Linux Seccomp Support in Mesos Containerizer
Seccomp filter reduces the attack surface of the Linux kernel by providing a mechanism for filtering of certain system calls. Seccomp requires Linux kernel 3.5 or newer.
Seccomp filter is defined by a Seccomp profile which must be compatible with the Docker Seccomp profile format. An example of the Seccomp profile can be found in default.json.
Note: Mesos containerizer uses the pivot_root system call, so it must be specified in the Seccomp profile. Usually, the Docker Seccomp profile contains the chroot syscall, so the pivot_root syscall must be added to the same array.
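The pivot_root requirement above is easy to miss when a profile is copied from Docker. The following is an added example (not code from the Mesos project) that checks a Docker-format profile for an unconditional allow rule for pivot_root and, if it is missing, appends pivot_root to the array that already allows chroot. The sample profile is constructed here and is not the real default.json.

```python
import copy
import json

# Constructed minimal profile in the Docker Seccomp format (not Mesos's default.json).
# It allows chroot but, as is typical for Docker-derived profiles, not pivot_root.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["chroot"], "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}


def allowed_syscalls(profile):
    """Return the set of syscall names the profile allows with no argument filter."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            allowed.update(rule.get("names", []))
            if "name" in rule:  # older single-name form of the Docker format
                allowed.add(rule["name"])
    return allowed


def ensure_pivot_root(profile):
    """Return a copy of the profile in which pivot_root is allowed next to chroot.

    Mesos containerizer calls pivot_root while setting up the container root
    filesystem, so a profile that only allows chroot would make every container
    fail to start. Raises ValueError when there is no unconditional allow rule
    for chroot to attach pivot_root to.
    """
    result = copy.deepcopy(profile)
    if "pivot_root" in allowed_syscalls(result):
        return result
    for rule in result.get("syscalls", []):
        names = rule.get("names", [])
        if "chroot" in names and rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            rule["names"] = names + ["pivot_root"]
            return result
    raise ValueError("no unconditional SCMP_ACT_ALLOW rule for chroot; cannot add pivot_root")


if __name__ == "__main__":
    print(json.dumps(ensure_pivot_root(SAMPLE_PROFILE), indent=2))
```

Run it against a copy of your real profile (json.load it in place of SAMPLE_PROFILE) before pointing --seccomp_config_dir at it.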
The Linux Seccomp isolator is loaded when linux/seccomp is present in the --isolation flag. This isolator requires root privileges to install a Seccomp filter, because a Seccomp filter can't be installed for a non-privileged user without setting the no_new_privs bit, which leads to side effects.
The --seccomp_config_dir flag specifies the path to the directory containing Seccomp profiles.
The --seccomp_profile_name flag specifies the default Seccomp profile, which is applied by default to all Mesos containers. This profile name must be relative to --seccomp_config_dir. If this flag is omitted, then the default Seccomp profile is not defined and therefore not applied by default.
A possible agent startup invocation could be
sudo mesos-agent --master=<master ip> --ip=<agent ip> --work_dir=/var/lib/mesos --isolation=linux/seccomp[,other isolation flags] --seccomp_config_dir=/etc/mesos/seccomp --seccomp_profile_name=default.json
In order for a Mesos task to override the agent's default Seccomp profile, it should declare the required profile in the LinuxInfo field of its ContainerInfo. E.g., if the agent is launched with the default Seccomp profile enabled, a framework can disable Seccomp for a particular task by setting the unconfined field in the corresponding