You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/10/07 16:26:01 UTC
[5/5] mesos git commit: Introduced Linux capabilities support for Mesos executor.

Introduced Linux capabilities support for Mesos executor.

This change introduces Linux capability-based security the Mesos
exector. A new flag `capabilities` is introduced to optionally specify
the capabilities tasks launched by the Mesos executor are allowed to
use.

Review: https://reviews.apache.org/r/51930/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/5e3648c8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/5e3648c8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/5e3648c8

Branch: refs/heads/master
Commit: 5e3648c871f8008d8e11390b2ccba86c59d82f70
Parents: a7d567c
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Wed Oct 5 20:55:42 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Oct 7 09:22:19 2016 -0700

----------------------------------------------------------------------
 src/launcher/executor.cpp       | 13 ++++++++++++-
 src/launcher/posix/executor.cpp |  9 ++++++++-
 src/launcher/posix/executor.hpp |  3 ++-
 3 files changed, 22 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/executor.cpp b/src/launcher/executor.cpp
index 8a1051b..3e95d60 100644
--- a/src/launcher/executor.cpp
+++ b/src/launcher/executor.cpp
@@ -65,6 +65,7 @@
 #include <stout/os/killtree.hpp>
 
 #include "common/http.hpp"
+#include "common/parse.hpp"
 #include "common/protobuf_utils.hpp"
 #include "common/status_utils.hpp"
 
@@ -127,6 +128,7 @@ public:
       const Option<string>& _workingDirectory,
       const Option<string>& _user,
       const Option<string>& _taskCommand,
+      const Option<CapabilityInfo>& _capabilities,
       const FrameworkID& _frameworkId,
       const ExecutorID& _executorId,
       const Duration& _shutdownGracePeriod)
@@ -146,6 +148,7 @@ public:
       workingDirectory(_workingDirectory),
       user(_user),
       taskCommand(_taskCommand),
+      capabilities(_capabilities),
       frameworkId(_frameworkId),
       executorId(_executorId),
       task(None())
@@ -410,7 +413,8 @@ protected:
         user,
         rootfs,
         sandboxDirectory,
-        workingDirectory);
+        workingDirectory,
+        capabilities);
 #else
     // A Windows process is started using the `CREATE_SUSPENDED` flag
     // and is part of a job object. While the process handle is kept
@@ -799,6 +803,7 @@ private:
   Option<string> workingDirectory;
   Option<string> user;
   Option<string> taskCommand;
+  Option<CapabilityInfo> capabilities;
   const FrameworkID frameworkId;
   const ExecutorID executorId;
   Owned<MesosBase> mesos;
@@ -840,6 +845,10 @@ public:
         "If specified, this is the overrided command for launching the\n"
         "task (instead of the command from TaskInfo).");
 
+    add(&capabilities,
+        "capabilities",
+        "Capabilities the command can use.");
+
     add(&launcher_dir,
         "launcher_dir",
         "Directory path of Mesos binaries.",
@@ -854,6 +863,7 @@ public:
   Option<string> working_directory;
   Option<string> user;
   Option<string> task_command;
+  Option<mesos::CapabilityInfo> capabilities;
   string launcher_dir;
 };
 
@@ -927,6 +937,7 @@ int main(int argc, char** argv)
           flags.working_directory,
           flags.user,
           flags.task_command,
+          flags.capabilities,
           frameworkId,
           executorId,
           shutdownGracePeriod));

http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index 0f3fed3..8a21191 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -57,7 +57,8 @@ pid_t launchTaskPosix(
     const Option<string>& user,
     const Option<string>& rootfs,
     const Option<string>& sandboxDirectory,
-    const Option<string>& workingDirectory)
+    const Option<string>& workingDirectory,
+    const Option<CapabilityInfo>& capabilities)
 {
   // Prepare the flags to pass to the launch process.
   MesosContainerizerLaunch::Flags launchFlags;
@@ -97,6 +98,12 @@ pid_t launchTaskPosix(
   launchFlags.rootfs = rootfs;
   launchFlags.user = user;
 
+#ifdef __linux__
+  launchFlags.capabilities = capabilities.isSome()
+    ? JSON::protobuf(capabilities.get())
+    : Option<JSON::Object>::none();
+#endif // __linux__
+
   string commandString = strings::format(
       "%s %s %s",
       path::join(launcherDir, MESOS_CONTAINERIZER),

http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/posix/executor.hpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.hpp b/src/launcher/posix/executor.hpp
index 9e46726..d057ff6 100644
--- a/src/launcher/posix/executor.hpp
+++ b/src/launcher/posix/executor.hpp
@@ -32,7 +32,8 @@ pid_t launchTaskPosix(
     const Option<std::string>& user,
     const Option<std::string>& rootfs,
     const Option<std::string>& sandboxDirectory,
-    const Option<std::string>& workingDirectory);
+    const Option<std::string>& workingDirectory,
+    const Option<CapabilityInfo>& capabilities);
 
 } // namespace internal {
 } // namespace mesos {