Stephan Erb created MESOS-3277:
----------------------------------

             Summary: Implement basic security isolators such as linux/apparmor or linux/seccomp
                 Key: MESOS-3277
                 URL: https://issues.apache.org/jira/browse/MESOS-3277
             Project: Mesos
          Issue Type: Story
          Components: containerization, isolation
            Reporter: Stephan Erb


As an operator of a Mesos cluster, I would like to gain some control over what 
is happening inside launched containers. Specifically, I want to make it a 
little bit more difficult for untrusted code to escape its container 
confinement (e.g., prevent access to certain kernel features, raw devices, ...).

Inspired by [LXC | https://github.com/lxc/lxc], Mesos could offer two new 
isolators:

* *linux/apparmor*: Isolator which applies an AppArmor security profile to 
containers. A cluster-wide default profile could be similar to the 
[default shipped by LXC|https://github.com/lxc/lxc/blob/master/config/apparmor/abstractions/container-base].

* *linux/seccomp*: Isolator based on the 
[seccomp syscall filter|https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt]. 
Seccomp is a mechanism for minimizing the exposed kernel surface by reducing 
the set of allowed syscalls.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
