[ https://issues.apache.org/jira/browse/MESOS-1593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062918#comment-14062918 ]
Benjamin Hindman commented on MESOS-1593:
-----------------------------------------
IIUC, Docker forces us to launch containers as root (I'd be pleasantly
surprised if there was another way). The Docker daemon runs as root (which it
must, because it's doing things like manipulating cgroups) and I believe the
process that it forks within the container is thus root by default.

So, the best we can do is use --user=foo, but an image must be set up to
actually have that user! We can definitely do authz on that user, although it's
a little different than a user running on the host and I'm not sure exactly
what doing authz buys us.

(Eventually I believe the hope is that containers will be safe enough that
giving them root from within their container will be safe, even if it's not
today.)
> Add DockerInfo Configuration
> ----------------------------
>
> Key: MESOS-1593
> URL: https://issues.apache.org/jira/browse/MESOS-1593
> Project: Mesos
> Issue Type: Task
> Reporter: Timothy Chen
> Assignee: Timothy Chen
>
> We want to add a new proto message to encapsulate all Docker related
> configurations into DockerInfo.
> Here is the document that describes the design for DockerInfo:
> https://github.com/tnachen/mesos/wiki/DockerInfo-design