other containerizers doing that.

My main concern with this change is compatibility with containerized services like CSI, that may need privileged access to the host. Masking all these paths for this kind of service could break them. There are a few possible solutions:

1. Skip the masking based on properties of the launch, e.g. whether the Docker {{privileged}} flag is set, or whether the container is joining the host's PID namespace.
2. Add a flag that specifies the set of paths to mask, so that operators can whack it with configuration.
3. Unconditionally do the masking.

If we go down the path of (2), then operators who need privileged containers to see this information will be stranded, so my preference would be something closer to (1). If we prefer (3), then we already unconditionally make certain container paths read-only, which could be regarded as precedent.

/cc [~jieyu] [~gilbert] [~jasonlai]

> Mask sensitive procfs paths.
> ----------------------------
>
>                 Key: MESOS-9771
>                 URL: https://issues.apache.org/jira/browse/MESOS-9771
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James Peach
>            Priority: Major
>
> We already have a set of procfs paths that we mark read-only in the
> containerizer, but there are additional paths that are considered sensitive
> by other containerizers and are masked altogether:
> {noformat}
> "/proc/asound"
> "/proc/acpi"
> "/proc/kcore"
> "/proc/keys"
> "/proc/latency_stats"
> "/proc/timer_list"
> "/proc/timer_stats"
> "/proc/sched_debug"
> "/sys/firmware"
> "/proc/scsi"
> {noformat}
> Masking is done by mounting {{/dev/null}} on files, and an empty, readonly
> {{tmpfs}} on directories.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
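The masking the quoted issue describes, written here as an added example rather than Mesos's own containerizer code: each listed path gets /dev/null bound over it if it is a file or an empty read-only tmpfs if it is a directory, and the whole step is skipped when the launch is marked privileged, the launch-property approach of option (1) in the comment. The function names, the mount options and the PRIVILEGED environment variable are assumptions made for this example, not Mesos flags.

```shell
# Added example (not Mesos code): mask the procfs/sysfs paths from MESOS-9771.
# mask_cmd and is_masked need no privilege; apply_masks needs root and is
# meant to run inside a private mount namespace (see the note below).

MASK_PATHS="/proc/asound /proc/acpi /proc/kcore /proc/keys /proc/latency_stats
/proc/timer_list /proc/timer_stats /proc/sched_debug /sys/firmware /proc/scsi"

# Print the mount command that masks one path: an empty read-only tmpfs over a
# directory, /dev/null bound over a file. A missing path prints nothing, since
# a kernel without that interface has nothing to hide.
mask_cmd() {
    if [ -d "$1" ]; then
        echo "mount -t tmpfs -o ro,nosuid,nodev,noexec tmpfs $1"
    elif [ -e "$1" ]; then
        echo "mount --bind /dev/null $1"
    fi
}

# Return 0 when a path reads as masked: a directory with no entries, or a file
# that yields zero bytes (what /dev/null bound over /proc/kcore looks like).
is_masked() {
    if [ -d "$1" ]; then
        [ -z "$(ls -A "$1")" ]
    else
        [ "$(dd if="$1" bs=1 count=1 2>/dev/null | wc -c)" -eq 0 ]
    fi
}

# Apply every mask and verify it took, unless the launch is privileged.
# PRIVILEGED=true stands in for a launch property such as Docker's privileged
# flag (assumed variable name, chosen for this example).
apply_masks() {
    if [ "${PRIVILEGED:-false}" = "true" ]; then
        echo "privileged launch: leaving procfs unmasked" >&2
        return 0
    fi
    for p in $MASK_PATHS; do
        cmd=$(mask_cmd "$p")
        [ -n "$cmd" ] || continue
        $cmd   # unquoted on purpose: run the printed mount command
        is_masked "$p" || { echo "mask failed for $p" >&2; return 1; }
    done
}
```

Saved as mask.sh and run as root with `unshare -m sh -c '. ./mask.sh && apply_masks'`, the mounts land in a throwaway mount namespace and the host's own /proc is untouched.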