> On June 11, 2017, 6:23 p.m., Jie Yu wrote:
> > src/slave/flags.cpp
> > Line 608 (original), 603 (patched)
> > <https://reviews.apache.org/r/59554/diff/3/?file=1747645#file1747645line608>
> >
> > Is that still true? I think that depends on if bounding is set or not.

I think it is still true that leaving the `effective_capabilities` clear and running as root means you intend to allow ALL capabilities. If you also set the `bounding_capabilities` then you are additionally expressing the intent to bound the capabilities, but that doesn't make the original intent untrue. I'm not sure that this is the right place to discuss how the various features interact, though I definitely agree that that topic should be discussed and explained clearly.

- James

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59554/#review177575
-----------------------------------------------------------

On June 5, 2017, 4:57 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59554/
> -----------------------------------------------------------
>
> (Updated June 5, 2017, 4:57 p.m.)
>
>
> Review request for mesos, Jie Yu and Jiang Yan Xu.
>
>
> Bugs: MESOS-7477
> https://issues.apache.org/jira/browse/MESOS-7477
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Since the `--allowed_capabilities` flag was being used to actually
> grant capabilities, rename it to `--effective_capabilities` which better
> conveys the intention and semantics of this flag.
>
>
> Diffs
> -----
>
> docs/configuration.md ed510fa638878b71e7fcff4850152a8a8622127e
> docs/linux_capabilities.md b588aff6842a14bbf7ff5c35931cac61f9019805
> src/slave/containerizer/mesos/isolators/linux/capabilities.cpp 60d22aa877c1ab62a08222e5efe8800e337684da
> src/slave/flags.hpp 2f9d52e94c2c31e95208cd8b0640a5de2d2a61fd
> src/slave/flags.cpp 93c8ffb5c822cf6c99071be7aca52a6b3d187619
> src/tests/containerizer/linux_capabilities_isolator_tests.cpp 40376a03fdb8f931f8d3f83b1c3fa6207e02c1d1
>
>
> Diff: https://reviews.apache.org/r/59554/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 25)
>
>
> Thanks,
>
> James Peach
>
>
