You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/10/07 16:26:01 UTC
[5/5] mesos git commit: Introduced Linux capabilities support for
Mesos executor.
Introduced Linux capabilities support for Mesos executor.
This change introduces Linux capability-based security the Mesos
exector. A new flag `capabilities` is introduced to optionally specify
the capabilities tasks launched by the Mesos executor are allowed to
use.
Review: https://reviews.apache.org/r/51930/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/5e3648c8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/5e3648c8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/5e3648c8
Branch: refs/heads/master
Commit: 5e3648c871f8008d8e11390b2ccba86c59d82f70
Parents: a7d567c
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Wed Oct 5 20:55:42 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Oct 7 09:22:19 2016 -0700
----------------------------------------------------------------------
src/launcher/executor.cpp | 13 ++++++++++++-
src/launcher/posix/executor.cpp | 9 ++++++++-
src/launcher/posix/executor.hpp | 3 ++-
3 files changed, 22 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/executor.cpp b/src/launcher/executor.cpp
index 8a1051b..3e95d60 100644
--- a/src/launcher/executor.cpp
+++ b/src/launcher/executor.cpp
@@ -65,6 +65,7 @@
#include <stout/os/killtree.hpp>
#include "common/http.hpp"
+#include "common/parse.hpp"
#include "common/protobuf_utils.hpp"
#include "common/status_utils.hpp"
@@ -127,6 +128,7 @@ public:
const Option<string>& _workingDirectory,
const Option<string>& _user,
const Option<string>& _taskCommand,
+ const Option<CapabilityInfo>& _capabilities,
const FrameworkID& _frameworkId,
const ExecutorID& _executorId,
const Duration& _shutdownGracePeriod)
@@ -146,6 +148,7 @@ public:
workingDirectory(_workingDirectory),
user(_user),
taskCommand(_taskCommand),
+ capabilities(_capabilities),
frameworkId(_frameworkId),
executorId(_executorId),
task(None())
@@ -410,7 +413,8 @@ protected:
user,
rootfs,
sandboxDirectory,
- workingDirectory);
+ workingDirectory,
+ capabilities);
#else
// A Windows process is started using the `CREATE_SUSPENDED` flag
// and is part of a job object. While the process handle is kept
@@ -799,6 +803,7 @@ private:
Option<string> workingDirectory;
Option<string> user;
Option<string> taskCommand;
+ Option<CapabilityInfo> capabilities;
const FrameworkID frameworkId;
const ExecutorID executorId;
Owned<MesosBase> mesos;
@@ -840,6 +845,10 @@ public:
"If specified, this is the overrided command for launching the\n"
"task (instead of the command from TaskInfo).");
+ add(&capabilities,
+ "capabilities",
+ "Capabilities the command can use.");
+
add(&launcher_dir,
"launcher_dir",
"Directory path of Mesos binaries.",
@@ -854,6 +863,7 @@ public:
Option<string> working_directory;
Option<string> user;
Option<string> task_command;
+ Option<mesos::CapabilityInfo> capabilities;
string launcher_dir;
};
@@ -927,6 +937,7 @@ int main(int argc, char** argv)
flags.working_directory,
flags.user,
flags.task_command,
+ flags.capabilities,
frameworkId,
executorId,
shutdownGracePeriod));
http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index 0f3fed3..8a21191 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -57,7 +57,8 @@ pid_t launchTaskPosix(
const Option<string>& user,
const Option<string>& rootfs,
const Option<string>& sandboxDirectory,
- const Option<string>& workingDirectory)
+ const Option<string>& workingDirectory,
+ const Option<CapabilityInfo>& capabilities)
{
// Prepare the flags to pass to the launch process.
MesosContainerizerLaunch::Flags launchFlags;
@@ -97,6 +98,12 @@ pid_t launchTaskPosix(
launchFlags.rootfs = rootfs;
launchFlags.user = user;
+#ifdef __linux__
+ launchFlags.capabilities = capabilities.isSome()
+ ? JSON::protobuf(capabilities.get())
+ : Option<JSON::Object>::none();
+#endif // __linux__
+
string commandString = strings::format(
"%s %s %s",
path::join(launcherDir, MESOS_CONTAINERIZER),
http://git-wip-us.apache.org/repos/asf/mesos/blob/5e3648c8/src/launcher/posix/executor.hpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.hpp b/src/launcher/posix/executor.hpp
index 9e46726..d057ff6 100644
--- a/src/launcher/posix/executor.hpp
+++ b/src/launcher/posix/executor.hpp
@@ -32,7 +32,8 @@ pid_t launchTaskPosix(
const Option<std::string>& user,
const Option<std::string>& rootfs,
const Option<std::string>& sandboxDirectory,
- const Option<std::string>& workingDirectory);
+ const Option<std::string>& workingDirectory,
+ const Option<CapabilityInfo>& capabilities);
} // namespace internal {
} // namespace mesos {