[jira] [Commented] (MESOS-7523) Whitelist devices in bulk on a per-container basis
[ https://issues.apache.org/jira/browse/MESOS-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16808606#comment-16808606 ]

James DeFelice commented on MESOS-7523:
---

Yes, still relevant. But the need is more along the lines of "some kinds of privileged containers need access to the entire devices tree". Or, in other words, the "devices" cgroup settings should allow some kinds of privileged containers full access to /dev. There are multiple people that have asked for this and the current workarounds are quite ugly (and not very secure).

> Whitelist devices in bulk on a per-container basis
> --
>
> Key: MESOS-7523
> URL: https://issues.apache.org/jira/browse/MESOS-7523
> Project: Mesos
> Issue Type: Improvement
> Reporter: James DeFelice
> Priority: Major
> Labels: containerization, csi-post-mvp, mesosphere, mesosphere-dss-post-ga, storage
>
> Continuation of the work in MESOS-6791
>
> It should be possible to whitelist a range (R) of devices such that R may be exposed to a container launched by an agent. Not all containers should have access to R by default, only those containers whose ContainerInfo specifies such access.
>
> For example, it may be useful to whitelist the range of devices matching the glob expressions `/dev/{s,h,xv}d[a-z]*` and `/dev/dm-*` and `/dev/mapper/*` for a container that intends to manage storage devices.
>
> /cc [~jieyu]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
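The per-container whitelist the ticket describes, worked as an added example that is not Mesos code: the storage globs from the description are expanded into concrete devices-cgroup rules (the `<type> <major>:<minor> <perms>` lines a `devices.allow` file takes), and a check flags any rule set that has collapsed into the whole-/dev access the comment above calls insecure. The device table is constructed inline rather than read from a real /dev so the block runs offline.

```python
import fnmatch
import re

# Constructed sample of device nodes as (path, type, major, minor); a real
# implementation would walk /dev and take these from os.stat(...).st_rdev.
SAMPLE_DEV = [
    ("/dev/sda", "b", 8, 0),
    ("/dev/sda1", "b", 8, 1),
    ("/dev/xvda", "b", 202, 0),
    ("/dev/dm-0", "b", 253, 0),
    ("/dev/mapper/vg-root", "b", 253, 0),  # same node as dm-0, via mapper name
    ("/dev/null", "c", 1, 3),
    ("/dev/kmem", "c", 1, 2),
]

_BRACE = re.compile(r"\{([^{}]*)\}")


def expand_braces(pattern):
    """Expand {a,b,c} alternatives, which fnmatch does not understand."""
    m = _BRACE.search(pattern)
    if m is None:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def whitelist_rules(globs, devices=SAMPLE_DEV, perms="rwm"):
    """Return devices.allow lines ("<type> <major>:<minor> <perms>") for every
    existing node matched by at least one glob, de-duplicated and sorted.
    Rules come only from concrete nodes, so a glob can never widen into the
    "a *:* rwm" catch-all; an empty list means nothing would be exposed."""
    patterns = [p for g in globs for p in expand_braces(g)]
    matched = {
        (kind, major, minor)
        for path, kind, major, minor in devices
        if any(fnmatch.fnmatchcase(path, p) for p in patterns)
    }
    return [f"{k} {maj}:{mn} {perms}" for k, maj, mn in sorted(matched)]


def grants_full_dev(rules):
    """True if any rule is a wildcard (type 'a' or a '*' major/minor), i.e. the
    container would get the entire device tree instead of a bounded range R."""
    for rule in rules:
        kind, ids, _perms = rule.split()
        if kind == "a" or "*" in ids:
            return True
    return False
```

Feeding the resulting lines to a container's `devices.allow` is what a cgroup v1 isolator would do; the same rule tuples map onto a cgroup v2 device eBPF filter.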
[jira] [Commented] (MESOS-7523) Whitelist devices in bulk on a per-container basis
[ https://issues.apache.org/jira/browse/MESOS-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16736915#comment-16736915 ]

Benjamin Bannier commented on MESOS-7523:
-

[~jdef], is this still relevant? If not we should probably at least remove its link to MESOS-8428 and track it as a more general containerization improvement.

> Whitelist devices in bulk on a per-container basis
> --
>
> Key: MESOS-7523
> URL: https://issues.apache.org/jira/browse/MESOS-7523
> Project: Mesos
> Issue Type: Improvement
> Reporter: James DeFelice
> Priority: Major
> Labels: csi-post-mvp, mesosphere, storage
>
> [issue description as quoted above]
[jira] [Commented] (MESOS-7523) Whitelist devices in bulk on a per-container basis
[ https://issues.apache.org/jira/browse/MESOS-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16281445#comment-16281445 ]

Adam B commented on MESOS-7523:
---

[~jieyu] Is this completed already? If so, please close the ticket with FixVersion 1.5.0 linking to the commits. If not, please set the TargetVersion for 1.5.0 (now!), 1.6.0, or close it as Won't Do.

> Whitelist devices in bulk on a per-container basis
> --
>
> Key: MESOS-7523
> URL: https://issues.apache.org/jira/browse/MESOS-7523
> Project: Mesos
> Issue Type: Bug
> Reporter: James DeFelice
> Labels: mesosphere, storage
>
> [issue description as quoted above]