Posted to issues@aurora.apache.org by "Joshua Cohen (JIRA)" <ji...@apache.org> on 2016/09/09 17:34:20 UTC

[jira] [Commented] (AURORA-1768) Command `aurora task ssh` is not namespace and taskfs aware

    [ https://issues.apache.org/jira/browse/AURORA-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15477671#comment-15477671 ] 

Joshua Cohen commented on AURORA-1768:
--------------------------------------

This would likely involve {{aurora task ssh}} invoking some helper binary to enter the container's namespace upon connection (similar to how it currently just [cd's|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/client/api/command_runner.py#L63-L72] into the task's sandbox).

Ideally this helper would just be {{nsenter}}, but I don't think nsenter is guaranteed to be available on all distros (e.g. it needs to be built from source for Ubuntu 14.04 for use in our vagrant image). We could instead create our own thin pex that relies on [python-nsenter|https://github.com/zalando/python-nsenter] to enter the necessary namespaces and then [embed|https://github.com/apache/aurora/blob/master/build-support/embed_runner_in_executor.py] that in the executor (and later [extract|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/executor/bin/thermos_executor_main.py#L192-L204] it).

This raises the second question: how do we determine which namespace to actually enter? I'm unsure of this exactly, but I believe it's available via procfs at {{/proc/<pid>/ns/mnt}} (or net, etc.).

> Command `aurora task ssh` is not namespace and taskfs aware 
> ------------------------------------------------------------
>
>                 Key: AURORA-1768
>                 URL: https://issues.apache.org/jira/browse/AURORA-1768
>             Project: Aurora
>          Issue Type: Story
>          Components: Thermos
>            Reporter: Stephan Erb
>
> In order to guarantee isolation among tasks and to simplify debugging in production environments, we should make sure commands executed via `aurora ssh` have been isolated in the same way as the tasks themselves. This implies that we have to use the same container filesystem and enter the same namespaces.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
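
Added example, not part of the original message or of Aurora's code: on Linux each entry under /proc/<pid>/ns/ is a symlink whose target (for example mnt:[4026532201]) identifies a namespace, so comparing the task's links with the caller's shows which namespaces a helper would have to enter. The function names and the constructed fake procfs tree are assumptions made for illustration; the nsenter flags are the util-linux ones.

```python
import os
import tempfile

# /proc/<pid>/ns entry name -> matching util-linux nsenter flag.
NS_FLAGS = {"mnt": "--mount", "uts": "--uts", "ipc": "--ipc",
            "net": "--net", "pid": "--pid", "user": "--user"}

def read_namespaces(pid, proc_root="/proc"):
    """Return {name: identity}, e.g. {"mnt": "mnt:[4026532201]"}."""
    found = {}
    for name in NS_FLAGS:
        try:
            found[name] = os.readlink(os.path.join(proc_root, str(pid), "ns", name))
        except FileNotFoundError:
            continue  # kernel without this namespace type, or no such pid
    return found

def namespaces_to_enter(target_pid, proc_root="/proc"):
    """Names of namespaces where the target differs from the calling process."""
    mine = read_namespaces("self", proc_root)
    theirs = read_namespaces(target_pid, proc_root)
    if not theirs:
        # Fail closed: never fall back to running the command on the host.
        raise LookupError("no namespace entries for pid %s" % target_pid)
    return sorted(n for n, ident in theirs.items() if mine.get(n) != ident)

def nsenter_argv(target_pid, command, proc_root="/proc"):
    """Wrap command so it runs in the target's namespaces."""
    names = namespaces_to_enter(target_pid, proc_root)
    if not names:
        return list(command)  # target already shares every namespace with us
    flags = [NS_FLAGS[n] for n in names]
    return ["nsenter", "--target", str(target_pid)] + flags + ["--"] + list(command)

def build_fake_proc(root, table):
    """Constructed sample data: a procfs-like tree of dangling ns symlinks."""
    for pid, spaces in table.items():
        os.makedirs(os.path.join(root, str(pid), "ns"))
        for name, inode in spaces.items():
            os.symlink("%s:[%d]" % (name, inode), os.path.join(root, str(pid), "ns", name))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {
            "self": {"mnt": 4026531840, "net": 4026531956, "pid": 4026531836},
            4242: {"mnt": 4026532201, "net": 4026531956, "pid": 4026532203},
        })
        print(nsenter_argv(4242, ["/bin/bash"], proc_root=root))
```

With the default proc_root the same functions read the real /proc; reading another user's /proc/<pid>/ns entries generally requires matching privileges, and a PermissionError is deliberately left to propagate rather than treated as "nothing to enter".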