Posted to commits@mesos.apache.org by gi...@apache.org on 2017/08/15 03:53:55 UTC

[2/8] mesos git commit: Added pid ns sharing based on agent flag and protobuf message field.

Added pid ns sharing based on agent flag and protobuf message field.

Added pid ns sharing based on agent flag and protobuf message field.

Review: https://reviews.apache.org/r/61428/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/36f11dd3
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/36f11dd3
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/36f11dd3

Branch: refs/heads/master
Commit: 36f11dd39a389fbe4128bd6ffffe9afb179e4f6c
Parents: 03e093f
Author: Qian Zhang <zh...@gmail.com>
Authored: Sun Aug 13 19:51:57 2017 -0700
Committer: Gilbert Song <so...@gmail.com>
Committed: Mon Aug 14 15:40:31 2017 -0700

----------------------------------------------------------------------
 .../mesos/isolators/namespaces/pid.cpp          | 33 ++++++++++++++++----
 .../mesos/isolators/namespaces/pid.hpp          |  4 ++-
 2 files changed, 30 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/36f11dd3/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
index f1dfc9f..42bc2e1 100644
--- a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
+++ b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
@@ -22,6 +22,7 @@
 
 #include "slave/containerizer/mesos/isolators/namespaces/pid.hpp"
 
+using process::Failure;
 using process::Future;
 using process::Owned;
 
@@ -61,12 +62,13 @@ Try<Isolator*> NamespacesPidIsolatorProcess::create(const Flags& flags)
   }
 
   return new MesosIsolator(Owned<MesosIsolatorProcess>(
-      new NamespacesPidIsolatorProcess()));
+      new NamespacesPidIsolatorProcess(flags)));
 }
 
 
-NamespacesPidIsolatorProcess::NamespacesPidIsolatorProcess()
-  : ProcessBase(process::ID::generate("pid-namespace-isolator")) {}
+NamespacesPidIsolatorProcess::NamespacesPidIsolatorProcess(const Flags& _flags)
+  : ProcessBase(process::ID::generate("pid-namespace-isolator")),
+    flags(_flags) {}
 
 
 bool NamespacesPidIsolatorProcess::supportsNesting()
@@ -81,20 +83,39 @@ Future<Option<ContainerLaunchInfo>> NamespacesPidIsolatorProcess::prepare(
 {
   ContainerLaunchInfo launchInfo;
 
+  bool sharePidNamespace =
+    containerConfig.container_info().linux_info().share_pid_namespace();
+
   if (containerId.has_parent()) {
     // If we are a nested container, then we want to enter our
     // parent's pid namespace before cloning a new one.
     launchInfo.add_enter_namespaces(CLONE_NEWPID);
 
-    // However, if we are a nested container in the `DEBUG` class,
-    // then we don't want to clone a new PID namespace at all, so we
-    // short cirucuit here.
+    // For nested container in the `DEBUG` class, we don't want to clone a
+    // new pid namespace at all, so we short circuit here.
     if (containerConfig.has_container_class() &&
         containerConfig.container_class() == ContainerClass::DEBUG) {
       return launchInfo;
     }
+  } else {
+    // If sharing agent pid namespace with top-level container is disallowed,
+    // but the framework requests it by setting the `share_pid_namespace` field
+    // to true, the container launch will be rejected.
+    if (flags.disallow_sharing_agent_pid_namespace && sharePidNamespace) {
+      return Failure(
+          "Sharing agent pid namespace with "
+          "top-level container is not allowed");
+    }
+  }
+
+  // For the container which wants to share pid namespace
+  // with its parent, just return immediately.
+  if (sharePidNamespace) {
+    return launchInfo;
   }
 
+  // For the container which does not want to share pid namespace with
+  // its parent, make sure we will clone a new pid namespace for it.
   launchInfo.add_clone_namespaces(CLONE_NEWPID);
 
   // Mount /proc with standard options for the container's pid
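Review bot: The access decision on the `disallow_sharing_agent_pid_namespace` branch and the early return on `sharePidNamespace` both hinge on the value read at the top of the hunk via `containerConfig.container_info().linux_info().share_pid_namespace()`, with no `has_container_info()`/`has_linux_info()` guard. With protobuf this reads the default instance when either message is unset and so evaluates to false, which is the safe direction (a new pid namespace is still cloned), but the fallback is implicit and a reader auditing this isolator has to know protobuf semantics to see it. I would spell it out: `bool sharePidNamespace = containerConfig.has_container_info() && containerConfig.container_info().has_linux_info() && containerConfig.container_info().linux_info().share_pid_namespace();`, or at least add `// Unset container_info/linux_info reads as false, i.e. a private pid namespace.` above it. Note that the rejection is only evaluated for top-level containers; a nested container with `share_pid_namespace` set enters its parent's namespace, which presumably is only the agent's if that top-level container was itself permitted to share. `prepare` continues past the end of this hunk.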

http://git-wip-us.apache.org/repos/asf/mesos/blob/36f11dd3/src/slave/containerizer/mesos/isolators/namespaces/pid.hpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/namespaces/pid.hpp b/src/slave/containerizer/mesos/isolators/namespaces/pid.hpp
index 2b316db..6b4ba06 100644
--- a/src/slave/containerizer/mesos/isolators/namespaces/pid.hpp
+++ b/src/slave/containerizer/mesos/isolators/namespaces/pid.hpp
@@ -39,7 +39,9 @@ public:
       const mesos::slave::ContainerConfig& containerConfig);
 
 private:
-  NamespacesPidIsolatorProcess();
+  NamespacesPidIsolatorProcess(const Flags& flags);
+
+  const Flags flags;
 };
 
 } // namespace slave {
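Review bot: The new single-argument constructor `NamespacesPidIsolatorProcess(const Flags& flags);` is not marked `explicit`; it is private so the practical risk is small, but the codebase-wide convention for one-argument constructors still applies and it costs nothing: `explicit NamespacesPidIsolatorProcess(const Flags& flags);`. The new `const Flags flags;` member is a full copy of the agent flags rather than a reference, which matches the `flags(_flags)` initializer in the `.cpp` hunk and avoids any lifetime dependency on the caller's `Flags` object, but a one-line comment such as `// Snapshot of the agent flags taken at isolator creation.` would make that intentional copy clear to the next reader.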