[
https://issues.apache.org/jira/browse/MESOS-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808606#comment-16808606
]
James DeFelice commented on MESOS-7523:
---------------------------------------
Yes, still relevant. But the need is more along the lines of "some kinds of
privileged containers need access to the entire devices tree". Or, in other
words, the "devices" cgroup settings should allow some kinds of privileged
containers full access to /dev. There are multiple people that have asked for
this and the current workarounds are quite ugly (and not very secure).
> Whitelist devices in bulk on a per-container basis
> --------------------------------------------------
>
> Key: MESOS-7523
> URL: https://issues.apache.org/jira/browse/MESOS-7523
> Project: Mesos
> Issue Type: Improvement
> Reporter: James DeFelice
> Priority: Major
> Labels: containerization, csi-post-mvp, mesosphere,
> mesosphere-dss-post-ga, storage
>
> Continuation of the work in MESOS-6791
> It should be possible to whitelist a range (R) of devices such that R may be
> exposed to a container launched by an agent. Not all containers should have
> access to R by default, only those containers whose ContainerInfo specifies
> such access.
> For example, it may be useful to whitelist the range of devices matching the
> glob expressions `/dev/{s,h,xv}d[a-z]*` and `/dev/dm-*` and
> `/dev/mapper/*` for a container that intends to manage storage devices.
> /cc [~jieyu]
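Added example (not part of the JIRA issue or of the Mesos code base): a sketch of how the glob patterns from the issue description could be resolved into "devices" cgroup whitelist entries, and only for a container that asks for them. The device table is constructed sample data, and the `device_globs` field and all function names are hypothetical.

```python
import re

# Constructed sample of device nodes: path -> (type, major, minor).
SAMPLE_DEVICES = {
    "/dev/sda": ("b", 8, 0), "/dev/sda1": ("b", 8, 1),
    "/dev/xvdb": ("b", 202, 16), "/dev/dm-0": ("b", 253, 0),
    "/dev/mapper/vg0-data": ("b", 253, 0),   # same node as /dev/dm-0
    "/dev/mapper/control": ("c", 10, 236),
    "/dev/null": ("c", 1, 3), "/dev/mem": ("c", 1, 1),
}
STORAGE_GLOBS = ["/dev/{s,h,xv}d[a-z]*", "/dev/dm-*", "/dev/mapper/*"]

def glob_to_regex(pattern):
    """Translate a glob ({a,b}, [a-z], *, ?) to a regex for fullmatch().
    '*' and '?' never match '/', so a pattern stays inside its directory.
    An unbalanced '{' makes re.compile raise, which fails closed."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in pattern[i + 1:]:
            j = pattern.index("]", i + 1)
            out.append(pattern[i:j + 1])     # simple classes pass through
            i = j
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def whitelist_entries(patterns, devices, access="rwm"):
    """Return de-duplicated 'type major:minor access' lines for matching nodes."""
    regexes = [glob_to_regex(p) for p in patterns]
    return sorted({f"{kind} {major}:{minor} {access}"
                   for path, (kind, major, minor) in devices.items()
                   if any(r.fullmatch(path) for r in regexes)})

def entries_for_container(container_info, devices):
    """Default deny: a container that requests no globs gets no extra entries."""
    return whitelist_entries(container_info.get("device_globs", []), devices)
```

Note that `/dev/mapper/*` also admits the device-mapper control node (`c 10:236` in the sample), which is worth reviewing before granting a glob in bulk.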