[
https://issues.apache.org/jira/browse/MESOS-9768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16842819#comment-16842819
]
Yan Xu commented on MESOS-9768:
-------------------------------
What we are primarily interested in is to set it for the {{overlay}}
backend but there are multiple backend options. Seems like a common flag
--{{image_mount_options}} could be applicable to {{bind}} backend as well
(maybe {{aufs}} too? [~gilbert]). It doesn't apply to the {{copy}} backend of
course.
One could argue that since this is a security concern, perhaps one flag to
control all mounts (volumes) makes sense but I am afraid that'll be very broad
and increase the complexity. Also AFAIK you can also just set {{nosuid}} on the
underlying partition for these cases. It's overlayfs that doesn't honor it so
we have to protect it this way.
We can probably start off with a generic flag --{{image_mount_options}} but use
documentation to indicate what backends are applicable/supported.
[~jamespeach] [~gilbert] [~jieyu] WDYT?
> Allow operators to mount the container rootfs with the `nosuid` flag
> --------------------------------------------------------------------
>
> Key: MESOS-9768
> URL: https://issues.apache.org/jira/browse/MESOS-9768
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: James Peach
> Priority: Major
>
> If cluster users are allowed to launch containers with arbitrary images,
> those images may contain setuid programs. For security reasons (auditing,
> privilege escalation), operators may wish to ensure that setuid programs
> cannot be used within a container.
>
> We should provide a way for operators to be able to specify that container
> volumes (including `/`) should be mounted with the `nosuid` flag.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
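
An audit that follows from the comment above, as an added example that is not part of the original thread or of Mesos: it parses text in `/proc/self/mountinfo` format and lists overlay mounts whose own mount flags lack `nosuid`, even when the backing partition carries it. The sample lines, the `/example/store` paths and the function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from a real host).
# /example/store is a placeholder for wherever container root filesystems live.
SAMPLE_MOUNTINFO = r"""
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
61 24 8:17 / /example/store rw,nosuid,relatime shared:30 - ext4 /dev/sdb1 rw
212 61 0:52 / /example/store/c1/rootfs rw,relatime shared:95 - overlay overlay rw,lowerdir=/l1,upperdir=/u1,workdir=/w1
213 61 0:53 / /example/store/c2/rootfs rw,nosuid,relatime - overlay overlay rw,lowerdir=/l2,upperdir=/u2,workdir=/w2
214 61 0:54 / /example/store/c\0403/rootfs rw,relatime - overlay overlay rw,lowerdir=/l3,upperdir=/u3,workdir=/w3
"""


def unescape(path):
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Yield (mount_point, fstype, per-mount options) for each valid line."""
    for line in text.splitlines():
        fields = line.split()
        try:
            # Zero or more optional fields (e.g. shared:N) precede the "-".
            sep = fields.index("-", 6)
            fstype = fields[sep + 1]
        except (ValueError, IndexError):
            continue  # blank or malformed line
        yield unescape(fields[4]), fstype, set(fields[5].split(","))


def overlay_missing_nosuid(text, root_prefix):
    """Overlay mounts under root_prefix whose own flags do not include nosuid."""
    prefix = root_prefix.rstrip("/") + "/"
    return [
        mount_point
        for mount_point, fstype, options in parse_mountinfo(text)
        if fstype == "overlay"
        and mount_point.startswith(prefix)
        and "nosuid" not in options
    ]


if __name__ == "__main__":
    # On a live agent, pass open("/proc/self/mountinfo").read() instead.
    for mount_point in overlay_missing_nosuid(SAMPLE_MOUNTINFO, "/example/store"):
        print("overlay mount without nosuid:", mount_point)
```
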