> On July 12, 2019, 5:46 p.m., Andrei Budnik wrote:
> > src/slave/containerizer/mesos/isolators/linux/nnp.cpp
> > Lines 71 (patched)
> > <https://reviews.apache.org/r/70757/diff/7/?file=2154555#file2154555line71>
> >
> >     What happens if a framework explicitly sets the `no_new_privileges` flag to `false` in the `ContainerLaunchInfo`? Does the isolator handle such a case?
>
> James Peach wrote:
>     In that case, the containerizer would do nothing (i.e. default NNP status). This would have the same end result, but I agree that it's worth being explicit here.
>
> Andrei Budnik wrote:
>     At this point, the NNP isolator does not support overriding of the NNP bit by a framework?
>
>     Here is an example of how the `linux/seccomp` isolator handles the `seccomp` flag provided by a framework:
>     https://github.com/apache/mesos/blob/master/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp#L98-L103
Dropping this issue from chat on slack:

jpeach: We need the operator to take some action to enable NNP, we can't just turn it on since that might break things. The way I had been thinking about this was that the action would be enabling the NNP isolator. However, when we make it configurable by frameworks, that action is no longer definitive (i.e. there's no way to be explicit about what you want the default to be for frameworks that don't set the field). This is why I was suggesting that the seccomp isolator deal with the configurable part, since NNP is usually associated with seccomp as well.

jpeach [19 hours ago]
However, if we follow this reasoning, it takes us back to our original aim for the NNP isolator, which was to unconditionally set the NNP flag. Taking this approach, we can add the configurable parts later.

- Jacob


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70757/#review216562
-----------------------------------------------------------


On July 17, 2019, 7:19 p.m., Jacob Janco wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70757/
> -----------------------------------------------------------
>
> (Updated July 17, 2019, 7:19 p.m.)
>
>
> Review request for mesos, Andrei Budnik, Gilbert Song, Jie Yu, and James Peach.
>
>
> Bugs: MESOS-9770
>     https://issues.apache.org/jira/browse/MESOS-9770
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added docs for the NNP isolator.
>
>
> Diffs
> -----
>
>   CHANGELOG 164465a71c660ab9f01fb18d43076afc4b892ad5
>   docs/isolators/linux-nnp.md PRE-CREATION
>   docs/mesos-containerizer.md e79976111ec8e9cc8e8d44b5f1b8d6e2c7e072d6
>
>
> Diff: https://reviews.apache.org/r/70757/diff/9/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Jacob Janco
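The thread above turns on the semantics of the Linux no_new_privileges bit that the NNP isolator sets: "doing nothing" leaves the bit at whatever the parent already had, and once set it cannot be cleared or escaped by a child, which is why an explicit `false` from a framework cannot mean "turn it off". The following is an added example, not Mesos code, that demonstrates those three properties with prctl(2); it assumes a Linux kernel (3.5 or newer) and a libc that exposes PR_SET_NO_NEW_PRIVS through <sys/prctl.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not Mesos code: exercises the Linux no_new_privileges bit
 * that the NNP isolator sets for a container. Assumes Linux >= 3.5 (prctl
 * PR_SET_NO_NEW_PRIVS) and a libc that exposes it via <sys/prctl.h>. */

/* Current NNP state of the calling task: 1 set, 0 clear, -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit for the calling task, as an isolator would in the container
 * launch path before exec. Returns 0 on success (also if already set). */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The bit is one-way: asking the kernel to clear it is rejected with EINVAL.
 * Returns 1 if the clear was refused (expected), 0 otherwise. */
int nnp_clear_is_refused(void) {
    errno = 0;
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return rc == -1 && errno == EINVAL;
}

/* Fork a child and report whether it inherited the bit: 1 yes, 0 no, -1 error.
 * This is why a launched task cannot undo what the isolator set on its parent. */
int nnp_child_inherits(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before set: nnp=%d\n", nnp_get());
    nnp_set();
    printf("after set: nnp=%d clear_refused=%d child_inherits=%d\n",
           nnp_get(), nnp_clear_is_refused(), nnp_child_inherits());
    return 0;
}
```

If the process is already running under a sandbox that set the bit (a seccomp-confined container, for instance), the "before set" value is already 1, which is exactly the "default NNP status" case James Peach refers to.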