-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59552/
-----------------------------------------------------------
(Updated June 16, 2017, 4:39 a.m.)
Review request for mesos, Jie Yu and Jiang Yan Xu.
Changes
-------
Rebased and addressed review feedback.
Bugs: MESOS-7476
https://issues.apache.org/jira/browse/MESOS-7476
Repository: mesos
Description (updated)
-------
The linux/capabilities isolator implements the `--allowed_capabilities`
option by granting all the allowed capabilities. This change explicitly
populates the only the bounding capabilities in the case where
`--bounding_capabilities` has been set but the task itself has not been
granted any effective capabilities. This improves the security of tasks
since it is now possible to configure the bounding set without actually
granting privilege to the task.
Removed 2 capabilities isolator test cases. These test cases depended on
the framework-specified effective capabilities also setting the bounding
set. Now that the operator flag always determines the bounding set,
these test cases are no longer valid.
Diffs (updated)
-----
src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
60d22aa877c1ab62a08222e5efe8800e337684da
src/slave/containerizer/mesos/launch.cpp
f48d294a0a832dfe248c4a83849ee5a63cb76bce
src/tests/containerizer/linux_capabilities_isolator_tests.cpp
40376a03fdb8f931f8d3f83b1c3fa6207e02c1d1
Diff: https://reviews.apache.org/r/59552/diff/7/
Changes: https://reviews.apache.org/r/59552/diff/6-7/
Testing
-------
make check (Fedora 25)
Thanks,
James Peach
