mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <jpe...@apache.org>
Subject Re: Review Request 59552: Add support for explicitly setting bounding capabilities.
Date Fri, 09 Jun 2017 23:09:39 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59552/
-----------------------------------------------------------

(Updated June 9, 2017, 11:09 p.m.)


Review request for mesos, Jie Yu and Jiang Yan Xu.


Changes
-------

Rebase and partially address review feedback.


Bugs: MESOS-7476
    https://issues.apache.org/jira/browse/MESOS-7476


Repository: mesos


Description
-------

The linux/capabilities isolator implements the `--allowed_capabilities`
option by granting all the allowed capabilities. This change explicitly
populates the only the bounding capabilities in the case where
`--bounding_capabilities` has been set but the task itself has not been
granted any effective capabilities. This improves the security of tasks
since it is now possible to configure the bounding set without actually
granting privilege to the task.


Diffs (updated)
-----

  src/slave/containerizer/mesos/isolators/linux/capabilities.cpp 60d22aa877c1ab62a08222e5efe8800e337684da

  src/slave/containerizer/mesos/launch.cpp f48d294a0a832dfe248c4a83849ee5a63cb76bce 
  src/tests/containerizer/linux_capabilities_isolator_tests.cpp 40376a03fdb8f931f8d3f83b1c3fa6207e02c1d1



Diff: https://reviews.apache.org/r/59552/diff/3/

Changes: https://reviews.apache.org/r/59552/diff/2-3/


Testing
-------

make check (Fedora 25)


Thanks,

James Peach


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message