[
https://issues.apache.org/jira/browse/MESOS-9768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844438#comment-16844438
]
James Peach commented on MESOS-9768:
------------------------------------
{quote}
What we are primarily interested in is to set it for for the overlay backend
but there are multiple backend options. Seems like a common flag
--image_mount_options could be applicable to bind backend as well (maybe aufs
too? Gilbert Song). It doesn't apply to the copy backend of course.
{quote}
I think that the main mount options that applies to non-overlayfs backends is
{{MS_RDONLY}}. Since you only get one image provisioner backend, I think that a
single global option is OK. Each backend can error out it there are any mount
options provided that it can't support.
Making this a per-container option is more complex. We can table the issue of
mount flags for non-image volumes here, since I expect that the configuration
for that will be different.
> Allow operators to mount the container rootfs with the `nosuid` flag
> --------------------------------------------------------------------
>
> Key: MESOS-9768
> URL: https://issues.apache.org/jira/browse/MESOS-9768
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: James Peach
> Priority: Major
>
> If cluster users are allowed to launch containers with arbitrary images,
> those images may container setuid programs. For security reasons (auditing,
> privilege escalation), operators may wish to ensure that setuid programs
> cannot be used within a container.
>
> We should provide a way for operators to be able to specify that container
> volumes (including `/`0 should be mounted with the `nosuid` flag.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
