[jira] [Comment Edited] (MESOS-9768) Allow operators to mount the container rootfs with the `nosuid` flag

James Peach (JIRA) Mon, 06 May 2019 20:57:21 -0700


    [ 
https://issues.apache.org/jira/browse/MESOS-9768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834357#comment-16834357
 ]


James Peach edited comment on MESOS-9768 at 5/7/19 3:56 AM:
------------------------------------------------------------

/cc [~jieyu] [~gilbert]


was (Author: jamespeach):
/cc [~jieyu] @gilbert

> Allow operators to mount the container rootfs with the `nosuid` flag
> --------------------------------------------------------------------
>
>                 Key: MESOS-9768
>                 URL: https://issues.apache.org/jira/browse/MESOS-9768
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James Peach
>            Priority: Major
>
> If cluster users are allowed to launch containers with arbitrary images, 
> those images may container setuid programs. For security reasons (auditing, 
> privilege escalation), operators may wish to ensure that setuid programs 
> cannot be used within a container.
>  
> We should provide a way for operators to be able to specify that container 
> volumes (including `/`0 should be mounted with the `nosuid` flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Comment Edited] (MESOS-9768) Allow operators to mount the container rootfs with the `nosuid` flag

Reply via email to