[ 
https://issues.apache.org/jira/browse/MESOS-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867331#comment-16867331
 ] 

longfei commented on MESOS-7653:
--------------------------------

We worked around cgroups, but root privilege is still needed to provision docker 
images/mount overlayfs/chroot...


We don't want to run mesos-slave with root privilege because:
 1) Users may submit malicious commands, for instance, "rm -rf /".
 2) Our tasks may depend on some other processes. If we create a file/dir as 
root, others cannot write to it.

I know switch-user may help but we want it to be more restricted.


Our solution: We create cgroups_root as root and chown it to an unprivileged 
user (say A). The "geteuid() == 0" check for cgroups is also disabled, so we 
are able to run mesos-slave as user A.


It worked fine until we wanted to do some filesystem isolation, which requires 
the filesystem/linux isolator.

I found that CAP_SYS_ADMIN/CAP_MKNOD/CAP_SYS_CHROOT (maybe more) are required. 
So is it possible for a user with (only) those capabilities to run mesos-slave?

> Support launching slave using unprivileged user.
> ------------------------------------------------
>
>                 Key: MESOS-7653
>                 URL: https://issues.apache.org/jira/browse/MESOS-7653
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Jie Yu
>            Priority: Minor
>
> This ticket captures the work needed to support launching the agent using an 
> unprivileged user.
> 1) The agent binary needs to have file capabilities set. Given the agent needs to 
> manipulate cgroups (if using the linux launcher or cgroups isolator) and clone 
> namespaces (if using the linux launcher), the CAP_SYS_ADMIN capability must be in 
> the agent process's effective set. Either the "Effective" bit should be set on 
> the agent binary so that the permitted capabilities gained on exec'ing the 
> binary will be put into the effective set of the agent process automatically, 
> or the agent will raise the capability itself as long as the capabilities are 
> in the permitted set.
> 2) Since the launch of the user task will be done by the `mesos-containerizer` 
> binary, either the agent will raise ambient capabilities (using prctl 
> PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer` binary 
> has file capabilities set so that it is able to do things like `setuid` after 
> the agent exec'ed the helper. That means the agent process should have those 
> required capabilities in its inheritable set (at least) and permitted set if 
> the ambient capabilities route is chosen.
> 3) If the linux capabilities isolator is enabled, in order for the framework to 
> gain any capabilities it likes, the process launching the agent process 
> should have all capabilities in its inheritable set and its bounding set so 
> that those capabilities can be regained later.
> http://man7.org/linux/man-pages/man7/capabilities.7.html
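The quoted ticket describes the agent needing CAP_SYS_ADMIN in its effective set (raised from the permitted set), and the ambient route to hand capabilities to `mesos-containerizer` via prctl PR_CAP_AMBIENT_RAISE, which capabilities(7) only allows for a capability already in both the permitted and inheritable sets. The following C program is an added example, not Mesos code: it reads the Cap* lines of /proc/self/status, reports which of the three capabilities named in the comment (CAP_SYS_ADMIN, CAP_MKNOD, CAP_SYS_CHROOT; the comment says "maybe more", so this is not a full audit) are missing from the effective set, checks the ambient-raise precondition for each, and then attempts the raise. It assumes Linux 4.3 or later for ambient capabilities; the `SAMPLE_STATUS` text is a constructed excerpt used as a fallback and for self-checks, and the function names are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Capability bit numbers as in linux/capability.h; guarded so the file also
 * builds where that header has already been pulled in. */
#ifndef CAP_SYS_CHROOT
#define CAP_SYS_CHROOT 18
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
#ifndef CAP_MKNOD
#define CAP_MKNOD 27
#endif
/* prctl(2) ambient-capability constants (Linux >= 4.3), same guard. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

#define CAP_BIT(c) ((uint64_t)1 << (c))

/* The capabilities the comment names as required by the filesystem/linux
 * isolator ("maybe more"): this is the comment's list, not a full audit. */
static const uint64_t NEEDED_CAPS =
    CAP_BIT(CAP_SYS_ADMIN) | CAP_BIT(CAP_MKNOD) | CAP_BIT(CAP_SYS_CHROOT);

/* Constructed /proc/self/status excerpt (not from a real host): CAP_SYS_ADMIN
 * is permitted but not effective, and the inheritable set is empty. */
static const char SAMPLE_STATUS[] =
    "Name:\tmesos-agent\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n";

const char *cap_name(unsigned cap) {
    switch (cap) {
    case CAP_SYS_CHROOT: return "CAP_SYS_CHROOT";
    case CAP_SYS_ADMIN:  return "CAP_SYS_ADMIN";
    case CAP_MKNOD:      return "CAP_MKNOD";
    default:             return "CAP_?";
    }
}

/* Parse the 64-bit hex mask printed on a Cap* line of /proc/<pid>/status. */
uint64_t parse_cap_mask(const char *hex) {
    return (uint64_t)strtoull(hex, NULL, 16);
}

/* Find "<label>:" at the start of a line in status text and return its mask,
 * or UINT64_MAX if no such line exists. */
uint64_t cap_set_value(const char *status, const char *label) {
    size_t n = strlen(label);
    const char *p = status;
    while ((p = strstr(p, label)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[n] == ':') {
            p += n + 1;
            while (*p == ' ' || *p == '\t') p++;
            return parse_cap_mask(p);
        }
        p += n;
    }
    return UINT64_MAX;
}

/* Bits of `need` that are absent from `have`: what the process still lacks. */
uint64_t caps_missing(uint64_t have, uint64_t need) {
    return need & ~have;
}

/* capabilities(7): PR_CAP_AMBIENT_RAISE succeeds only if the capability is
 * already in both the permitted and the inheritable set. */
int ambient_raise_ok(uint64_t permitted, uint64_t inheritable, unsigned cap) {
    return (permitted & CAP_BIT(cap)) && (inheritable & CAP_BIT(cap)) ? 1 : 0;
}

/* Perform the raise for real; returns 0 on success or -errno on failure
 * (EPERM when the precondition above is not met). */
int try_raise_ambient(unsigned cap) {
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0, 0) == -1)
        return -errno;
    return 0;
}

int main(void) {
    char buf[8192];
    size_t len = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { len = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    buf[len] = '\0';
    const char *status = len ? buf : SAMPLE_STATUS; /* fall back to the constructed sample */

    uint64_t inh = cap_set_value(status, "CapInh");
    uint64_t prm = cap_set_value(status, "CapPrm");
    uint64_t eff = cap_set_value(status, "CapEff");
    printf("CapInh=%016llx CapPrm=%016llx CapEff=%016llx\n",
           (unsigned long long)inh, (unsigned long long)prm, (unsigned long long)eff);

    uint64_t miss = caps_missing(eff, NEEDED_CAPS);
    for (unsigned c = 0; c < 64; c++) {
        if (!(NEEDED_CAPS & CAP_BIT(c))) continue;
        int rc = try_raise_ambient(c);
        printf("%-15s effective:%s ambient-raise precondition:%s prctl:%s\n",
               cap_name(c), (miss & CAP_BIT(c)) ? "no " : "yes",
               ambient_raise_ok(prm, inh, c) ? "yes" : "no",
               rc ? strerror(-rc) : "ok");
    }
    return miss ? 1 : 0;
}
```

Run as an ordinary user the program reports all three capabilities missing and EPERM from prctl, which is exactly the situation the comment describes; run from a binary with file capabilities whose inheritable set includes them, the precondition column flips to "yes" and the raise succeeds, after which an exec'ed helper such as `mesos-containerizer` keeps them without needing its own file capabilities.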



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
