Posted to commits@mesos.apache.org by gi...@apache.org on 2019/05/20 22:14:00 UTC

[mesos] branch 1.6.x updated (3911b4c -> 25f073d)

This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a change to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 3911b4c  Fixed the broken backport for MESOS-9787.
     new 08d993e  Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."
     new 25f073d  Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGELOG                                          |  1 -
 src/slave/containerizer/mesos/containerizer.cpp    | 24 ++++++---------------
 .../mesos/isolators/filesystem/linux.cpp           | 25 ----------------------
 3 files changed, 7 insertions(+), 43 deletions(-)


[mesos] 01/02: Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."

Posted by gi...@apache.org.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 08d993ef852d01779844115796531879b0ddac6f
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 15:13:45 2019 -0700

    Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."
    
    This reverts commit 45bfa2aa42c119da6f83b865d4929ee6064c2697.
---
 CHANGELOG | 1 -
 1 file changed, 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index dcf5e06..3c92650 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,7 +5,6 @@ Release Notes - Mesos - Version 1.6.3 (WIP)
 ** Bug
   * [MESOS-9507] - Agent could not recover due to empty docker volume checkpointed files.
   * [MESOS-9529] - `/proc` should be remounted even if a nested container set `share_pid_namespace` to true.
-  * [MESOS-9536] - Nested container launched with non-root user may not be able to write to its sandbox via the environment variable `MESOS_SANDBOX`.
   * [MESOS-9564] - Logrotate container logger lets tasks execute arbitrary commands in the Mesos agent's namespace.
   * [MESOS-9616] - `Filters.refuse_seconds` declines resources not in offers.
   * [MESOS-9619] - Mesos Master Crashes with Launch Group when using Port Resources
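Review bot: the commit message gives no rationale beyond "This reverts commit 45bfa2aa...", so readers of the 1.6.x history cannot tell from this hunk why a bug-fix entry is being pulled from the 1.6.3 (WIP) release notes. A one-line reason in the message (e.g. that the corresponding code backport is being reverted in the following commit) would make the CHANGELOG deletion self-explaining; as it stands, only the sibling commit 25f073d shows that the MESOS-9536 fix itself is leaving this branch.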


[mesos] 02/02: Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."

Posted by gi...@apache.org.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 25f073d1e53c60a1856326dd7255c8c514c4e85a
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 15:13:47 2019 -0700

    Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."
    
    This reverts commit e5149a4a00625845995e38eaf96c35ef6817be37.
---
 src/slave/containerizer/mesos/containerizer.cpp    | 24 ++++++---------------
 .../mesos/isolators/filesystem/linux.cpp           | 25 ----------------------
 2 files changed, 7 insertions(+), 42 deletions(-)

diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index a34978a..6e635d8 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1747,25 +1747,15 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
   if (container->containerClass() == ContainerClass::DEFAULT) {
     // TODO(jieyu): Consider moving this to filesystem isolator.
     //
-    // NOTE: For the command executor case, although it uses the host filesystem
-    // for itself, we still set `MESOS_SANDBOX` according to the root filesystem
-    // of the task (if specified). Command executor itself does not use this
-    // environment variable. For nested container which does not have its own
-    // rootfs, if the `filesystem/linux` isolator is enabled, we will also set
-    // `MESOS_SANDBOX` to `flags.sandbox_directory` since in `prepare` method
-    // of the `filesystem/linux` isolator we bind mount such nested container's
-    // sandbox to `flags.sandbox_directory`. Since such bind mount is only done
-    // by the `filesystem/linux` isolator, if another filesystem isolator (e.g.,
-    // `filesystem/posix`) is enabled instead, nested container may still have
-    // no permission to access its sandbox via `MESOS_SANDBOX`.
+    // NOTE: For the command executor case, although it uses the host
+    // filesystem for itself, we still set 'MESOS_SANDBOX' according to
+    // the root filesystem of the task (if specified). Command executor
+    // itself does not use this environment variable.
     Environment::Variable* variable = containerEnvironment.add_variables();
     variable->set_name("MESOS_SANDBOX");
-    variable->set_value(
-        (container->config->has_rootfs() ||
-         (strings::contains(flags.isolation, "filesystem/linux") &&
-          containerId.has_parent()))
-          ? flags.sandbox_directory
-          : container->config->directory());
+    variable->set_value(container->config->has_rootfs()
+      ? flags.sandbox_directory
+      : container->config->directory());
   }
 
   // `launchInfo.environment` contains the environment returned by
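Review bot: the restored NOTE drops every mention of nested containers, yet the `has_parent()` case is exactly where the reverted behaviour mattered, so the comment no longer documents the limitation this hunk reinstates. With `MESOS_SANDBOX` again set to `container->config->directory()` for nested containers without a rootfs, the situation the removed comment described (no permission to access the sandbox via `MESOS_SANDBOX` when `filesystem/posix` is used, and likewise now for `filesystem/linux`) applies on this branch; consider keeping a short "NOTE: nested containers without their own rootfs may not be able to access their sandbox via `MESOS_SANDBOX`, see MESOS-9536" so the next person reading `_launch` knows this is a known gap rather than an oversight. Minor: the restored comment uses 'MESOS_SANDBOX' while the surrounding code comments in this file use backticks.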
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index b3d1d4e..2844327 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -203,16 +203,6 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(const Flags& flags)
     }
   }
 
-  // Create sandbox directory. We will bind mount the sandbox of nested
-  // container which does not have its own rootfs to this directory. See
-  // `prepare` for details.
-  Try<Nothing> mkdir = os::mkdir(flags.sandbox_directory);
-  if (mkdir.isError()) {
-    return Error(
-        "Failed to create sandbox directory at '" +
-        flags.sandbox_directory + "': " + mkdir.error());
-  }
-
   Owned<MesosIsolatorProcess> process(
       new LinuxFilesystemIsolatorProcess(flags));
 
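Review bot: removing the `os::mkdir(flags.sandbox_directory)` call also removes the only early, explicit error path in `create()` for an unusable sandbox directory; make sure nothing else on this branch still expects `flags.sandbox_directory` to exist on the host after this revert, otherwise a failure that used to surface at isolator creation with a clear "Failed to create sandbox directory" message would instead surface later at launch time. If the host directory is genuinely no longer needed once the nested-container bind mount in `prepare` is gone, a sentence in the commit message saying so would document the intent.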
@@ -406,21 +396,6 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
     mount->set_source(containerConfig.directory());
     mount->set_target(sandbox);
     mount->set_flags(MS_BIND | MS_REC);
-  } else if (containerId.has_parent()) {
-    // For nested container which does not have its own rootfs, bind mount its
-    // sandbox to the directory specified via `flags.sandbox_directory` (e.g.,
-    // `/mnt/mesos/sandbox`) in its own mount namespace and set the environment
-    // variable `MESOS_SANDBOX` to `flags.sandbox_directory` (see the `_launch`
-    // method of `MesosContainerizerProcess` for details). The reason that we do
-    // this is, in MESOS-8332 we narrowed task sandbox permissions from 0755 to
-    // 0750, since nested container's sandbox is subdirectory under its parent's
-    // sandbox, if we still set `MESOS_SANDBOX` to `containerConfig.directory()`
-    // for nested container, it will not have permission to access its sandbox
-    // via `MESOS_SANDBOX` if its user is different from its parent's user.
-    ContainerMountInfo* mount = launchInfo.add_mounts();
-    mount->set_source(containerConfig.directory());
-    mount->set_target(flags.sandbox_directory);
-    mount->set_flags(MS_BIND | MS_REC);
   }
 
   // Currently, we only need to update resources for top level containers.
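Review bot: deleting this `else if (containerId.has_parent())` branch brings back the permission problem the removed comment spells out: since MESOS-8332 narrowed sandbox permissions from 0755 to 0750, a nested container without its own rootfs whose user differs from its parent's user will again be unable to reach its sandbox through `MESOS_SANDBOX`. Because the matching CHANGELOG entry was deleted in 08d993e without a replacement, the 1.6.3 release notes now say nothing about this; suggest adding a known-issue line for MESOS-9536 on the 1.6.x branch so operators running multi-user nested containers are not surprised. On the positive side, the revert also removes a bind mount that was performed in the nested container's mount namespace, so the remaining `mount->set_target(sandbox)` path is the only mount this function now emits.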