Posted to issues@mesos.apache.org by "Jie Yu (JIRA)" <ji...@apache.org> on 2019/03/30 04:52:00 UTC

[jira] [Commented] (MESOS-9529) `/proc` should be remounted even if a nested container set `share_pid_namespace` to true

    [ https://issues.apache.org/jira/browse/MESOS-9529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805615#comment-16805615 ] 

Jie Yu commented on MESOS-9529:
-------------------------------

I tried to send a patch for this ticket, but realized that the problem is a little tricky to resolve. The problem is that we cannot just blindly `mount -t proc proc /proc` irrespective of whether the container shares the same pid namespace as its parent, because if the parent container indeed shares the same pid namespace as the agent, this mount will result in EBUSY. We also cannot blindly umount /proc and mount again, because typically there are bind mounts under `/proc/sys/fs/binfmt_misc`; an unmount will typically result in EBUSY too.

> `/proc` should be remounted even if a nested container set `share_pid_namespace` to true
> ----------------------------------------------------------------------------------------
>
>                 Key: MESOS-9529
>                 URL: https://issues.apache.org/jira/browse/MESOS-9529
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>    Affects Versions: 1.4.2, 1.5.2, 1.6.2, 1.7.1
>            Reporter: Jie Yu
>            Priority: Critical
>
> Currently, if a nested container wants to share the pid namespace of its parent container, we allow the framework to set `LinuxInfo.share_pid_namespace`.
> If the nested container does not have its own rootfs (i.e., using the host rootfs), the `/proc` is not re-mounted:
> https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126
> This is problematic because the nested container will fork the host's mount namespace, thus inheriting the `/proc` there. As a result, `/proc/<pid>` is still for the host pid namespace. The pid namespace of the parent container might be different than that of the host pid namespace.
> As a result, `ps aux` in the nested container will show all process information in the host pid namespace, although the pid namespace of the nested container is different than that of the host.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
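The two EBUSY cases in the comment above can be told apart before touching any mount. The script below is an added example and is not Mesos code: it reads the `NSpid` line of `/proc/self/status` (Linux 4.1 and later) to detect whether `/proc` was mounted from an ancestor pid namespace, and scans `/proc/self/mountinfo` for sub-mounts under `/proc` (such as the `binfmt_misc` mount the comment mentions) that would make a blind `umount /proc` fail. The sample status and mountinfo lines are constructed for illustration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Mesos: decide whether /proc reflects the caller's
# pid namespace, and list the sub-mounts that make `umount /proc` return EBUSY.

# Depth of nesting between the pid namespace /proc was mounted from and ours.
# /proc/<pid>/status carries "NSpid: <pid in procfs ns> <pid in each child ns>...";
# a single field means /proc was mounted from our own pid namespace. Reads stdin.
nspid_depth() {
    awk '/^NSpid:/ { print NF - 1; found = 1 } END { if (!found) print 1 }'
}

# Print mount points nested under /proc. In /proc/self/mountinfo field 5 is the
# mount point; any entry here (typically /proc/sys/fs/binfmt_misc) is why a
# blind umount of /proc hits EBUSY. Reads stdin.
proc_submounts() {
    awk '$5 ~ /^\/proc\/./ { print $5 }'
}

# True when the live /proc was mounted from an ancestor pid namespace.
proc_needs_remount() {
    depth=$(nspid_depth < /proc/self/status)
    [ "${depth:-1}" -gt 1 ]
}

# Constructed samples (not captured from a real host).
SAMPLE_STATUS_STALE='Name: sh
Pid: 4231
NSpid: 4231 1'
SAMPLE_STATUS_FRESH='Name: sh
Pid: 1
NSpid: 1'
SAMPLE_MOUNTINFO='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
41 22 0:36 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw
23 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw'

main() {
    [ -r /proc/self/status ] || { echo "no procfs available on this host"; return 0; }
    if proc_needs_remount; then
        echo "/proc was mounted from an ancestor pid namespace"
        subs=$(proc_submounts < /proc/self/mountinfo)
        if [ -n "$subs" ]; then
            echo "umount /proc would return EBUSY because of:"
            echo "$subs"
        else
            echo "no sub-mounts under /proc; an umount + mount cycle is possible"
        fi
    else
        echo "/proc already matches this pid namespace; mount -t proc proc /proc would return EBUSY"
    fi
}

main "$@"
```

Run it inside the nested container; the two functions take their input on stdin so they can also be exercised against saved copies of `status` and `mountinfo` from a container that misbehaves.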