> On Oct. 20, 2016, 7:24 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/launch.cpp, lines 592-603
> > <https://reviews.apache.org/r/53062/diff/1/?file=1542360#file1542360line592>
> >
> >     This won't work because data services explicitly want to get limit
> >     above what's configured.
> 
> Benjamin Bannier wrote:
>     Wouldn't we poke a giant hole into the system if we allowed unprivileged
>     tasks to set arbitrary rlimits from potentially `root` the agent might be
>     running as without any checks on the agent side? AFAICT above code allows
>     non-privileged tasks to only lower limits, while privileged tasks can still
>     set any limits, which should be safe and enables rlimits for a large class of
>     frameworks.
>     
>     Note that we set rlimits before we potentially drop capabilities like
>     `CAP_SYS_RESOURCE`. I now mention this fact explicitly in the comment.
>     
>     Once we implement agent functionality to check against limiting rlimits
>     we might be able to open up above restriction.
Well, the agent will also allow a framework to launch a container under root. I think we deliberately want to allow that. The authn/authz problem should be handled in the authn/authz module.

I want to allow a task running under a non-privileged user to be able to increase the hard rlimit. This is required by many data services. Also, this is what runc does (and OCI specifies).

- Jie


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53062/#review153441
-----------------------------------------------------------


On Oct. 20, 2016, 10:38 p.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53062/
> -----------------------------------------------------------
> 
> (Updated Oct. 20, 2016, 10:38 p.m.)
> 
> 
> Review request for mesos and Jie Yu.
> 
> 
> Bugs: MESOS-6426
>     https://issues.apache.org/jira/browse/MESOS-6426
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This commit adds a new launch flag `--rlimits` which can be used to
> specify POSIX resource limits for the container. The resource limits
> are set as the user, so to increase resource limits beyond configured
> system limits additional privileges might be needed.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.hpp f8bac0650965a49562b9910bf6140ded8dbb69ac 
>   src/slave/containerizer/mesos/launch.cpp 4a41aaf103f5a9bc6f7a798f63f491fc7cf11f7e 
> 
> Diff: https://reviews.apache.org/r/53062/diff/
> 
> 
> Testing
> -------
> 
> Tested as part of https://reviews.apache.org/r/53078/.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>
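The launcher-side policy the thread argues about (an unprivileged task may only lower rlimits, a privileged one may set anything, and limits are applied before capabilities such as `CAP_SYS_RESOURCE` are dropped), written out as an added C++ example. This is not the Mesos `launch.cpp` code under review; `mayApplyUnprivileged` and `applyRlimit` are names assumed here for illustration.

```cpp
#include <sys/resource.h>
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>

// RLIM_INFINITY is not numerically comparable to finite limits, so treat it
// explicitly: an infinite current limit permits anything, and an infinite
// request is only allowed when the current limit is already infinite.
static bool notAbove(rlim_t requested, rlim_t current) {
  if (current == RLIM_INFINITY) return true;
  if (requested == RLIM_INFINITY) return false;
  return requested <= current;
}

// Policy from the review: without privileges the hard limit may not grow,
// and the soft limit must never exceed the requested hard limit.
bool mayApplyUnprivileged(const struct rlimit& current,
                          const struct rlimit& requested) {
  return notAbove(requested.rlim_max, current.rlim_max) &&
         notAbove(requested.rlim_cur, requested.rlim_max);
}

// Apply one limit. A privileged caller (still holding CAP_SYS_RESOURCE,
// i.e. before capabilities are dropped) skips the policy check; the kernel
// itself still rejects soft > hard and, for unprivileged callers, any raise
// of the hard limit with EPERM. Returns "" on success, else a message.
std::string applyRlimit(int resource, rlim_t soft, rlim_t hard,
                        bool privileged) {
  struct rlimit current;
  if (getrlimit(resource, &current) != 0)
    return std::string("getrlimit: ") + strerror(errno);
  struct rlimit requested = {soft, hard};
  if (!privileged && !mayApplyUnprivileged(current, requested))
    return "refused: an unprivileged task may only lower limits";
  if (setrlimit(resource, &requested) != 0)
    return std::string("setrlimit: ") + strerror(errno);
  return "";
}

int main() {
  // Demo as an unprivileged caller: lower the soft open-files limit only.
  struct rlimit cur;
  if (getrlimit(RLIMIT_NOFILE, &cur) != 0) return 1;
  rlim_t soft = cur.rlim_cur < 256 ? cur.rlim_cur : 256;
  std::string err = applyRlimit(RLIMIT_NOFILE, soft, cur.rlim_max, false);
  std::printf("lower soft NOFILE: %s\n", err.empty() ? "ok" : err.c_str());
  return 0;
}
```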
