seccomp for better mesos sandboxes?
I was reading a Docker security article this morning: https://opensource.com/business/15/3/docker-security-future ... and there's talk about leveraging libseccomp bindings to enhance Docker container security. It seems to me that similar security concerns probably exist for mesos deployments (using Docker or not). Has anyone thought of integrating something like this to further isolate mesos container sandboxes?

For reference: https://github.com/seccomp/libseccomp

-James
Re: Denver Mesos User Group
Excellent, thanks for taking the lead here! I've added Denver to our list of User Groups -- we're now up to 12 world-wide! http://mesos.apache.org/community/user-groups/

Dave

On Thu, Mar 26, 2015, at 06:16 AM, Paul Otto wrote:

Hi all,

I am excited to announce that the Denver Mesos User Group has been created! We will be organizing our first meeting shortly! http://www.meetup.com/Denver-Mesos-User-Group

Regards,
Paul

Paul Otto
Principal DevOps Architect, Co-founder
Otto Ops LLC | _OttoOps.com_
970.343.4561 office
720.381.2383 cell
Slave recovery not recovering tasks when using systemd
Dear Mesos Users,

I just wanted to point out a solved issue (https://issues.apache.org/jira/browse/MESOS-2419) where the systemd default behaviour prevents tasks from recovering. The problem is that the default KillMode for systemd processes is cgroup (http://www.freedesktop.org/software/systemd/man/systemd.kill.html) and hence all child processes are killed when the slave stops. Explicitly setting the KillMode to process allows the executors to survive and reconnect.

Feel free to check our configuration at: https://github.com/mesosphere/mesos-deb-packaging/blob/master/systemd/slave.systemd

Thanks,
Joerg
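A way to check which KillMode a slave unit ends up with once drop-ins are applied, as an added example that is not part of the original message or of the Mesosphere packaging. The unit name, paths and sample file contents are constructed assumptions; the default is printed as control-group, the spelling used in systemd.kill(5).

```shell
#!/bin/sh
# Added example: report the KillMode a set of unit files gives a service.
# Pass the main unit first, then any drop-ins, in the order systemd applies them.

effective_killmode() {
    # The last KillMode= in a [Service] section wins; with none present,
    # systemd falls back to control-group and kills the unit's whole cgroup.
    cat "$@" | awk '
        /^[ \t]*[#;]/ { next }   # skip comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*KillMode[ \t]*=/ {
            sub(/^[ \t]*KillMode[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            mode = $0
        }
        END { print (mode == "" ? "control-group" : mode) }
    '
}

executors_survive_stop() {
    # True only when stopping the unit signals the main process alone.
    [ "$(effective_killmode "$@")" = "process" ]
}

# Constructed sample files (unit name and paths are assumptions).
demo_dir=$(mktemp -d)
cat > "$demo_dir/mesos-slave.service" <<'EOF'
[Unit]
Description=Mesos Slave (constructed sample)

[Service]
ExecStart=/usr/sbin/mesos-slave
Restart=always
EOF
mkdir "$demo_dir/mesos-slave.service.d"
cat > "$demo_dir/mesos-slave.service.d/killmode.conf" <<'EOF'
[Service]
KillMode=process
EOF

unit="$demo_dir/mesos-slave.service"
echo "unit alone:   $(effective_killmode "$unit")"
echo "with drop-in: $(effective_killmode "$unit" "$unit.d/killmode.conf")"
rm -rf "$demo_dir"
```

On a running host, `systemctl show -p KillMode <unit>` reports the value systemd actually loaded.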
Re: Slave recovery not recovering tasks when using systemd
On Thursday, March 26, 2015, Joerg Schad jo...@mesosphere.io wrote:

Dear Mesos Users,

I just wanted to point out a solved issue (https://issues.apache.org/jira/browse/MESOS-2419) where the *systemd* default behaviour prevents tasks from recovering. The problem is that the default KillMode for systemd processes is *cgroup* (http://www.freedesktop.org/software/systemd/man/systemd.kill.html) and hence all child processes are killed when the slave stops. Explicitly setting the KillMode to *process* allows the executors to survive and reconnect.

Feel free to check our configuration at: https://github.com/mesosphere/mesos-deb-packaging/blob/master/systemd/slave.systemd

Thanks for the heads up! Will the RHEL7 packages be updated in the mesosphere repository to account for this?

--
Text by Jeff, typos by iPhone