This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit c6f3334c43e95f6486942256f77ed2aa926c4d1b
Author: Andrei Budnik <[email protected]>
AuthorDate: Tue Mar 5 15:00:53 2019 -0800
Added `unconfined` flag to `SeccompInfo` message.
This patch introduces `unconfined` flag that can be used by a framework to explicitly disable Seccomp filtering for a particular container.
Review: https://reviews.apache.org/r/70108/
---
docs/isolators/linux-seccomp.md | 4 +++-
include/mesos/mesos.proto | 7 +++++++
include/mesos/v1/mesos.proto | 7 +++++++
src/slave/containerizer/mesos/isolators/linux/seccomp.cpp | 12 ++++++++++++
4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/docs/isolators/linux-seccomp.md b/docs/isolators/linux-seccomp.md
index 7594526..dc027c0 100644
--- a/docs/isolators/linux-seccomp.md
+++ b/docs/isolators/linux-seccomp.md
@@ -53,4 +53,6 @@ sudo mesos-agent --master=<master ip> --ip=<agent ip>
 In order for a Mesos task to override the agent's default Seccomp profile, it should declare the required profile in the `LinuxInfo` field of its
-`ContainerInfo`.
+`ContainerInfo`. E.g., if the agent is launched with the default Seccomp
+profile enabled, a framework can disable Seccomp for a particular task by
+setting an `unconfined` field in the corresponding `SeccompInfo`.
diff --git a/include/mesos/mesos.proto b/include/mesos/mesos.proto
index 48f30b3..d373a1d 100644
--- a/include/mesos/mesos.proto
+++ b/include/mesos/mesos.proto
@@ -3214,6 +3214,13 @@ message SeccompInfo {
 // relative to the directory containing Seccomp profiles,
 // which is specified on the agent via the `--seccomp_config_dir` flag.
 optional string profile_name = 1;
+
+ // If set to `true`, Seccomp is not applied to the container.
+ // If not set or set to `false`, the container is launched with
+ // the profile specified in the `profile_name` field.
+ //
+ // NOTE: `profile_name` should not be specified if `unconfined` set to `true`.
+ optional bool unconfined = 2;
 }
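Review bot: The NOTE on the new `unconfined` field is missing a verb ("if `unconfined` set to `true`" should read "is set to") and understates the contract: the agent-side change in this same commit rejects the combination with a Failure instead of ignoring one of the fields, so API readers should be told the launch fails. Suggested wording: `// NOTE: The agent rejects a SeccompInfo that sets both profile_name and unconfined = true; the container is not launched.` The comment could also say, as the docs change in this commit does, that `unconfined` overrides the agent's default Seccomp profile, so a task opted out this way runs with no Seccomp filtering at all. The identical comment block is added to include/mesos/v1/mesos.proto and should be updated the same way.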
diff --git a/include/mesos/v1/mesos.proto b/include/mesos/v1/mesos.proto
index e07dd9e..e53596f 100644
--- a/include/mesos/v1/mesos.proto
+++ b/include/mesos/v1/mesos.proto
@@ -3207,6 +3207,13 @@ message SeccompInfo {
 // relative to the directory containing Seccomp profiles,
 // which is specified on the agent via the `--seccomp_config_dir` flag.
 optional string profile_name = 1;
+
+ // If set to `true`, Seccomp is not applied to the container.
+ // If not set or set to `false`, the container is launched with
+ // the profile specified in the `profile_name` field.
+ //
+ // NOTE: `profile_name` should not be specified if `unconfined` set to `true`.
+ optional bool unconfined = 2;
 }
diff --git a/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp b/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp
index 1c94e12..f0c58c1 100644
--- a/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp
+++ b/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp
@@ -93,6 +93,16 @@ Future<Option<ContainerLaunchInfo>> LinuxSeccompIsolatorProcess::prepare(
 const auto& seccomp = containerConfig.container_info().linux_info().seccomp();
+ const bool unconfined = seccomp.has_unconfined() ? seccomp.unconfined() : false;
+
+ // Validate Seccomp configuration.
+ if (unconfined && seccomp.has_profile_name()) {
+ return Failure(
+ "Invalid Seccomp configuration: 'profile_name' given even "
+ "though 'unconfined' Seccomp setting is enabled");
+ }
+
 if (seccomp.has_profile_name()) {
 const auto path = path::join(flags.seccomp_config_dir.get(), seccomp.profile_name());
@@ -105,6 +115,8 @@ Future<Option<ContainerLaunchInfo>> LinuxSeccompIsolatorProcess::prepare(
 }
 profile = customProfile.get();
+ } else if (unconfined) {
+ return None();
 } else {
 return Failure("Missing Seccomp profile name");
 }
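Review bot: `seccomp.has_unconfined() ? seccomp.unconfined() : false` in the first seccomp.cpp hunk is redundant for a proto2 `optional bool` declared without an explicit default: the generated getter already returns `false` when the field is unset, so `const bool unconfined = seccomp.unconfined();` is equivalent and shorter. The check that follows is the only place the two fields are reconciled, so the comment `// Validate Seccomp configuration.` would carry more weight if it said why the combination is refused: `// 'unconfined' and 'profile_name' are mutually exclusive; refuse rather than guess which one the framework meant.` prepare()'s signature and the rest of its body lie outside this hunk.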
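Review bot: The new `else if (unconfined) { return None(); }` branch in the second seccomp.cpp hunk drops Seccomp filtering for the container entirely, including the agent's default profile, and leaves no trace in the agent log; nothing in the hunk consults an agent-side setting, so any framework can switch this control off for its own tasks. At least record the decision at launch, e.g. `LOG(INFO) << "Seccomp filtering disabled for container " << containerId << " ('unconfined' is set)";` before the `return None();` (prepare()'s parameter list is before the hunk, so I am assuming the usual `containerId` argument is in scope). Whether operators need an agent-level way to forbid `unconfined` is a design question the docs change does not answer; it is worth recording as a TODO here or in docs/isolators/linux-seccomp.md.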
