Posted to commits@mesos.apache.org by jp...@apache.org on 2017/12/07 01:11:35 UTC

mesos git commit: Used more restrictive mount flags for host network bind mounts.

Repository: mesos
Updated Branches:
  refs/heads/master 1f06e8446 -> dfe9f51aa


Used more restrictive mount flags for host network bind mounts.

In the CNI isolator, mount the network configuration files with
the most restrictive mount flags so that the bind mounts do not
trip over the unprivileged-mount preconditions that apply inside a
user namespace.

Review: https://reviews.apache.org/r/64385/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dfe9f51a
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dfe9f51a
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dfe9f51a

Branch: refs/heads/master
Commit: dfe9f51aa9f4ddc23c990a77bc53beab983b5c96
Parents: 1f06e84
Author: James Peach <jp...@apache.org>
Authored: Wed Dec 6 16:32:12 2017 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 6 17:05:02 2017 -0800

----------------------------------------------------------------------
 .../mesos/isolators/network/cni/cni.cpp             | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/dfe9f51a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
index 0eca067..61de16b 100644
--- a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
@@ -1906,6 +1906,14 @@ int NetworkCniIsolatorSetup::execute()
     return EXIT_FAILURE;
   }
 
+  // If we are in a user namespace, then our copy of the mount tree is
+  // marked unprivileged and the kernel will required us to propagate
+  // any additional flags from the underlying mount to the bind mount
+  // when we do the MS_RDONLY remount. To save the bother of reading
+  // the mount table to find the flags to propagate, we just always
+  // use the most restrictive flags here.
+  const int bindflags = MS_BIND | MS_NOEXEC | MS_NODEV | MS_NOSUID;
+
   foreachpair (const string& file, const string& source, files) {
     // Do the bind mount for network files in the host filesystem if
     // the container joins non-host network since no process in the
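Review bot: The new comment at the top of this hunk has a typo, `the kernel will required us` should read `the kernel will require us`, and it should also state where the added flags actually take effect: on a plain MS_BIND mount the kernel ignores mount flags other than MS_BIND and MS_REC, so MS_NOEXEC | MS_NODEV | MS_NOSUID are not applied by the first mount call in each pair (the `bindflags` uses in the second and fourth hunks) and only become effective on the `MS_RDONLY | MS_REMOUNT | bindflags` remounts in the third and fifth hunks. Passing them on the initial bind is harmless, but a reader may otherwise assume that a bind mount which is not followed by a remount is already noexec/nodev/nosuid, which it is not. A line such as `// The extra flags are ignored on the initial MS_BIND; they take effect on the MS_REMOUNT below.` appended to the comment would make this explicit. NetworkCniIsolatorSetup::execute() begins and ends outside this hunk, so whether every bind mount here is later remounted cannot be confirmed from the diff.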
@@ -1952,7 +1960,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           file,
           None(),
-          MS_BIND,
+          bindflags,
           nullptr);
       if (mount.isError()) {
         cerr << "Failed to bind mount from '" << source << "' to '"
@@ -1965,7 +1973,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           file,
           None(),
-          MS_RDONLY | MS_REMOUNT | MS_BIND,
+          MS_RDONLY | MS_REMOUNT | bindflags,
           nullptr);
         if (mount.isError()) {
           cerr << "Failed to remount bind mount as readonly from '" << source
@@ -2015,7 +2023,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           target,
           None(),
-          MS_BIND,
+          bindflags,
           nullptr);
 
       if (mount.isError()) {
@@ -2029,7 +2037,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           target,
           None(),
-          MS_RDONLY | MS_REMOUNT | MS_BIND,
+          MS_RDONLY | MS_REMOUNT | bindflags,
           nullptr);
         if (mount.isError()) {
           cerr << "Failed to remount bind mount as readonly from '" << source