This document describes the linux/nnp
isolator. This isolator sets the no_new_privs flag for all containers launched using the MesosContainerizer.
The no_new_privs
flag disables the ability of container tasks to acquire any additional privileges by means of executing a child process e.g. through invocation of setuid
or setgid
programs. To enable the linux/nnp
isolator, append linux/nnp
to the --isolation
flag when starting the Mesos agent.