Posted to commits@mesos.apache.org by gi...@apache.org on 2019/08/15 20:09:50 UTC

[mesos] branch 1.6.x updated (472d0d9 -> e5db870)

This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a change to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 472d0d9  Added MESOS-9868 to the 1.6.3 CHANGELOG.
     new 124e8e7  Implemented `cleanup` method for `volume/secret` isolator.
     new 8c7600e  Moved const string `.secret` to paths.hpp.
     new e5db870  Added MESOS-9893 to 1.6.3 CHANGELOG.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGELOG                                          |  1 +
 .../mesos/isolators/volume/secret.cpp              | 50 +++++++++++++++++++---
 .../mesos/isolators/volume/secret.hpp              |  3 ++
 src/slave/containerizer/mesos/paths.hpp            |  1 +
 4 files changed, 48 insertions(+), 7 deletions(-)


[mesos] 03/03: Added MESOS-9893 to 1.6.3 CHANGELOG.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit e5db870a562c4f3f76d1ac1e3feb4ff95216a668
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Thu Aug 15 13:00:42 2019 -0700

    Added MESOS-9893 to 1.6.3 CHANGELOG.
    
    (cherry picked from commit 18073ecbc8e35add1d8ebc4e8d23cc111f795839)
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index a4aa80e..87b3a1d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,7 @@ Release Notes - Mesos - Version 1.6.3 (WIP)
   * [MESOS-9856] - REVIVE call with specified role(s) clears filters for all roles of a framework.
   * [MESOS-9868] - NetworkInfo from the agent /state endpoint is not correct.
   * [MESOS-9870] - Simultaneous adding/removal of a role from framework's roles and its suppressed roles crashes the master.
+  * [MESOS-9893] - `volume/secret` isolator should cleanup the stored secret from runtime directory when the container is destroyed.
 
 ** Improvement
   * [MESOS-8880] - Add minimum capabilities in the master.


[mesos] 02/03: Moved const string `.secret` to paths.hpp.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 8c7600ece18612b3163509a95cafc3d238e12d27
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Aug 15 11:49:23 2019 -0700

    Moved const string `.secret` to paths.hpp.
    
    Review: https://reviews.apache.org/r/71221/
    (cherry picked from commit 34330fb08466116c8483ce6de234126a6089a683)
    (cherry picked from commit ae8c16ae7eaa5ffb301300278a18f3f662a5d8d5)
---
 .../containerizer/mesos/isolators/volume/secret.cpp      | 16 +++++++++-------
 src/slave/containerizer/mesos/paths.hpp                  |  1 +
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 6dc558b..7dca981 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -14,6 +14,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include "slave/containerizer/mesos/paths.hpp"
+
 #include "slave/containerizer/mesos/isolators/volume/secret.hpp"
 
 #include <list>
@@ -48,6 +50,8 @@ using process::Failure;
 using process::Future;
 using process::Owned;
 
+using mesos::internal::slave::containerizer::paths::SECRET_DIRECTORY;
+
 using mesos::slave::ContainerClass;
 using mesos::slave::ContainerConfig;
 using mesos::slave::ContainerLaunchInfo;
@@ -58,9 +62,6 @@ namespace mesos {
 namespace internal {
 namespace slave {
 
-constexpr char SECRET_DIR[] = ".secret";
-
-
 Try<Isolator*> VolumeSecretIsolatorProcess::create(
     const Flags& flags,
     SecretResolver* secretResolver)
@@ -70,7 +71,8 @@ Try<Isolator*> VolumeSecretIsolatorProcess::create(
     return Error("Volume secret isolation requires filesystem/linux isolator.");
   }
 
-  const string hostSecretTmpDir = path::join(flags.runtime_dir, SECRET_DIR);
+  const string hostSecretTmpDir =
+    path::join(flags.runtime_dir, SECRET_DIRECTORY);
 
   Try<Nothing> mkdir = os::mkdir(hostSecretTmpDir);
   if (mkdir.isError()) {
@@ -122,7 +124,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   const string containerDir = path::join(
       flags.runtime_dir,
-      SECRET_DIR,
+      SECRET_DIRECTORY,
       stringify(containerId));
 
   Try<Nothing> mkdir = os::mkdir(containerDir);
@@ -137,7 +139,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   const string sandboxSecretRootDir =
     path::join(containerConfig.directory(),
-               SECRET_DIR + string("-") + stringify(id::UUID::random()));
+               SECRET_DIRECTORY + string("-") + stringify(id::UUID::random()));
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts
   // with user container_path.
@@ -318,7 +320,7 @@ Future<Nothing> VolumeSecretIsolatorProcess::cleanup(
 {
   const string containerDir = path::join(
       flags.runtime_dir,
-      SECRET_DIR,
+      SECRET_DIRECTORY,
       stringify(containerId));
 
   if (os::exists(containerDir)) {
diff --git a/src/slave/containerizer/mesos/paths.hpp b/src/slave/containerizer/mesos/paths.hpp
index 106da74..adc3883 100644
--- a/src/slave/containerizer/mesos/paths.hpp
+++ b/src/slave/containerizer/mesos/paths.hpp
@@ -79,6 +79,7 @@ constexpr char MNT_HOST_PROC[] = "host_proc";
 constexpr char CONTAINER_DIRECTORY[] = "containers";
 constexpr char CONTAINER_LAUNCH_INFO_FILE[] = "launch_info";
 constexpr char STANDALONE_MARKER_FILE[] = "standalone.marker";
+constexpr char SECRET_DIRECTORY[] = ".secret";
 
 
 enum Mode


[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 124e8e71a164066ad4a366b4274c12a8415589d2
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

    Implemented `cleanup` method for `volume/secret` isolator.
    
    Previously, after `volume/secret` isolator resolves a secret and writes
    it into a path (i.e., <runtime_dir>/.secret/<UUID>) on agent host for a
    container, if the container fails to launch somehow (e.g., fails in
    another isolator's `prepare` method), that path on the host will never
    be cleaned up. In this patch, `volume/secret` isolator is improved to
    write all the resolved secrets for a container into a single directory
    (i.e., <runtime_dir>/.secret/<containerID>) on agent host, and the
    `cleanup` method of the `volume/secret` isolator is implemented to
    remove that directory when the container is destroyed.
    
    Review: https://reviews.apache.org/r/71201/
    (cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c)
    (cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987)
---
 .../mesos/isolators/volume/secret.cpp              | 38 ++++++++++++++++++++--
 .../mesos/isolators/volume/secret.hpp              |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index d1bc7c5..6dc558b 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -31,6 +31,7 @@
 #include <stout/strings.hpp>
 
 #include <stout/os/mkdir.hpp>
+#include <stout/os/rmdir.hpp>
 #include <stout/os/touch.hpp>
 #include <stout/os/write.hpp>
 
@@ -119,6 +120,18 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     return None();
   }
 
+  const string containerDir = path::join(
+      flags.runtime_dir,
+      SECRET_DIR,
+      stringify(containerId));
+
+  Try<Nothing> mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+    return Failure(
+        "Failed to create container directory at '" +
+        containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
@@ -128,7 +141,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts
   // with user container_path.
-  Try<Nothing> mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
     return Failure("Failed to create sandbox secret root directory at '" +
                    sandboxSecretRootDir + "': " + mkdir.error());
@@ -236,7 +249,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     }
 
     const string hostSecretPath =
-      path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+      path::join(containerDir, stringify(id::UUID::random()));
 
     const string sandboxSecretPath =
       path::join(sandboxSecretRootDir,
@@ -299,6 +312,27 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     });
 }
 
+
+Future<Nothing> VolumeSecretIsolatorProcess::cleanup(
+    const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+      flags.runtime_dir,
+      SECRET_DIR,
+      stringify(containerId));
+
+  if (os::exists(containerDir)) {
+    Try<Nothing> rmdir = os::rmdir(containerDir);
+    if (rmdir.isError()) {
+      return Failure(
+          "Failed to remove the container directory '" +
+          containerDir + "': " + rmdir.error());
+    }
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
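Review bot: The `os::exists(containerDir)` guard followed by `os::rmdir(containerDir)` is a check-then-act pair: if the directory disappears between the two calls (a concurrent cleanup, or the runtime directory being wiped), the rmdir error becomes a `Failure` for a directory that is already in the desired end state, and a failed `cleanup` from an isolator is what blocks the container's destroy. Calling rmdir unconditionally and treating a not-found result as success would be more robust, if stout's rmdir lets that case be told apart from other errors; otherwise at least the error message should say the directory may have been removed concurrently. Note also that `os::rmdir` presumably removes the tree recursively (the directory holds one file per secret), which the body does not state; a comment such as `// Remove the host-side directory holding this container's resolved secrets (and its contents).` above the call would make that explicit.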
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index 2680345..9b557ed 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
       const ContainerID& containerId,
       const mesos::slave::ContainerConfig& containerConfig);
 
+  process::Future<Nothing> cleanup(
+      const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
       const Flags& flags,
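Review bot: The new `cleanup` declaration carries no comment, and the header is where callers of the isolator interface look for the contract. A short comment above it along the lines of `// Removes the host-side directory under <runtime_dir>/.secret/<containerId> that holds the secrets resolved for this container in prepare(); secrets copied into the sandbox are not touched here.` would document what is and is not removed; the second clause is inferred from the .cpp hunks in this commit and should be confirmed. The enclosing class declaration starts and ends outside the hunk.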