----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/66034/#review199281 -----------------------------------------------------------
I feel that the complexity of this code justifies better user doc, possibly when we create a new isolator for this? Also, how much of each mount should be allow to reconfigure? Should this behavior be dictated for every user of Mesos containerizer? src/linux/fs.cpp Lines 686-692 (original), 686-692 (patched) <https://reviews.apache.org/r/66034/#comment279584> Can we move the `TODO` to the sentence about follow-up? The sentence `These special filesystem mount points need to be bind-mounted prior to all other ...` is a comment on requirement which your follow up work would not change. - Zhitao Li On March 15, 2018, 6:24 p.m., Jason Lai wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/66034/ > ----------------------------------------------------------- > > (Updated March 15, 2018, 6:24 p.m.) > > > Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James > Peach, and Zhitao Li. > > > Bugs: MESOS-8654 > https://issues.apache.org/jira/browse/MESOS-8654 > > > Repository: mesos > > > Description > ------- > > Several entries under the proc FS within Mesos containers need to be > remounted as readonly for improved security reasons. > > The list should include the important ones introduced by Systemd's > `ProtectKernelTunables` option: > > * `/proc/bus` > * `/proc/fs` > * `/proc/irq` > * `/proc/sys` > * `/proc/sysrq-trigger` > > It is particularly necessary to remount `/proc/sysrq-trigger` as > read-only. Otherwise, it would be possible for processes running in > containers as `root` to perform privileged operations, such as host > reboot. > > Extra mount options should include `nosuid,noexec,nodev` (see also > `mount(2)` for detailed explanations of the options). > > > Diffs > ----- > > src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a > > > Diff: https://reviews.apache.org/r/66034/diff/1/ > > > Testing > ------- > > The mount table of the container launched by the patched version of > `mesos-containerizer launch` include the entries listed below, with > `nosuid,noexec,nodev` mount options: > ``` > $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch > --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)" > Marked '/' as rslave > Prepared mount > '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}' > Prepared mount > '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}' > Prepared mount > '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}' > Changing root to /home/jlai/containers/rootfs > bash-4.4# findmnt -a > TARGET SOURCE FSTYPE OPTIONS > / alpine overlay > rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work > |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 > rw,noatime,errors=panic,data=ordered > |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 > rw,noatime,errors=panic,data=ordered > |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 > rw,noatime,errors=panic,data=ordered > |-/proc proc proc > rw,nosuid,nodev,noexec,relatime > | |-/proc/bus proc[/bus] proc > ro,nosuid,nodev,noexec,relatime > | |-/proc/fs proc[/fs] proc > ro,nosuid,nodev,noexec,relatime > | |-/proc/irq proc[/irq] proc > ro,nosuid,nodev,noexec,relatime > | |-/proc/sys proc[/sys] proc > ro,nosuid,nodev,noexec,relatime > | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc > ro,nosuid,nodev,noexec,relatime > |-/sys sysfs sysfs > ro,nosuid,nodev,noexec,relatime > `-/dev tmpfs tmpfs > rw,nosuid,noexec,mode=755 > |-/dev/pts devpts devpts > rw,nosuid,noexec,relatime,mode=600,ptmxmode=666 > `-/dev/shm tmpfs tmpfs rw,nosuid,nodev > ``` > > > Thanks, > > Jason Lai > >