mesos-issues mailing list archives

From "Benjamin Hindman (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-1593) Add DockerInfo Configuration
Date Wed, 16 Jul 2014 00:17:05 GMT

    [ https://issues.apache.org/jira/browse/MESOS-1593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062918#comment-14062918 ]

Benjamin Hindman edited comment on MESOS-1593 at 7/16/14 12:15 AM:
-------------------------------------------------------------------

IIUC, Docker forces us to launch containers as root (I'd be pleasantly surprised if there
was another way). The Docker daemon runs as root (which it must, because it's doing things
like manipulating cgroups) and I believe the process that it forks within the container is
thus root by default.

Assuming the above, the best we can do is use --user=foo, but an image must be set up to actually
have that user! We can definitely do authz on that user, although it's a little different
than a user running on the host and I'm not sure exactly what doing authz buys us?

(Eventually I believe the hope is that containers will be safe enough that giving them root
from within their container will be safe, even if it's not today.)


was (Author: benjaminhindman):
IIUC, Docker forces us to launch containers as root (I'd be pleasantly surprised if there
was another way). The Docker daemon runs as root (which it must, because it's doing things
like manipulating cgroups) and I believe the process that it forks within the container is
thus root by default.

So, the best we can do is use --user=foo, but an image must be set up to actually have that
user! We can definitely do authz on that user, although it's a little different than a user
running on the host and I'm not sure exactly what doing authz buys us.

(Eventually I believe the hope is that containers will be safe enough that giving them root
from within their container will be safe, even if it's not today.)

> Add DockerInfo Configuration
> ----------------------------
>
>                 Key: MESOS-1593
>                 URL: https://issues.apache.org/jira/browse/MESOS-1593
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Timothy Chen
>            Assignee: Timothy Chen
>
> We want to add a new proto message to encapsulate all Docker related configurations into DockerInfo.
> Here is the document that describes the design for DockerInfo:
> https://github.com/tnachen/mesos/wiki/DockerInfo-design



--
This message was sent by Atlassian JIRA
(v6.2#6252)
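
As an added example (not part of the original message or of Mesos), a pre-launch check for the `--user` point raised in the comment: it resolves a requested user against the text of an image's /etc/passwd and reports whether the name exists there and whether it maps to UID 0. The function names, the sample passwd content and the handling of a bare numeric UID as needing no passwd entry are assumptions of this sketch.

```python
# Added example: check a requested `docker run --user` value against an image's
# /etc/passwd before launch. Names and sample data here are constructed.

# Constructed /etc/passwd content, as it might be read out of an image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment line
malformed-line-without-fields
toor:x:0:0:second uid 0 account:/root:/bin/sh
app:x:1000:1000:service account:/srv/app:/bin/sh
"""


def parse_passwd(text):
    """Map user name -> uid, skipping blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdecimal():
            continue
        users.setdefault(fields[0], int(fields[2]))  # first entry wins
    return users


def check_user(requested, passwd_text):
    """Return (ok, uid, reason) for a --user value of the form name|uid[:group].

    ok is True only when the value resolves to a non-root UID.
    """
    users = parse_passwd(passwd_text)
    user = (requested or "").split(":", 1)[0]
    if not user:
        # No --user given: the image default applies (root unless the image sets one).
        return (False, None, "no user requested; image default applies")
    if user.isdecimal():
        uid = int(user)  # assumption: numeric UIDs need no passwd entry
    elif user in users:
        uid = users[user]
    else:
        return (False, None, "user %r is not defined in the image" % user)
    if uid == 0:
        # A non-root name can still map to UID 0 (e.g. 'toor' above).
        return (False, 0, "%r resolves to UID 0 (root)" % user)
    return (True, uid, "ok")
```
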
