This is an automated email from the ASF dual-hosted git repository. jpeach pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit d304acbf456577446430a2a2f262c01bd26a0630 Author: Jacob Janco <[email protected]> AuthorDate: Sat Jul 20 23:35:31 2019 -0700 Added documentation for the `linux/nnp` isolator. Review: https://reviews.apache.org/r/71107/ --- CHANGELOG | 4 ++++ docs/isolators/linux-nnp.md | 15 +++++++++++++++ docs/mesos-containerizer.md | 1 + docs/upgrades.md | 4 ++++ 4 files changed, 24 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 3c53089..8fbf927 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -18,6 +18,10 @@ This release contains the following highlights: added. This causes the agent to ignore any runtime configuration present in Docker images. + * [MESOS-9770] - Add no-new-privileges isolator. An additional + Linux isolator has been added to support enabling the no_new_privs + process control flag. + * [MESOS-9771] - The Mesos containerizer now masks sensitive paths in `/proc` for containers that do not share the host's PID namespace. diff --git a/docs/isolators/linux-nnp.md b/docs/isolators/linux-nnp.md new file mode 100644 index 0000000..1b5806c --- /dev/null +++ b/docs/isolators/linux-nnp.md @@ -0,0 +1,15 @@ +--- +title: Apache Mesos - Linux NNP (no\_new\_privs) Isolator in Mesos Containerizer +layout: documentation +--- + +# Linux NNP Support in Mesos Containerizer + +This document describes the `linux/nnp` isolator. This isolator sets the +[no\_new\_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) +flag for all containers launched using the [MesosContainerizer](../mesos-containerizer.md). + +The `no_new_privs` flag disables the ability of container tasks to acquire any additional +privileges by means of executing a child process e.g. through invocation of `setuid` or +`setgid` programs. To enable the `linux/nnp` isolator, append `linux/nnp` to the +[`--isolation`](../configuration/agent.md#isolation) flag when starting the Mesos agent. diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md index e799761..3231cb9 100644 
--- a/docs/mesos-containerizer.md +++ b/docs/mesos-containerizer.md @@ -49,6 +49,7 @@ Mesos supports the following built-in isolators. - [gpu/nvidia](gpu-support.md) - [linux/capabilities](isolators/linux-capabilities.md) - [linux/devices](isolators/linux-devices.md) +- [linux/nnp](isolators/linux-nnp.md) - [linux/seccomp](isolators/linux-seccomp.md) - [namespaces/ipc](isolators/namespaces-ipc.md) - [namespaces/pid](isolators/namespaces-pid.md) diff --git a/docs/upgrades.md b/docs/upgrades.md index 0493e18..2be13fb 100644 --- a/docs/upgrades.md +++ b/docs/upgrades.md @@ -48,6 +48,7 @@ We categorize the changes as follows: <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Mesos Core--> <ul style="padding-left:10px;"> + <li>A <a href="#1-9-x-linux-nnp-isolator">Linux NNP isolator</a></li> <li>A <a href="#1-9-x-hostname-validation-scheme">hostname_validation_scheme</a></li> <li>C <a href="#1-9-x-client-certificate-verification">TLS certificate verification behaviour</a></li> </ul> @@ -508,6 +509,9 @@ We categorize the changes as follows: ## Upgrading from 1.8.x to 1.9.x ## +<a name="1-9-x-linux-nnp-isolator"></a> + * A new [`linux/nnp`](isolators/linux-nnp.md) isolator has been added. The isolator supports setting of the `no_new_privs` bit in the container, preventing tasks from acquiring additional privileges. + <a name="1-9-x-docker-ignore-runtime"></a> * A new [`--docker_ignore_runtime`](configuration/agent.md#docker_ignore_runtime) flag has been added. This causes the agent to ignore any runtime configuration present in Docker images.
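Review bot: The CHANGELOG entry for MESOS-9770 never names the isolator, so a reader cannot map the highlight to an `--isolation` value; the same commit's linux-nnp.md calls it `linux/nnp`. Suggest rewording the first line to `* [MESOS-9770] - Add the `linux/nnp` (no-new-privileges) isolator.` so the changelog and the documentation use the same identifier.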
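Review bot: The second paragraph of the new docs/isolators/linux-nnp.md describes only the setuid/setgid case and leaves out the two properties of `no_new_privs` that operators most need before enabling it: per the linked kernel document, the flag also stops file capabilities from adding to the permitted set on `execve`, and once set it is inherited by every child (fork/clone) and cannot be cleared. The practical consequence is that a task relying on a setuid or file-capability helper will run it without the extra privilege rather than fail at launch, which is easy to misdiagnose. Suggest adding after the sentence ending `programs.`: `The flag also prevents file capabilities from raising privileges, is inherited by all child processes and cannot be unset for the lifetime of the container; review tasks that depend on setuid/setgid helpers before enabling the isolator.` The paragraph should also say whether the flag applies unconditionally to every container once the isolator is configured, since no per-task opt-out is described. Separately, check that the backslash-escaped underscores in the YAML `title:` front-matter line render correctly; YAML treats those backslashes as literal characters, unlike the Markdown body.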
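Review bot: The new "Upgrading from 1.8.x to 1.9.x" bullet in docs/upgrades.md should state that the isolator is opt-in, so operators reading the upgrade notes do not conclude that the upgrade changes container privilege behaviour by default; linux-nnp.md in this same commit says it takes effect only when `linux/nnp` is appended to `--isolation`. Suggest appending to the bullet: `The isolator is active only when `linux/nnp` is included in the agent's `--isolation` flag.`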
