Posted to commits@mesos.apache.org by ji...@apache.org on 2017/07/01 00:23:27 UTC

[1/7] mesos git commit: Add bounding_capabilities to LinuxInfo.

Repository: mesos
Updated Branches:
  refs/heads/master 15078addd -> cb601b225


Add bounding_capabilities to LinuxInfo.

Add a bounding_capabilities CapabilityInfo field to the LinuxInfo
to carry the framework-specified capabilities bounding set.

Review: https://reviews.apache.org/r/60409/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/906fd43b
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/906fd43b
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/906fd43b

Branch: refs/heads/master
Commit: 906fd43b7f7a9dfbffebab82f00129cdb8f0586a
Parents: 15078ad
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:24 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:24 2017 -0700

----------------------------------------------------------------------
 include/mesos/mesos.proto    | 4 ++++
 include/mesos/v1/mesos.proto | 4 ++++
 2 files changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/906fd43b/include/mesos/mesos.proto
----------------------------------------------------------------------
diff --git a/include/mesos/mesos.proto b/include/mesos/mesos.proto
index 678178c..5fe28bc 100644
--- a/include/mesos/mesos.proto
+++ b/include/mesos/mesos.proto
@@ -2644,6 +2644,10 @@ message CapabilityInfo {
 message LinuxInfo {
   // Represents the capability whitelist.
   optional CapabilityInfo capability_info = 1;
+
+  // The set of capabilities that are allowed but not initially
+  // granted to tasks.
+  optional CapabilityInfo bounding_capabilities = 2;
 }
 
 
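Review bot: The comment on `bounding_capabilities` (and the identical one added to `include/mesos/v1/mesos.proto`) does not say how the field interacts with the agent's `--bounding_capabilities` flag. This field controls which privileges a task may still acquire after launch, so a framework author needs two facts: a set outside the operator's bounding set causes the task to be rejected (the isolator change later in this series enforces that), and leaving the field unset makes the agent use the operator's set. I would extend the comment with `// Must be within the agent's --bounding_capabilities when that flag is set, otherwise the task is rejected. If unset, the agent's bounding set is used.`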

http://git-wip-us.apache.org/repos/asf/mesos/blob/906fd43b/include/mesos/v1/mesos.proto
----------------------------------------------------------------------
diff --git a/include/mesos/v1/mesos.proto b/include/mesos/v1/mesos.proto
index a038e95..091cecd 100644
--- a/include/mesos/v1/mesos.proto
+++ b/include/mesos/v1/mesos.proto
@@ -2627,6 +2627,10 @@ message CapabilityInfo {
 message LinuxInfo {
   // Represents the capability whitelist.
   optional CapabilityInfo capability_info = 1;
+
+  // The set of capabilities that are allowed but not initially
+  // granted to tasks.
+  optional CapabilityInfo bounding_capabilities = 2;
 }
 
 


[6/7] mesos git commit: Update documentation for framework bounding capabilities.

Posted by ji...@apache.org.
Update documentation for framework bounding capabilities.

Review: https://reviews.apache.org/r/60414/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/a28f7726
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/a28f7726
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/a28f7726

Branch: refs/heads/master
Commit: a28f7726a57e0351e312a08ca260b50a9ccb3171
Parents: 31c7ad7
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:36 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:36 2017 -0700

----------------------------------------------------------------------
 docs/linux_capabilities.md | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/a28f7726/docs/linux_capabilities.md
----------------------------------------------------------------------
diff --git a/docs/linux_capabilities.md b/docs/linux_capabilities.md
index 30b9f0c..d45c66c 100644
--- a/docs/linux_capabilities.md
+++ b/docs/linux_capabilities.md
@@ -35,10 +35,12 @@ be explicitly dropped.  If the `--effective_capabilities` flag is not
 present, the task will be launched with the default capabilities of the
 task user but the ambient capabilities will not be set.
 
-The `--bounding_capabilities` flag specifies an upper bound on the the
-capabilities a task is allowed to acquire or be granted.  Schedulers are
-not allowed to launch tasks with capabilities outside the set specified
-by the `--bounding_capabilities` flag.
+The `--bounding_capabilities` flag specifies an upper bound on the
+the capabilities a task is allowed to acquire or be granted.
+Schedulers are not allowed to launch tasks with capabilities outside
+the set specified by the `--bounding_capabilities` flag, but may
+specify effective or bounding capabilities that are within this
+set.
 
 An empty list for `--bounding_capabilities` signifies that no capabilities
 are allowed, while an absent `--bounding_capabilities` flag signifies
@@ -57,18 +59,19 @@ sudo mesos-agent --master=<master ip> --ip=<agent ip>
 
 ## Task setup
 
-In order for a Mesos task to acquire effective capabilities it should
-declare the required capabilities in the `LinuxInfo` element of its
-`ContainerInfo`.
+In order for a Mesos task to acquire specific effective capabilities
+or limit its bounding capabilities it should declare the required
+capabilities in the `LinuxInfo` element of its `ContainerInfo`.
 
 A Mesos task can only request capabilities which are allowed according
 to the `--bounding_capabilities` flag of the agent; a task requesting
 other capabilities will be rejected. When the `--bounding_capabilities`
-flag is not present, all capability request will be granted.
-
-If the optional `capability_info` field is not set, the value of the
-`--effective_capabilities` flag will be used to populate the task
-capabilities. If an empty list of capabilities is given, the Mesos task
-will drop all capabilities.  Note that the task will be unable to acquire
-capabilities not specified in the final `capability_info` even if the
-`--bounding_capabilities` flag would otherwise allow them.
+flag is not present, all capability requests will be granted.
+
+If the optional `effective_capabilities` field is not set, the value
+of the `--effective_capabilities` flag will be used to populate the
+task capabilities. If the optional `bounding_capabilities` field
+is not set, the value of the `--bounding_capabilities` flag will
+be used to populate the task capabilities. In both case, if an empty
+list of capabilities is given, the Mesos task will drop all
+capabilities in the corresponding set.


[7/7] mesos git commit: Update mesos-execute capabilities options.

Posted by ji...@apache.org.
Update mesos-execute capabilities options.

Update mesos-execute capabilities options to match the
framework capabilities fields. Rename `--capabilities`
to `--effective_capabilities`, and add a new
`--bounding_capabilities` option.

Review: https://reviews.apache.org/r/60497/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/cb601b22
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/cb601b22
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/cb601b22

Branch: refs/heads/master
Commit: cb601b225ab409a7f95184c8fe21e1bcc274c847
Parents: a28f772
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:39 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:39 2017 -0700

----------------------------------------------------------------------
 src/cli/execute.cpp | 43 +++++++++++++++++++++++++++++++++----------
 1 file changed, 33 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/cb601b22/src/cli/execute.cpp
----------------------------------------------------------------------
diff --git a/src/cli/execute.cpp b/src/cli/execute.cpp
index 9aafd80..670a516 100644
--- a/src/cli/execute.cpp
+++ b/src/cli/execute.cpp
@@ -253,10 +253,22 @@ public:
         "Containerizer to be used (i.e., docker, mesos).",
         "mesos");
 
-    add(&Flags::capabilities,
-        "capabilities",
-        "JSON representation of system capabilities needed to execute \n"
-        "the command.\n"
+    add(&Flags::effective_capabilities,
+        "effective_capabilities",
+        "JSON representation of effective system capabilities that should be\n"
+        "granted to the command.\n"
+        "Example:\n"
+        "{\n"
+        "   \"capabilities\": [\n"
+        "       \"NET_RAW\",\n"
+        "       \"SYS_ADMIN\"\n"
+        "     ]\n"
+        "}");
+
+    add(&Flags::bounding_capabilities,
+        "bounding_capabilities",
+        "JSON representation of system capabilities bounding set that should\n"
+        "be applied to the command.\n"
         "Example:\n"
         "{\n"
         "   \"capabilities\": [\n"
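Review bot: Neither help string says how the two sets relate, so a user can pass an `--effective_capabilities` set that is not within `--bounding_capabilities` and learn about it only when the agent's isolator fails the task. Adding a line such as `"Must be within --bounding_capabilities when both are given.\n"` to the `effective_capabilities` help would surface the constraint where the user sets it. The rename also removes `--capabilities` without leaving an alias, which presumably breaks existing `mesos-execute` invocations; if that is intended it deserves a mention in the upgrade notes. The second `add(...)` call and the enclosing constructor continue past the end of this hunk.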
@@ -368,7 +380,8 @@ public:
   Option<std::set<string>> framework_capabilities;
   Option<JSON::Array> volumes;
   string containerizer;
-  Option<CapabilityInfo> capabilities;
+  Option<CapabilityInfo> effective_capabilities;
+  Option<CapabilityInfo> bounding_capabilities;
   Option<RLimitInfo> rlimits;
   string role;
   Option<Duration> kill_after;
@@ -767,7 +780,8 @@ static Result<ContainerInfo> getContainerInfo(
     const Option<string>& networks,
     const Option<string>& appcImage,
     const Option<string>& dockerImage,
-    const Option<CapabilityInfo>& capabilities,
+    const Option<CapabilityInfo>& effective_capabilities,
+    const Option<CapabilityInfo>& bounding_capabilities,
     const Option<RLimitInfo>& rlimits)
 {
   if (containerizer.empty()) {
@@ -786,7 +800,8 @@ static Result<ContainerInfo> getContainerInfo(
   if (containerizer == "mesos") {
     if (appcImage.isNone() &&
         dockerImage.isNone() &&
-        capabilities.isNone() &&
+        effective_capabilities.isNone() &&
+        bounding_capabilities.isNone() &&
         rlimits.isNone() &&
         (networks.isNone() || networks->empty()) &&
         (volumes.isNone() || volumes->empty())) {
@@ -832,11 +847,18 @@ static Result<ContainerInfo> getContainerInfo(
       }
     }
 
-    if (capabilities.isSome()) {
+    if (effective_capabilities.isSome()) {
       containerInfo
         .mutable_linux_info()
         ->mutable_effective_capabilities()
-        ->CopyFrom(capabilities.get());
+        ->CopyFrom(effective_capabilities.get());
+    }
+
+    if (bounding_capabilities.isSome()) {
+      containerInfo
+        .mutable_linux_info()
+        ->mutable_bounding_capabilities()
+        ->CopyFrom(bounding_capabilities.get());
     }
 
     if (rlimits.isSome()) {
@@ -1166,7 +1188,8 @@ int main(int argc, char** argv)
         flags.networks,
         appcImage,
         dockerImage,
-        flags.capabilities,
+        flags.effective_capabilities,
+        flags.bounding_capabilities,
         flags.rlimits);
 
     if (containerInfo.isError()){


[4/7] mesos git commit: Add more linux/capabilities isolator test cases.

Posted by ji...@apache.org.
Add more linux/capabilities isolator test cases.

Add a case to verify that the effective framework capabilities
must be within the bounding framework capabilities.

Check that setting the framework capabilities to something that
is insufficient to execute ping overrides the operator flags and
fails.

Check that setting the framework bounding capabilities to allow
ping overrides the operator flags and succeeds.

Check that setting the framework effective and bounding
capabilities to allow ping overrides the operator flags and
succeeds.

Review: https://reviews.apache.org/r/60412/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dd2374bd
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dd2374bd
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dd2374bd

Branch: refs/heads/master
Commit: dd2374bdb16965ec789553b0f3b47f9a55c72571
Parents: 508f73e
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:31 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:31 2017 -0700

----------------------------------------------------------------------
 .../linux_capabilities_isolator_tests.cpp       | 101 +++++++++++++++++++
 1 file changed, 101 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/dd2374bd/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
index 4a21c9a..a0b8b4b 100644
--- a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
+++ b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
@@ -367,6 +367,37 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::FAILURE),
 
+        // The framework effective set is outside the bounding set
+        // so the task will be failed by the isolator.
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>(),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>(),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+
         // Effective capabilities do not contain that ping needs, thus
         // ping will fail.
         TestParam(
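Review bot: Every case added in this commit, here and in the four hunks that follow, passes `None()` for both operator sets. As a result, none of the hunks shown exercises the isolator's new rejection path, where a framework bounding set is not within the agent's `--bounding_capabilities`. That check is the operator's outer privilege limit, so it should have a FAILURE case in both image modes, as sketched below. The commit message speaks of overriding the operator flags, but with no operator flags set in these cases nothing is being overridden. The `INSTANTIATE_TEST_CASE_P` list starts and ends outside this hunk.

```cpp
        // Framework bounding set exceeds the operator bounding set, so
        // the isolator must reject the task.
        TestParam(
            None(),
            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
            None(),
            set<Capability>({CHOWN}),
            TestParam::WITHOUT_IMAGE,
            TestParam::FAILURE),
        TestParam(
            None(),
            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
            None(),
            set<Capability>({CHOWN}),
            TestParam::WITH_IMAGE,
            TestParam::FAILURE),
```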
@@ -397,6 +428,34 @@ INSTANTIATE_TEST_CASE_P(
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
 
         // Framework effective capabilities are not allowed, task will fail.
         TestParam(
@@ -417,6 +476,20 @@ INSTANTIATE_TEST_CASE_P(
         // Dropped all capabilities but those that ping needs, thus
         // ping will finish normally.
         TestParam(
+            set<Capability>({DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            set<Capability>(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             None(),
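Review bot: The two added cases sit under the comment `Dropped all capabilities but those that ping needs`, but their effective sets (`{DAC_READ_SEARCH}` and `{}`) do not contain `NET_RAW`. They can only succeed if ping gains the capability from the bounding set at exec time, presumably through setuid or file capabilities on the binary. That makes the result depend on how ping is installed on the host or in the image. The dependency should be stated next to the cases, e.g. `// Effective set lacks NET_RAW; ping is expected to acquire it from the bounding set on exec.` The pair also changes the effective set and the image mode at the same time, unlike the neighbouring pairs, so each variant is covered in only one mode.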
@@ -431,6 +504,20 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             None(),
             None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
@@ -459,6 +546,20 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
+            None(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            None(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),


[3/7] mesos git commit: Allow frameworks to specify the capabilities bounding set.

Posted by ji...@apache.org.
Allow frameworks to specify the capabilities bounding set.

Allow frameworks to specify the capabilities bounding set in the
LinuxInfo message. We need to explicitly make sure that this does
not exceed any bounding set specified by the operator, since that
is the outer limit of allowed privilege.

Review: https://reviews.apache.org/r/60411/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/508f73e3
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/508f73e3
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/508f73e3

Branch: refs/heads/master
Commit: 508f73e3b45bc6003d1ba862842aea34b0be6735
Parents: d197be3
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:29 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:29 2017 -0700

----------------------------------------------------------------------
 .../mesos/isolators/linux/capabilities.cpp      | 33 ++++++++++++++------
 1 file changed, 23 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/508f73e3/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
index ff7b9f1..5c79619 100644
--- a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
+++ b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
@@ -86,13 +86,16 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
   // that the effective set is at least as restrictive as the
   // bounding set.
   if (containerConfig.has_container_info() &&
-      containerConfig.container_info().has_linux_info() &&
-      containerConfig.container_info().linux_info().has_capability_info()) {
-    effective =
-      containerConfig.container_info().linux_info().capability_info();
+      containerConfig.container_info().has_linux_info()) {
+    const auto& linuxInfo = containerConfig.container_info().linux_info();
 
-    // TODO(jpeach): MESOS-7671: Let the framework specify a bounding
-    // capability set too.
+    if (linuxInfo.has_capability_info()) {
+      effective = linuxInfo.capability_info();
+    }
+
+    if (linuxInfo.has_bounding_capabilities()) {
+      bounding = linuxInfo.bounding_capabilities();
+    }
   }
 
   // If the framework didn't specify, use the operator effective set.
@@ -100,8 +103,19 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
     effective = flags.effective_capabilities;
   }
 
-  // TODO(jpeach): MESOS-7671: If the framework specified a bounding set,
-  // test it against flags.bounding_capabilities.
+  // If the framework specified a bounding set, test it against
+  // flags.bounding_capabilities since that defines the limits of
+  // what the operator is willing to allow.
+  if (bounding.isSome() && flags.bounding_capabilities.isSome()) {
+    const set<Capability> requested = convert(bounding.get());
+    const set<Capability> allowed = convert(flags.bounding_capabilities.get());
+
+    if ((requested & allowed).size() != requested.size()) {
+      return Failure(
+          "Bounding capabilities '" + stringify(requested) + "', "
+          "but only '" + stringify(allowed) + "' are allowed");
+    }
+  }
 
   // If the framework didn't specify, use the operator bounding set and fall
   // back to the effective set if necessary.
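Review bot: The failure message built in the added block reads `Bounding capabilities '…', but only '…' are allowed`. It has no verb and does not say which side imposed the limit, so someone reading agent logs for a rejected launch cannot tell that the agent's `--bounding_capabilities` flag was the cause. Consider `"Requested bounding capabilities '" + stringify(requested) + "', but only '" + stringify(allowed) + "' are allowed by the agent"`. When `flags.bounding_capabilities` is unset, the framework's bounding set is accepted without any check; that matches the documented behaviour for an absent flag but is worth a one-line comment at the `if`, since it is the permissive branch. `prepare` starts and ends outside this hunk.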
@@ -113,8 +127,7 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
     bounding = effective;
   }
 
-  // If the operator specified a bounding set, require effective task
-  // capabilities to be within that set.
+  // Require the effective task capabilities to be within the bounding set.
   if (effective.isSome()) {
     CHECK_SOME(bounding);
 


[2/7] mesos git commit: Add bounding set support to linux/capabilities tests.

Posted by ji...@apache.org.
Add bounding set support to linux/capabilities tests.

Add a framework bounding set parameter to the `linux/capabilities`
isolator tests so that we can add parameterized test cases where
the framework specified a bounding capabilities set.

Review: https://reviews.apache.org/r/60410/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/d197be30
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/d197be30
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/d197be30

Branch: refs/heads/master
Commit: d197be3042232553c954ba3670b7eb50adeafd3a
Parents: 906fd43
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:27 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:27 2017 -0700

----------------------------------------------------------------------
 .../linux_capabilities_isolator_tests.cpp       | 64 ++++++++++++++++----
 1 file changed, 51 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/d197be30/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
index 5982c33..4a21c9a 100644
--- a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
+++ b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
@@ -104,23 +104,28 @@ struct TestParam
 
   TestParam(
       const Option<set<Capability>>& _framework_effective,
+      const Option<set<Capability>>& _framework_bounding,
       const Option<set<Capability>>& _operator_effective,
       const Option<set<Capability>>& _operator_bounding,
       UseImage _useImage,
       Result _result)
-    : framework_effective(_framework_effective.isSome()
-        ? convert(_framework_effective.get())
-        : Option<CapabilityInfo>::none()),
-      operator_effective(_operator_effective.isSome()
-        ? convert(_operator_effective.get())
-        : Option<CapabilityInfo>::none()),
-      operator_bounding(_operator_bounding.isSome()
-        ? convert(_operator_bounding.get())
-        : Option<CapabilityInfo>::none()),
+    : framework_effective(convert(_framework_effective)),
+      framework_bounding(convert(_framework_bounding)),
+      operator_effective(convert(_operator_effective)),
+      operator_bounding(convert(_operator_bounding)),
       useImage(_useImage),
       result(_result) {}
 
+  static const Option<CapabilityInfo> convert(
+      const Option<set<Capability>>& caps)
+  {
+    return caps.isSome()
+      ? capabilities::convert(caps.get())
+      : Option<CapabilityInfo>::none();
+  }
+
   const Option<CapabilityInfo> framework_effective;
+  const Option<CapabilityInfo> framework_bounding;
   const Option<CapabilityInfo> operator_effective;
   const Option<CapabilityInfo> operator_bounding;
 
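Review bot: `static const Option<CapabilityInfo> convert(...)` returns a const-qualified value, which serves no purpose on a by-value return and inhibits move construction from the result; `static Option<CapabilityInfo> convert(` is enough. The helper also shares its name with `capabilities::convert`, which is why the body needs the explicit qualification. A distinct name would make the calls in the initializer list easier to read. The `TestParam` struct starts and ends outside this hunk.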
@@ -138,6 +143,13 @@ ostream& operator<<(ostream& stream, const TestParam& param)
     stream << "framework_effective='none', ";
   }
 
+  if (param.framework_bounding.isSome()) {
+    stream << "framework_bounding='"
+           << JSON::protobuf(param.framework_bounding.get()) << "', ";
+  } else {
+    stream << "framework_bounding='none', ";
+  }
+
   if (param.operator_effective.isSome()) {
     stream << "operator_effective='"
            << JSON::protobuf(param.operator_effective.get()) << "', ";
@@ -259,13 +271,22 @@ TEST_P(LinuxCapabilitiesIsolatorTest, ROOT_Ping)
       offers.get()[0].resources(),
       command);
 
-  if (param.framework_effective.isSome()) {
+  if (param.framework_effective.isSome() ||
+      param.framework_bounding.isSome()) {
     ContainerInfo* container = task.mutable_container();
     container->set_type(ContainerInfo::MESOS);
 
     LinuxInfo* linux = container->mutable_linux_info();
-    CapabilityInfo* capabilities = linux->mutable_capability_info();
-    capabilities->CopyFrom(param.framework_effective.get());
+
+    if (param.framework_effective.isSome()) {
+      CapabilityInfo* capabilities = linux->mutable_capability_info();
+      capabilities->CopyFrom(param.framework_effective.get());
+    }
+
+    if (param.framework_bounding.isSome()) {
+      CapabilityInfo* capabilities = linux->mutable_bounding_capabilities();
+      capabilities->CopyFrom(param.framework_bounding.get());
+    }
   }
 
   if (param.useImage == TestParam::WITH_IMAGE) {
@@ -321,22 +342,26 @@ INSTANTIATE_TEST_CASE_P(
             set<Capability>(),
             None(),
             None(),
+            None(),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
         TestParam(
             set<Capability>(),
             None(),
             None(),
+            None(),
             TestParam::WITH_IMAGE,
             TestParam::FAILURE),
         TestParam(
             set<Capability>({DAC_READ_SEARCH}),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
         TestParam(
             set<Capability>({DAC_READ_SEARCH}),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
@@ -346,12 +371,14 @@ INSTANTIATE_TEST_CASE_P(
         // ping will fail.
         TestParam(
             None(),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
         TestParam(
             None(),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
@@ -359,12 +386,14 @@ INSTANTIATE_TEST_CASE_P(
         TestParam(
             None(),
             None(),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
             TestParam::FAILURE),
         TestParam(
             None(),
             None(),
+            None(),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
@@ -372,12 +401,14 @@ INSTANTIATE_TEST_CASE_P(
         // Framework effective capabilities are not allowed, task will fail.
         TestParam(
             set<Capability>({NET_RAW, NET_ADMIN}),
+            None(),
             set<Capability>({CHOWN}),
             set<Capability>({CHOWN}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
         TestParam(
             set<Capability>({NET_RAW, NET_ADMIN}),
+            None(),
             set<Capability>({CHOWN}),
             set<Capability>({CHOWN}),
             TestParam::WITH_IMAGE,
@@ -389,22 +420,26 @@ INSTANTIATE_TEST_CASE_P(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             None(),
+            None(),
             TestParam::WITHOUT_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             None(),
+            None(),
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             None(),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             None(),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
@@ -412,23 +447,27 @@ INSTANTIATE_TEST_CASE_P(
         TestParam(
             None(),
             None(),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             None(),
             None(),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::SUCCESS),
         TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             TestParam::WITH_IMAGE,
@@ -453,7 +492,6 @@ TEST_F(LinuxCapabilitiesIsolatorFlagsTest, ROOT_IsolatorFlags)
 
   Try<Owned<cluster::Slave>> slave = Owned<cluster::Slave>();
 
-
   // Allowed is not a subset of bounding, so this should fail.
   flags.effective_capabilities = convert(set<Capability>({NET_RAW, NET_ADMIN}));
   flags.bounding_capabilities = convert(set<Capability>({NET_RAW}));


[5/7] mesos git commit: Rename and deprecate the LinuxInfo capability_info field.

Posted by ji...@apache.org.
Rename and deprecate the LinuxInfo capability_info field.

For clarity, deprecate the LinuxInfo `capability_info` field in
favor of a new `effective_capabilities` field.

Review: https://reviews.apache.org/r/60413/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/31c7ad72
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/31c7ad72
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/31c7ad72

Branch: refs/heads/master
Commit: 31c7ad725a2c787a861c98129b4cf803dc0ba7ac
Parents: dd2374b
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:33 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:33 2017 -0700

----------------------------------------------------------------------
 include/mesos/mesos.proto                                |  8 ++++++--
 include/mesos/v1/mesos.proto                             |  8 ++++++--
 src/cli/execute.cpp                                      |  2 +-
 .../containerizer/mesos/isolators/linux/capabilities.cpp | 11 +++++++++++
 .../containerizer/linux_capabilities_isolator_tests.cpp  |  2 +-
 5 files changed, 25 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/31c7ad72/include/mesos/mesos.proto
----------------------------------------------------------------------
diff --git a/include/mesos/mesos.proto b/include/mesos/mesos.proto
index 5fe28bc..4e4b279 100644
--- a/include/mesos/mesos.proto
+++ b/include/mesos/mesos.proto
@@ -2642,12 +2642,16 @@ message CapabilityInfo {
  * E.g, capabilities, limits etc.
  */
 message LinuxInfo {
-  // Represents the capability whitelist.
-  optional CapabilityInfo capability_info = 1;
+  // Since 1.4.0, deprecated in favor of `effective_capabilities`.
+  optional CapabilityInfo capability_info = 1 [deprecated = true];
 
   // The set of capabilities that are allowed but not initially
   // granted to tasks.
   optional CapabilityInfo bounding_capabilities = 2;
+
+  // Represents the set of capabilities that the task will
+  // be executed with.
+  optional CapabilityInfo effective_capabilities = 3;
 }
 
 
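Review bot: The new comment on `capability_info` says the field is deprecated but not that a `LinuxInfo` carrying both `capability_info` and `effective_capabilities` is refused. The capabilities isolator change in this same commit fails `prepare()` with "Only one of 'capability_info' or 'effective_capabilities' is allowed". Framework authors read the proto rather than the isolator, so I would extend the comment to say that exactly one of the two fields may be set and that the launch fails otherwise. The comment on `effective_capabilities` could also state its relation to `bounding_capabilities`; the agent-flag test earlier in this series treats a set that is not a subset of the bounding set as an error, and presumably the same rule holds here. The same applies to the matching hunk in `include/mesos/v1/mesos.proto`.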

http://git-wip-us.apache.org/repos/asf/mesos/blob/31c7ad72/include/mesos/v1/mesos.proto
----------------------------------------------------------------------
diff --git a/include/mesos/v1/mesos.proto b/include/mesos/v1/mesos.proto
index 091cecd..b8625d3 100644
--- a/include/mesos/v1/mesos.proto
+++ b/include/mesos/v1/mesos.proto
@@ -2625,12 +2625,16 @@ message CapabilityInfo {
  * E.g, capabilities, limits etc.
  */
 message LinuxInfo {
-  // Represents the capability whitelist.
-  optional CapabilityInfo capability_info = 1;
+  // Since 1.4.0, deprecated in favor of `effective_capabilities`.
+  optional CapabilityInfo capability_info = 1 [deprecated = true];
 
   // The set of capabilities that are allowed but not initially
   // granted to tasks.
   optional CapabilityInfo bounding_capabilities = 2;
+
+  // Represents the set of capabilities that the task will
+  // be executed with.
+  optional CapabilityInfo effective_capabilities = 3;
 }
 
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/31c7ad72/src/cli/execute.cpp
----------------------------------------------------------------------
diff --git a/src/cli/execute.cpp b/src/cli/execute.cpp
index 6e15344..9aafd80 100644
--- a/src/cli/execute.cpp
+++ b/src/cli/execute.cpp
@@ -835,7 +835,7 @@ static Result<ContainerInfo> getContainerInfo(
     if (capabilities.isSome()) {
       containerInfo
         .mutable_linux_info()
-        ->mutable_capability_info()
+        ->mutable_effective_capabilities()
         ->CopyFrom(capabilities.get());
     }
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/31c7ad72/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
index 5c79619..f85a84d 100644
--- a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
+++ b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
@@ -89,10 +89,21 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
       containerConfig.container_info().has_linux_info()) {
     const auto& linuxInfo = containerConfig.container_info().linux_info();
 
+    if (linuxInfo.has_capability_info() &&
+        linuxInfo.has_effective_capabilities()) {
+      return Failure(
+          "Only one of 'capability_info' or 'effective_capabilities' "
+          "is allowed");
+    }
+
     if (linuxInfo.has_capability_info()) {
       effective = linuxInfo.capability_info();
     }
 
+    if (linuxInfo.has_effective_capabilities()) {
+      effective = linuxInfo.effective_capabilities();
+    }
+
     if (linuxInfo.has_bounding_capabilities()) {
       bounding = linuxInfo.bounding_capabilities();
     }
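Review bot: Rejecting a `LinuxInfo` that sets both `capability_info` and `effective_capabilities` leaves a framework no way to send one message that works on agents from both sides of the rename. An agent built before this commit presumably ignores the new field, so a framework that switches to `effective_capabilities` alone would have its restriction dropped there and the task would run with whatever that agent grants by default. Consider failing only when both fields are set and differ, and at least state the rule at the check, for example `// Exactly one of the deprecated and the new field may be set; older agents only read 'capability_info'.`. Once the check has passed, the two assignments to `effective` are mutually exclusive, so the second could be an `else if`. `prepare()` starts and ends outside this hunk.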

http://git-wip-us.apache.org/repos/asf/mesos/blob/31c7ad72/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
index a0b8b4b..8050876 100644
--- a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
+++ b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
@@ -279,7 +279,7 @@ TEST_P(LinuxCapabilitiesIsolatorTest, ROOT_Ping)
     LinuxInfo* linux = container->mutable_linux_info();
 
     if (param.framework_effective.isSome()) {
-      CapabilityInfo* capabilities = linux->mutable_capability_info();
+      CapabilityInfo* capabilities = linux->mutable_effective_capabilities();
       capabilities->CopyFrom(param.framework_effective.get());
     }