Repository: mesos
Updated Branches:
  refs/heads/master c7dab59bf -> 70bddc989

Added documentation for mesos-containerizer Linux capabilities support.



Branch: refs/heads/master
Commit: 70bddc989dda3e7fcc6958eaaaae2ad341aace59
Parents: c7dab59
Author: Benjamin Bannier <>
Authored: Tue Oct 18 15:49:31 2016 -0700
Committer: Jie Yu <>
Committed: Tue Oct 18 16:00:25 2016 -0700

 docs/       | 16 ++++++++++++
 docs/  | 53 ++++++++++++++++++++++++++++++++++++++++
 docs/ |  4 +++
 3 files changed, 73 insertions(+)
diff --git a/docs/ b/docs/
index c83a58e..efe3e9b 100644
--- a/docs/
+++ b/docs/
@@ -996,6 +996,22 @@ cgroup.
+    --allowed_capabilities=VALUE
+  </td>
+  <td>
+The value needs to be a JSON-formatted string of Linux capabilities
+that the agent should allow. Note that if no Linux capabilities
+isolation is enabled (<code>linux/capabilities</code> is not present
+in the arguments to <code>--isolation</code>), this flags is ignored.
+"capabilities": [NET_RAW, MKNOD]
+  </td>
+  <td>
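Review bot: The example value in the `--allowed_capabilities` description, `"capabilities": [NET_RAW, MKNOD]`, is not a JSON document as written. It has no enclosing braces and the capability names are unquoted, while the sentence above it says the value must be a JSON-formatted string. Please show a value that the flag parser accepts verbatim. Also, "this flags is ignored" should read "this flag is ignored". Since the flag reference is where operators look first, it would help to state here what an absent flag and an empty list each mean, rather than only in the isolator document.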
diff --git a/docs/ b/docs/
new file mode 100644
index 0000000..b79aa8c
--- /dev/null
+++ b/docs/
@@ -0,0 +1,53 @@
+# Linux Capabilities Support in Mesos Containerizer
+This document describes the `linux/capabilities` isolator. The
+isolator adds support for controlling [Linux
+of containers launched using the
+The Linux capabilities isolator allows operators to control which
+privileged operations Mesos tasks may perform. Operators can specify
+which capabilities to allow for containers executing on an agent;
+containers on the other hand can expose which capabilities they need.
+See the protobuf definition of `CapabilityInfo::Capability` for the
+list of currently exposed capabilities.
+## Agent setup
+The Linux capabilities isolator is loaded when `linux/capabilities` is
+present in the agent's `--isolation` flag.
+Capabilities which should be allowed are passed with the
+`--allowed_capabilities` flag. This isolator requires the
+`CAP_SETPCAP` capability so agent processes typically need to be
+started as root. A possible agent startup invocation could be
+sudo mesos-agent --master=<master ip> --ip=<agent ip>
+  --work_dir=/var/lib/mesos
+  --isolation=linux/capabilities[,other isolation flags]
+  --allowed_capabilities='{"capabilities":[NET_RAW,MKNOD]}'
+An empty list for `--allowed_capabilities` signifies that no
+capabilities are allowed, while an absent `--allowed_capabilities` flag
+signifies that all capabilities are allowed.
+## Task setup
+In order for a Mesos task to acquire allowed capabilities it needs to
+declare required capabilities in the `LinuxInfo` of its
+A Mesos task can only request capabilities which are allowed for the
+agent; a task requesting unallowed capabilities will be rejected.
+If an empty list of capabilities is given the Mesos task will drop all
+capabilities; if the optional `capability_info` field is not set the
+container will be able to acquire the capabilities of the Mesos task's
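Review bot: In "Agent setup", the sentence saying that an absent `--allowed_capabilities` flag means all capabilities are allowed describes a fail-open default, and it sits at the very end of the section where it is easy to miss. An operator who adds `linux/capabilities` to `--isolation` and sets nothing else gets an agent that imposes no restriction. Suggest stating this right after the sentence on loading the isolator. "Task setup" has the same issue: an empty capability list drops all capabilities, while an unset `capability_info` lets the container acquire capabilities, so the two cases have opposite effects. A short table covering the agent flag (absent, empty list) and the task field (unset, empty list) would remove the ambiguity. The example invocation spans four lines without line continuations, so it cannot be pasted into a shell as is, and `[NET_RAW,MKNOD]` uses unquoted names here as well.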
diff --git a/docs/ b/docs/
index 7654462..2bff35f 100644
--- a/docs/
+++ b/docs/
@@ -285,3 +285,7 @@ This is described in a [separate 
 ### The `network/cni` Isolator
 This is described in a [separate document](
+### The `linux/capabilities` Isolator
+This is described in a [separate document](
