mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <>
Subject Re: Review Request 70678: Add containerizer support for masking paths.
Date Wed, 22 May 2019 20:25:46 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated May 22, 2019, 8:25 p.m.)

Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu.

Bugs: MESOS-9771

Repository: mesos


Add support to the `filesystem/linux` isolator for masking container
paths. Add a set of standard default paths to be masked, as derived
from commonly used container runtimes. These paths either expose
information about other system processes, or capabilities that
should not be exposed to untrusted containers.

We don't mask if the container is privileged, which is defined
as sharing the host's PID namespace. For nested containers, we
verify that the PID namespace is shared from the host all the way
up the tree.

Diffs (updated)

  include/mesos/slave/containerizer.proto 48ffa2e6bd1a03f3dc68a3a78d883855f14bf10c 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 725754f26855ea54ccf8cbcb288ee3b29e8ed4e7

  src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8 
  src/tests/containerizer/linux_filesystem_isolator_tests.cpp 60e9ae5970a0a45314d0b3569556bef36d350d2b

  src/tests/containerizer/rootfs.cpp 48eb0108cf26729a0528528a1102247410cf80fe 




sudo make check (Fedora 30)


James Peach

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message