Description
Hi,
In your README, you give the following instructions for launching a Mesos agent node from your Docker image:
docker run -d --net=host --privileged \
-e MESOS_PORT=5051 \
-e MESOS_MASTER=zk://127.0.0.1:2181/mesos \
-e MESOS_SWITCH_USER=0 \
-e MESOS_CONTAINERIZERS=docker,mesos \
-e MESOS_LOG_DIR=/var/log/mesos \
-e MESOS_WORK_DIR=/var/tmp/mesos \
-v "$(pwd)/log/mesos:/var/log/mesos" \
-v "$(pwd)/tmp/mesos:/var/tmp/mesos" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /cgroup:/cgroup \
-v /sys:/sys \
-v /usr/local/bin/docker:/usr/local/bin/docker \
mesosphere/mesos-slave:0.28.0-2.0.16.ubuntu1404
According to these instructions, the agent container shall be launched in privileged mode. However, I did not find any missing or faulty behavior in practice when omitting the --privileged flag.
The Docker docs say the following about privileged containers:
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.
So, adhering to the "least privileges principle", a container should only run in privileged mode if it absolutely has to, so we should consider updating the instructions. The correct run configuration I'd propose:
docker run -d --net=host \
-e MESOS_PORT=5051 \
-e MESOS_MASTER=zk://127.0.0.1:2181/mesos \
-e MESOS_SWITCH_USER=0 \
-e MESOS_CONTAINERIZERS=docker,mesos \
-e MESOS_LOG_DIR=/var/log/mesos \
-e MESOS_WORK_DIR=/var/tmp/mesos \
-v "$(pwd)/log/mesos:/var/log/mesos" \
-v "$(pwd)/tmp/mesos:/var/tmp/mesos" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /cgroup:/cgroup \
-v /sys:/sys \
-v /usr/local/bin/docker:/usr/local/bin/docker \
mesosphere/mesos-slave:0.28.0-2.0.16.ubuntu1404
Do you agree with this or can you otherwise elaborate on why the status quo is correct from your point of view?
Thanks :)