Posted to commits@mesos.apache.org by gi...@apache.org on 2019/08/15 18:49:42 UTC
[mesos] 01/03: Implemented `cleanup` method for `volume/secret`
isolator.
This is an automated email from the ASF dual-hosted git repository.
gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 8498a9b262cd145fd4966f621b91353bb162b56c
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Aug 15 11:49:22 2019 -0700
Implemented `cleanup` method for `volume/secret` isolator.
Previously, after the `volume/secret` isolator resolved a secret and wrote
it to a path (i.e., <runtime_dir>/.secret/<UUID>) on the agent host for a
container, if the container failed to launch for some reason (e.g., it
failed in another isolator's `prepare` method), that path on the host was
never cleaned up. In this patch, the `volume/secret` isolator is changed to
write all the resolved secrets for a container into a single directory
(i.e., <runtime_dir>/.secret/<containerID>) on the agent host, and the
`cleanup` method of the `volume/secret` isolator is implemented to
remove that directory when the container is destroyed.
Review: https://reviews.apache.org/r/71201/
---
.../mesos/isolators/volume/secret.cpp | 38 ++++++++++++++++++++--
.../mesos/isolators/volume/secret.hpp | 3 ++
2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 4bbcc7a..5131ecb 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -33,6 +33,7 @@
#include <stout/strings.hpp>
#include <stout/os/mkdir.hpp>
+#include <stout/os/rmdir.hpp>
#include <stout/os/touch.hpp>
#include <stout/os/write.hpp>
@@ -128,6 +129,18 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
return None();
}
+ const string containerDir = path::join(
+ flags.runtime_dir,
+ SECRET_DIR,
+ stringify(containerId));
+
+ Try<Nothing> mkdir = os::mkdir(containerDir);
+ if (mkdir.isError()) {
+ return Failure(
+ "Failed to create container directory at '" +
+ containerDir + "': " + mkdir.error());
+ }
+
ContainerLaunchInfo launchInfo;
launchInfo.add_clone_namespaces(CLONE_NEWNS);
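Review bot: The new per-container directory that will hold plaintext secrets is created with `os::mkdir(containerDir)` and no explicit mode; stout's `os::mkdir` takes no mode argument here, so the directory gets the library default (0755 as far as I recall) unless the enclosing `<runtime_dir>/.secret` directory is already created with a restrictive mode somewhere outside this hunk. Since the resolved secret files are written under it (see the `hostSecretPath` change later in this patch), tightening it right after the successful mkdir, e.g. `os::chmod(containerDir, 0700)` with its error checked like the mkdir, would keep the secrets readable by the agent user only even if the file-level permissions are ever missed. Note also that `os::mkdir` succeeds on an already existing directory, so a stale directory for the same ContainerID from an earlier run would be silently reused and its old secret files would survive until cleanup; if that can happen, a comment stating that this is acceptable (or an explicit removal first) would help. The `prepare` method starts before this hunk and continues past it.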
@@ -137,7 +150,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
// TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts
// with user container_path.
- Try<Nothing> mkdir = os::mkdir(sandboxSecretRootDir);
+ mkdir = os::mkdir(sandboxSecretRootDir);
if (mkdir.isError()) {
return Failure("Failed to create sandbox secret root directory at '" +
sandboxSecretRootDir + "': " + mkdir.error());
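Review bot: Reusing the `mkdir` result variable for a second, unrelated directory on the line `mkdir = os::mkdir(sandboxSecretRootDir);` makes the two error paths harder to tell apart when reading the function; a separately named `Try<Nothing> sandboxMkdir = os::mkdir(sandboxSecretRootDir);` with the matching `if (sandboxMkdir.isError())` keeps each result named for the directory it describes. This is a readability point only; the behaviour is unchanged. The body of `prepare` continues outside this hunk.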
@@ -238,7 +251,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
}
const string hostSecretPath =
- path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+ path::join(containerDir, stringify(id::UUID::random()));
const string sandboxSecretPath =
path::join(sandboxSecretRootDir,
@@ -290,6 +303,27 @@ Future<Option<ContainerLaunchInfo>> VolumeSecretIsolatorProcess::prepare(
});
}
+
+Future<Nothing> VolumeSecretIsolatorProcess::cleanup(
+ const ContainerID& containerId)
+{
+ const string containerDir = path::join(
+ flags.runtime_dir,
+ SECRET_DIR,
+ stringify(containerId));
+
+ if (os::exists(containerDir)) {
+ Try<Nothing> rmdir = os::rmdir(containerDir);
+ if (rmdir.isError()) {
+ return Failure(
+ "Failed to remove the container directory '" +
+ containerDir + "': " + rmdir.error());
+ }
+ }
+
+ return Nothing();
+}
+
} // namespace slave {
} // namespace internal {
} // namespace mesos {
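Review bot: The new `cleanup` method has no comment explaining what the directory it removes contains, which matters here because a failed or skipped removal leaves plaintext secrets on the agent host; a one-line header such as `// Remove the host-side copies of every secret resolved for this container in 'prepare'.` above the definition, and `// Nothing to remove if 'prepare' never ran or already failed before the mkdir.` before the `os::exists` check, would make that explicit. Also worth stating in the commit or a comment is that only the destroy path is covered: directories left behind for containers that disappear across an agent restart are not handled by this patch unless `recover` (not shown here) deals with them. The `os::exists` guard is fine since `os::rmdir` on a missing path would otherwise surface as a failure.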
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index a166491..e3cf713 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
const ContainerID& containerId,
const mesos::slave::ContainerConfig& containerConfig) override;
+ process::Future<Nothing> cleanup(
+ const ContainerID& containerId) override;
+
private:
VolumeSecretIsolatorProcess(
const Flags& flags,