Jie Yu created MESOS-7653:
-----------------------------
Summary: Support launching slave using unprivileged user.
Key: MESOS-7653
URL: https://issues.apache.org/jira/browse/MESOS-7653
Project: Mesos
Issue Type: Improvement
Reporter: Jie Yu
Priority: Minor
This ticket captures the work needed to support launching the agent as an
unprivileged user.
1) The agent binary needs to have file capabilities set. Since the agent needs to
manipulate cgroups (if using the linux launcher or the cgroups isolator) and clone
namespaces (if using the linux launcher), the CAP_SYS_ADMIN capability must be in the
agent process's effective set. Either the "Effective" bit should be set on the agent
binary, so that the permitted capabilities gained on exec'ing the binary are
put into the effective set of the agent process automatically, or the agent
must raise the capability itself, which it can do as long as the capability is in its
permitted set.
2) The launch of the user task is done by the `mesos-containerizer` binary.
Either the agent raises ambient capabilities (using prctl with
PR_CAP_AMBIENT_RAISE), or we need to make sure the `mesos-containerizer` binary
has file capabilities set so that it is able to do things like `setuid` after the
agent exec's the helper. That means the agent process should have the
required capabilities in its inheritable set (at least), and also in its permitted set if
the ambient capabilities route is chosen.
3) If the linux capabilities isolator is enabled, then in order for frameworks to
gain any capabilities they like, the process launching the agent process should
have all capabilities in its inheritable set and its bounding set, so that those
capabilities can be regained later.
http://man7.org/linux/man-pages/man7/capabilities.7.html
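The prerequisites above (a capability must be in the permitted set before it can be raised into the effective set, and in both the permitted and inheritable sets before PR_CAP_AMBIENT_RAISE can succeed) can be checked from /proc/self/status before the agent tries either route. The following is an added example, not Mesos code; the function names and the constructed status snippet are assumptions, and CAP_SYS_ADMIN is taken as capability bit 21 per linux/capability.h.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_CAP_AMBIENT            /* fallbacks for older headers; values from linux/prctl.h */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif
#define CAP_SYS_ADMIN_BIT 21      /* CAP_SYS_ADMIN in linux/capability.h */

/* Constructed /proc/<pid>/status excerpt: CAP_SYS_ADMIN permitted+inheritable, not effective. */
static const char SAMPLE_STATUS[] =
    "CapInh:\t0000000000200000\nCapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n";

/* Parse one "CapXxx:<tab><hex>" line; returns the 64-bit mask, or 0 if the field is absent. */
static unsigned long long cap_mask(const char *status, const char *field) {
    const char *p = strstr(status, field);
    if (!p) return 0;
    p += strlen(field);
    while (*p == ':' || *p == ' ' || *p == '\t') p++;
    return strtoull(p, NULL, 16);
}

static int cap_in(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Route for getting `cap` effective: 0 = already effective (e.g. file "Effective" bit set),
 * 1 = the process can raise it itself via capset (it is permitted), 2 = not available. */
static int effective_route(const char *status, int cap) {
    if (cap_in(cap_mask(status, "CapEff"), cap)) return 0;
    if (cap_in(cap_mask(status, "CapPrm"), cap)) return 1;
    return 2;
}

/* PR_CAP_AMBIENT_RAISE only succeeds when `cap` is in both permitted and inheritable sets. */
static int ambient_raise_viable(const char *status, int cap) {
    return cap_in(cap_mask(status, "CapPrm"), cap) && cap_in(cap_mask(status, "CapInh"), cap);
}

/* Attempt the ambient raise; returns 0 on success or errno (EPERM when prerequisites are missing). */
static int try_ambient_raise(int cap) {
#ifdef __linux__
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : errno;
#else
    (void)cap; return ENOSYS;
#endif
}

int main(void) {
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    printf("effective route: %d, ambient viable: %d, raise -> %d\n",
           effective_route(buf, CAP_SYS_ADMIN_BIT), ambient_raise_viable(buf, CAP_SYS_ADMIN_BIT),
           try_ambient_raise(CAP_SYS_ADMIN_BIT));
    return 0;
}
```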
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)