If you're new to Mesos
See the getting started page for more information about downloading, building, and deploying Mesos.
If you'd like to get involved or you're looking for support
See our community page for more details.
Linux Capabilities Support in Mesos Containerizer
This document describes the linux/capabilities isolator. The
isolator adds support for controlling Linux
Capabilities
of containers launched using the
MesosContainerizer
The Linux capabilities isolator allows operators to control which privileged operations Mesos tasks may perform. Operators can specify which capabilities to allow for containers executing on an agent; containers on the other hand can expose which capabilities they need.
See the protobuf definition of CapabilityInfo::Capability for the
list of currently exposed capabilities.
Agent setup
The Linux capabilities isolator is loaded when linux/capabilities is
present in the agent’s --isolation flag.
Capabilities which should be allowed are passed with the
--allowed_capabilities flag. This isolator requires the
CAP_SETPCAP capability so agent processes typically need to be
started as root. A possible agent startup invocation could be
sudo mesos-agent --master=<master ip> --ip=<agent ip>
--work_dir=/var/lib/mesos
--isolation=linux/capabilities[,other isolation flags]
--allowed_capabilities='{"capabilities":[NET_RAW,MKNOD]}'
An empty list for --allowed_capabilities signifies that no
capabilities are allowed, while an absent --allowed_capabilities flag
signifies that all capabilities are allowed.
Task setup
In order for a Mesos task to acquire allowed capabilities it needs to
declare required capabilities in the LinuxInfo of its
ContainerInfo.
A Mesos task can only request capabilities which are allowed for the agent; a task requesting unallowed capabilities will be rejected.
If an empty list of capabilities is given the Mesos task will drop all
capabilities; if the optional capability_info field is not set the
container will be able to acquire the capabilities of the Mesos task’s
user.