Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/02 00:07:15 UTC
mesos git commit: Updated filesystem linux isolator pre exec commands
to be non-shell.
Repository: mesos
Updated Branches:
refs/heads/master 988ebc878 -> 9c6097f06
Updated filesystem linux isolator pre exec commands to be non-shell.
Review: https://reviews.apache.org/r/50216/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/9c6097f0
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/9c6097f0
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/9c6097f0
Branch: refs/heads/master
Commit: 9c6097f063405279efc07eec22457c2059653f07
Parents: 988ebc8
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 17:07:00 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Mon Aug 1 17:07:00 2016 -0700
----------------------------------------------------------------------
.../mesos/isolators/filesystem/linux.cpp | 66 +++++++++++++++-----
.../mesos/isolators/filesystem/linux.hpp | 2 +-
2 files changed, 50 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/9c6097f0/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index db3ed8f..ed7366a 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -49,6 +49,7 @@ using namespace process;
using std::list;
using std::ostringstream;
using std::string;
+using std::vector;
using mesos::slave::ContainerConfig;
using mesos::slave::ContainerState;
@@ -286,13 +287,16 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
// namespace right after forking the executor process. We use these
// commands to mount those volumes specified in the container info
// so that they don't pollute the host mount namespace.
- Try<string> _script = script(containerId, containerConfig);
- if (_script.isError()) {
- return Failure("Failed to generate isolation script: " + _script.error());
+ Try<vector<CommandInfo>> commands =
+ getPreExecCommands(containerId, containerConfig);
+
+ if (commands.isError()) {
+ return Failure("Failed to get pre-exec commands: " + commands.error());
}
- CommandInfo* command = launchInfo.add_pre_exec_commands();
- command->set_value(_script.get());
+ foreach (const CommandInfo& command, commands.get()) {
+ launchInfo.add_pre_exec_commands()->CopyFrom(command);
+ }
return update(containerId, containerConfig.executor_info().resources())
.then([launchInfo]() -> Future<Option<ContainerLaunchInfo>> {
@@ -301,27 +305,38 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
}
-Try<string> LinuxFilesystemIsolatorProcess::script(
+Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands(
const ContainerID& containerId,
const ContainerConfig& containerConfig)
{
- ostringstream out;
- out << "#!/bin/sh\n";
- out << "set -x -e\n";
+ vector<CommandInfo> commands;
// Make sure mounts in the container mount namespace do not
// propagate back to the host mount namespace.
// NOTE: We cannot simply run `mount --make-rslave /`, for more info
// please refer to comments in mount.hpp.
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value(path::join(flags.launcher_dir, "mesos-containerizer"));
+ command.add_arguments("mesos-containerizer");
+ command.add_arguments(MesosContainerizerMount::NAME);
+
MesosContainerizerMount::Flags mountFlags;
mountFlags.operation = MesosContainerizerMount::MAKE_RSLAVE;
mountFlags.path = "/";
- out << path::join(flags.launcher_dir, "mesos-containerizer") << " "
- << MesosContainerizerMount::NAME << " "
- << stringify(mountFlags) << "\n";
+
+ foreachvalue (const flags::Flag& flag, mountFlags) {
+ const Option<string> value = flag.stringify(flags);
+ if (value.isSome()) {
+ command.add_arguments(
+ "--" + flag.effective_name().value + "=" + value.get());
+ }
+ }
+
+ commands.push_back(command);
if (!containerConfig.executor_info().has_container()) {
- return out.str();
+ return commands;
}
// Bind mount the sandbox if the container specifies a rootfs.
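Review bot: In the loop over `mountFlags`, `flag.stringify(flags)` passes the isolator's own `flags` member (the object used for `flags.launcher_dir` a few lines above) rather than the `mountFlags` object being iterated. If stout's `Flag::stringify` only yields a value for the flags object the flag was registered on, which cannot be confirmed from this hunk, the operation and path arguments would be silently dropped. The make-rslave step would then not run as intended, which weakens the guarantee stated in the comment that container mounts do not propagate back to the host. The call should likely read `const Option<string> value = flag.stringify(mountFlags);`. The body of getPreExecCommands continues outside the hunk.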
@@ -337,8 +352,16 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
sandbox + "': " + mkdir.error());
}
- out << "mount -n --rbind '" << containerConfig.directory()
- << "' '" << sandbox << "'\n";
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value("mount");
+ command.add_arguments("mount");
+ command.add_arguments("-n");
+ command.add_arguments("--rbind");
+ command.add_arguments(containerConfig.directory());
+ command.add_arguments(sandbox);
+
+ commands.push_back(command);
}
foreach (const Volume& volume,
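Review bot: With `set_shell(false)`, `command.set_value("mount")` leaves the binary to be resolved through whatever PATH the pre-exec runner sees, unlike the `mesos-containerizer` command earlier in the function, which is built from `flags.launcher_dir`. The same applies to the volume mount in the hunk at -490. How pre-exec commands are executed is not visible here, so confirm whether lookup goes through PATH; for a mount step an absolute path to the binary is the safer choice. Separately, the directory and sandbox values are now positional arguments, so adding `command.add_arguments("--");` before them would keep a path that begins with `-` from being read as a mount option. The enclosing function starts and ends outside this hunk.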
@@ -490,10 +513,19 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
}
// TODO(jieyu): Consider the mode in the volume.
- out << "mount -n --rbind '" << source << "' '" << target << "'\n";
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value("mount");
+ command.add_arguments("mount");
+ command.add_arguments("-n");
+ command.add_arguments("--rbind");
+ command.add_arguments(source);
+ command.add_arguments(target);
+
+ commands.push_back(command);
}
- return out.str();
+ return commands;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/9c6097f0/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
index 0afe927..0a85935 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
@@ -64,7 +64,7 @@ public:
private:
LinuxFilesystemIsolatorProcess(const Flags& flags);
- Try<std::string> script(
+ Try<std::vector<CommandInfo>> getPreExecCommands(
const ContainerID& containerId,
const mesos::slave::ContainerConfig& containerConfig);