Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/02 00:07:15 UTC

mesos git commit: Updated filesystem linux isolator pre exec commands to be non-shell.

Repository: mesos
Updated Branches:
  refs/heads/master 988ebc878 -> 9c6097f06


Updated filesystem linux isolator pre exec commands to be non-shell.

Review: https://reviews.apache.org/r/50216/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/9c6097f0
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/9c6097f0
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/9c6097f0

Branch: refs/heads/master
Commit: 9c6097f063405279efc07eec22457c2059653f07
Parents: 988ebc8
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 17:07:00 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Mon Aug 1 17:07:00 2016 -0700

----------------------------------------------------------------------
 .../mesos/isolators/filesystem/linux.cpp        | 66 +++++++++++++++-----
 .../mesos/isolators/filesystem/linux.hpp        |  2 +-
 2 files changed, 50 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/9c6097f0/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index db3ed8f..ed7366a 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -49,6 +49,7 @@ using namespace process;
 using std::list;
 using std::ostringstream;
 using std::string;
+using std::vector;
 
 using mesos::slave::ContainerConfig;
 using mesos::slave::ContainerState;
@@ -286,13 +287,16 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
   // namespace right after forking the executor process. We use these
   // commands to mount those volumes specified in the container info
   // so that they don't pollute the host mount namespace.
-  Try<string> _script = script(containerId, containerConfig);
-  if (_script.isError()) {
-    return Failure("Failed to generate isolation script: " + _script.error());
+  Try<vector<CommandInfo>> commands =
+    getPreExecCommands(containerId, containerConfig);
+
+  if (commands.isError()) {
+    return Failure("Failed to get pre-exec commands: " + commands.error());
   }
 
-  CommandInfo* command = launchInfo.add_pre_exec_commands();
-  command->set_value(_script.get());
+  foreach (const CommandInfo& command, commands.get()) {
+    launchInfo.add_pre_exec_commands()->CopyFrom(command);
+  }
 
   return update(containerId, containerConfig.executor_info().resources())
     .then([launchInfo]() -> Future<Option<ContainerLaunchInfo>> {
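Review bot: Replacing the single `set -x -e` script with separate `CommandInfo` entries in the `foreach` means abort-on-first-failure and command tracing are no longer enforced by this code. They now depend on how the launcher runs `pre_exec_commands`, which this diff does not show. If the launcher does not stop on a non-zero exit, a failed make-rslave or bind mount could leave the container starting with mounts that still propagate to the host, or with a volume missing. I would record the contract next to the loop, e.g. `// NOTE: Commands run in order; the launcher must fail the launch if any of them exits non-zero.`, and confirm the launcher checks each status. The body of prepare() starts before this hunk and continues past it.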
@@ -301,27 +305,38 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
 }
 
 
-Try<string> LinuxFilesystemIsolatorProcess::script(
+Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands(
     const ContainerID& containerId,
     const ContainerConfig& containerConfig)
 {
-  ostringstream out;
-  out << "#!/bin/sh\n";
-  out << "set -x -e\n";
+  vector<CommandInfo> commands;
 
   // Make sure mounts in the container mount namespace do not
   // propagate back to the host mount namespace.
   // NOTE: We cannot simply run `mount --make-rslave /`, for more info
   // please refer to comments in mount.hpp.
+  CommandInfo command;
+  command.set_shell(false);
+  command.set_value(path::join(flags.launcher_dir, "mesos-containerizer"));
+  command.add_arguments("mesos-containerizer");
+  command.add_arguments(MesosContainerizerMount::NAME);
+
   MesosContainerizerMount::Flags mountFlags;
   mountFlags.operation = MesosContainerizerMount::MAKE_RSLAVE;
   mountFlags.path = "/";
-  out << path::join(flags.launcher_dir, "mesos-containerizer") << " "
-      << MesosContainerizerMount::NAME << " "
-      << stringify(mountFlags) << "\n";
+
+  foreachvalue (const flags::Flag& flag, mountFlags) {
+    const Option<string> value = flag.stringify(flags);
+    if (value.isSome()) {
+      command.add_arguments(
+          "--" + flag.effective_name().value + "=" + value.get());
+    }
+  }
+
+  commands.push_back(command);
 
   if (!containerConfig.executor_info().has_container()) {
-    return out.str();
+    return commands;
   }
 
   // Bind mount the sandbox if the container specifies a rootfs.
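Review bot: The loop iterates over `mountFlags` but calls `flag.stringify(flags)`, and `flags` here is the isolator's own member (the same object read as `flags.launcher_dir` a few lines above), not the `MesosContainerizerMount::Flags` that was just populated. The implementation of `stringify` is not visible in this diff, but if it reads the value from the object passed in, `--operation` and `--path` would be taken from the wrong object or skipped. In that case the make-rslave step, which keeps container mounts from propagating back to the host mount namespace, would not be requested as intended. The call should read `const Option<string> value = flag.stringify(mountFlags);`. getPreExecCommands continues past the end of this hunk.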
@@ -337,8 +352,16 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
           sandbox + "': " + mkdir.error());
     }
 
-    out << "mount -n --rbind '" << containerConfig.directory()
-        << "' '" << sandbox << "'\n";
+    CommandInfo command;
+    command.set_shell(false);
+    command.set_value("mount");
+    command.add_arguments("mount");
+    command.add_arguments("-n");
+    command.add_arguments("--rbind");
+    command.add_arguments(containerConfig.directory());
+    command.add_arguments(sandbox);
+
+    commands.push_back(command);
   }
 
   foreach (const Volume& volume,
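Review bot: `command.set_value("mount")` names the binary without a directory, so which executable runs for this privileged pre-exec step depends on how the launcher resolves `value` and on the PATH it inherits. Neither is visible in this diff. The volume bind mount in the last hunk of this file has the same form. I would resolve `mount` to an absolute path once and reuse it, or at least state the assumption in a comment such as `// NOTE: 'mount' is looked up via the launcher's PATH; that PATH must be trusted.`. The enclosing function starts and ends outside this hunk.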
@@ -490,10 +513,19 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
     }
 
     // TODO(jieyu): Consider the mode in the volume.
-    out << "mount -n --rbind '" << source << "' '" << target << "'\n";
+    CommandInfo command;
+    command.set_shell(false);
+    command.set_value("mount");
+    command.add_arguments("mount");
+    command.add_arguments("-n");
+    command.add_arguments("--rbind");
+    command.add_arguments(source);
+    command.add_arguments(target);
+
+    commands.push_back(command);
   }
 
-  return out.str();
+  return commands;
 }
 
 
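Review bot: This block is the second hand-built copy of the `mount -n --rbind` command; the first is in the sandbox bind mount earlier in the same function. Any later change to how mount is invoked therefore has to be made in two places. A small file-local helper that takes `source` and `target` and returns the populated `CommandInfo` would keep the two in step, with the call here becoming `commands.push_back(createBindMountCommand(source, target));`. The helper name is only a suggestion. The loop body that computes `source` and `target` starts before this hunk.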

http://git-wip-us.apache.org/repos/asf/mesos/blob/9c6097f0/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
index 0afe927..0a85935 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
@@ -64,7 +64,7 @@ public:
 private:
   LinuxFilesystemIsolatorProcess(const Flags& flags);
 
-  Try<std::string> script(
+  Try<std::vector<CommandInfo>> getPreExecCommands(
       const ContainerID& containerId,
       const mesos::slave::ContainerConfig& containerConfig);