Posted to commits@mesos.apache.org by gi...@apache.org on 2019/08/15 20:06:12 UTC

[mesos] branch 1.7.x updated (ccecf11 -> bfceb10)

This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a change to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from ccecf11  Added MESOS-9868 to the 1.7.3 CHANGELOG.
     new 3046b42  Implemented `cleanup` method for `volume/secret` isolator.
     new 058900e  Moved const string `.secret` to paths.hpp.
     new bfceb10  Added MESOS-9893 to 1.7.3 CHANGELOG.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGELOG                                          |  1 +
 .../mesos/isolators/volume/secret.cpp              | 50 +++++++++++++++++++---
 .../mesos/isolators/volume/secret.hpp              |  3 ++
 src/slave/containerizer/mesos/paths.hpp            |  1 +
 4 files changed, 48 insertions(+), 7 deletions(-)


[mesos] 03/03: Added MESOS-9893 to 1.7.3 CHANGELOG.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit bfceb10f504353b5a94b93c0f8af9d845acda4a4
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Thu Aug 15 13:00:26 2019 -0700

    Added MESOS-9893 to 1.7.3 CHANGELOG.
    
    (cherry picked from commit 5071d4928c351e89b8d19d89be78649d081db409)
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index 4a64c94..3938f39 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,7 @@ Release Notes - Mesos - Version 1.7.3 (WIP)
   * [MESOS-9856] - REVIVE call with specified role(s) clears filters for all roles of a framework.
   * [MESOS-9868] - NetworkInfo from the agent /state endpoint is not correct.
   * [MESOS-9870] - Simultaneous adding/removal of a role from framework's roles and its suppressed roles crashes the master.
+  * [MESOS-9893] - `volume/secret` isolator should cleanup the stored secret from runtime directory when the container is destroyed.
 
 ** Improvements
   * [MESOS-8880] - Add minimum capabilities in the master.


[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 3046b42ff51c05b8eb896926b3e42fd2036bb5a9
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

    Implemented `cleanup` method for `volume/secret` isolator.
    
    Previously, after `volume/secret` isolator resolves a secret and writes
    it into a path (i.e., <runtime_dir>/.secret/<UUID>) on agent host for a
    container, if the container fails to launch somehow (e.g., fails in
    another isolator's `prepare` method), that path on the host will never
    be cleaned up. In this patch, `volume/secret` isolator is improved to
    write all the resolved secrets for a container into a single directory
    (i.e., <runtime_dir>/.secret/<containerID>) on agent host, and the
    `cleanup` method of the `volume/secret` isolator is implemented to
    remove that directory when the container is destroyed.
    
    Review: https://reviews.apache.org/r/71201/
    (cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c)
    (cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987)
---
 .../mesos/isolators/volume/secret.cpp              | 38 ++++++++++++++++++++--
 .../mesos/isolators/volume/secret.hpp              |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 7a9bb82..acd1d8f 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -31,6 +31,7 @@
 #include <stout/strings.hpp>
 
 #include <stout/os/mkdir.hpp>
+#include <stout/os/rmdir.hpp>
 #include <stout/os/touch.hpp>
 #include <stout/os/write.hpp>
 
@@ -119,6 +120,18 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     return None();
   }
 
+  const string containerDir = path::join(
+      flags.runtime_dir,
+      SECRET_DIR,
+      stringify(containerId));
+
+  Try<Nothing> mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+    return Failure(
+        "Failed to create container directory at '" +
+        containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
@@ -128,7 +141,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts
   // with user container_path.
-  Try<Nothing> mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
     return Failure("Failed to create sandbox secret root directory at '" +
                    sandboxSecretRootDir + "': " + mkdir.error());
@@ -236,7 +249,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     }
 
     const string hostSecretPath =
-      path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+      path::join(containerDir, stringify(id::UUID::random()));
 
     const string sandboxSecretPath =
       path::join(sandboxSecretRootDir,
@@ -312,6 +325,27 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
     });
 }
 
+
+Future<Nothing> VolumeSecretIsolatorProcess::cleanup(
+    const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+      flags.runtime_dir,
+      SECRET_DIR,
+      stringify(containerId));
+
+  if (os::exists(containerDir)) {
+    Try<Nothing> rmdir = os::rmdir(containerDir);
+    if (rmdir.isError()) {
+      return Failure(
+          "Failed to remove the container directory '" +
+          containerDir + "': " + rmdir.error());
+    }
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
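Review bot: `cleanup` silently succeeds when `containerDir` is absent, and nothing says why that is expected; a comment above the `os::exists` check would help, e.g. `// The directory may not exist: 'prepare' returns early for containers without secret volumes, or may have failed before creating it.` Since the files being removed contain resolved secrets, the comment should also state that this relies on `os::rmdir` removing the directory's contents along with it (its recursive default, if I read stout correctly), so that a later change to a non-recursive call does not leave secret files behind.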
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index a166491..e3cf713 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
       const ContainerID& containerId,
       const mesos::slave::ContainerConfig& containerConfig) override;
 
+  process::Future<Nothing> cleanup(
+      const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
       const Flags& flags,


[mesos] 02/03: Moved const string `.secret` to paths.hpp.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 058900ee335b24c9dd2386115847defcf2c09d2e
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Aug 15 11:49:23 2019 -0700

    Moved const string `.secret` to paths.hpp.
    
    Review: https://reviews.apache.org/r/71221/
    (cherry picked from commit 34330fb08466116c8483ce6de234126a6089a683)
    (cherry picked from commit ae8c16ae7eaa5ffb301300278a18f3f662a5d8d5)
---
 .../containerizer/mesos/isolators/volume/secret.cpp      | 16 +++++++++-------
 src/slave/containerizer/mesos/paths.hpp                  |  1 +
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index acd1d8f..c378256 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -14,6 +14,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include "slave/containerizer/mesos/paths.hpp"
+
 #include "slave/containerizer/mesos/isolators/volume/secret.hpp"
 
 #include <string>
@@ -48,6 +50,8 @@ using process::Failure;
 using process::Future;
 using process::Owned;
 
+using mesos::internal::slave::containerizer::paths::SECRET_DIRECTORY;
+
 using mesos::slave::ContainerClass;
 using mesos::slave::ContainerConfig;
 using mesos::slave::ContainerLaunchInfo;
@@ -58,9 +62,6 @@ namespace mesos {
 namespace internal {
 namespace slave {
 
-constexpr char SECRET_DIR[] = ".secret";
-
-
 Try<Isolator*> VolumeSecretIsolatorProcess::create(
     const Flags& flags,
     SecretResolver* secretResolver)
@@ -70,7 +71,8 @@ Try<Isolator*> VolumeSecretIsolatorProcess::create(
     return Error("Volume secret isolation requires filesystem/linux isolator.");
   }
 
-  const string hostSecretTmpDir = path::join(flags.runtime_dir, SECRET_DIR);
+  const string hostSecretTmpDir =
+    path::join(flags.runtime_dir, SECRET_DIRECTORY);
 
   Try<Nothing> mkdir = os::mkdir(hostSecretTmpDir);
   if (mkdir.isError()) {
@@ -122,7 +124,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   const string containerDir = path::join(
       flags.runtime_dir,
-      SECRET_DIR,
+      SECRET_DIRECTORY,
       stringify(containerId));
 
   Try<Nothing> mkdir = os::mkdir(containerDir);
@@ -137,7 +139,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
 
   const string sandboxSecretRootDir =
     path::join(containerConfig.directory(),
-               SECRET_DIR + string("-") + stringify(id::UUID::random()));
+               SECRET_DIRECTORY + string("-") + stringify(id::UUID::random()));
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts
   // with user container_path.
@@ -331,7 +333,7 @@ Future<Nothing> VolumeSecretIsolatorProcess::cleanup(
 {
   const string containerDir = path::join(
       flags.runtime_dir,
-      SECRET_DIR,
+      SECRET_DIRECTORY,
       stringify(containerId));
 
   if (os::exists(containerDir)) {
diff --git a/src/slave/containerizer/mesos/paths.hpp b/src/slave/containerizer/mesos/paths.hpp
index 6ace481..31d1d55 100644
--- a/src/slave/containerizer/mesos/paths.hpp
+++ b/src/slave/containerizer/mesos/paths.hpp
@@ -80,6 +80,7 @@ constexpr char CONTAINER_DIRECTORY[] = "containers";
 constexpr char CONTAINER_DEVICES_DIRECTORY[] = "devices";
 constexpr char CONTAINER_LAUNCH_INFO_FILE[] = "launch_info";
 constexpr char STANDALONE_MARKER_FILE[] = "standalone.marker";
+constexpr char SECRET_DIRECTORY[] = ".secret";
 
 
 enum Mode