mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <>
Subject Review Request 70678: Add containerizer support for masking paths.
Date Sun, 19 May 2019 23:22:35 GMT

This is an automatically generated e-mail. To reply, visit:

Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu.

Bugs: MESOS-9771

Repository: mesos


Add support to the `filesystem/linux` isolator for masking container
paths. Add a set of standard default paths to be masked, as derived
from commonly used container runtimes. These paths either expose
information about other system processes, or capabilities that
should not be exposed to untristed containers.

We don't mask if the container is privileged, which is defined
as sharing the host's PID namespace. However, there is no way to
tell whether a nested container will ultimaty be privileged by
this definition.


  include/mesos/slave/containerizer.proto 48ffa2e6bd1a03f3dc68a3a78d883855f14bf10c 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 7b50258ef5480c1ea3f0016aace3b838395becfd

  src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8 
  src/tests/containerizer/linux_filesystem_isolator_tests.cpp 60e9ae5970a0a45314d0b3569556bef36d350d2b

  src/tests/containerizer/rootfs.cpp 48eb0108cf26729a0528528a1102247410cf80fe 



sudo make check (Fedora 30)


James Peach

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message