mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <>
Subject Re: Review Request 70678: Add containerizer support for masking paths.
Date Mon, 20 May 2019 01:41:56 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated May 20, 2019, 1:41 a.m.)

Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu.

Bugs: MESOS-9771

Repository: mesos

Description (updated)

Add support to the `filesystem/linux` isolator for masking container
paths. Add a set of standard default paths to be masked, as derived
from commonly used container runtimes. These paths either expose
information about other system processes, or capabilities that
should not be exposed to untristed containers.

We don't mask if the container is privileged, which is defined as
sharing the host's PID namespace. For nested containers, we verify
that the PID namespace is shared from the host annd the way up
the tree.

Diffs (updated)

  include/mesos/slave/containerizer.proto 48ffa2e6bd1a03f3dc68a3a78d883855f14bf10c 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 7b50258ef5480c1ea3f0016aace3b838395becfd

  src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8 
  src/tests/containerizer/linux_filesystem_isolator_tests.cpp 60e9ae5970a0a45314d0b3569556bef36d350d2b

  src/tests/containerizer/rootfs.cpp 48eb0108cf26729a0528528a1102247410cf80fe 




sudo make check (Fedora 30)


James Peach

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message