Posted to commits@mesos.apache.org by ji...@apache.org on 2016/08/02 23:55:39 UTC
[1/8] mesos git commit: Supported non-shell command in MesosLaunch to
avoid arbitrary commands.
Repository: mesos
Updated Branches:
refs/heads/1.0.x 547d42f73 -> 0324916fc
Supported non-shell command in MesosLaunch to avoid arbitrary commands.
Currently all pre_exec_commands are executed as shell commands in Mesos
Launch. It is not safe because an arbitrary shell command may be included
in some user-facing API field (e.g., container_path). We should execute those
commands as a subprocess to prevent arbitrary shell command injection.
Review: https://reviews.apache.org/r/50214/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/4d9a1d63
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/4d9a1d63
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/4d9a1d63
Branch: refs/heads/1.0.x
Commit: 4d9a1d63a7348adf0d59ceeaa96999c59014df47
Parents: 547d42f
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 09:50:13 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:34:32 2016 -0700
----------------------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp | 48 ++++++++++++++++++++-------
1 file changed, 36 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/4d9a1d63/src/slave/containerizer/mesos/launch.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/launch.cpp b/src/slave/containerizer/mesos/launch.cpp
index 51f0c11..f854a9a 100644
--- a/src/slave/containerizer/mesos/launch.cpp
+++ b/src/slave/containerizer/mesos/launch.cpp
@@ -22,6 +22,8 @@
#include <iostream>
+#include <process/subprocess.hpp>
+
#include <stout/foreach.hpp>
#include <stout/os.hpp>
#include <stout/protobuf.hpp>
@@ -42,6 +44,8 @@ using std::endl;
using std::string;
using std::vector;
+using process::Subprocess;
+
namespace mesos {
namespace internal {
namespace slave {
@@ -208,23 +212,43 @@ int MesosContainerizerLaunch::execute()
return 1;
}
- // TODO(jieyu): Currently, we only accept shell commands for the
- // preparation commands.
- if (!parse.get().shell()) {
- cerr << "Preparation commands need to be shell commands" << endl;
- return 1;
- }
-
if (!parse.get().has_value()) {
cerr << "The 'value' of a preparation command is not specified" << endl;
return 1;
}
- // Block until the command completes.
- int status = os::system(parse.get().value());
- if (!WIFEXITED(status) || (WEXITSTATUS(status) != 0)) {
- cerr << "Failed to execute a preparation shell command" << endl;
- return 1;
+ Try<Subprocess> s = Error("Not launched");
+
+ if (parse->shell()) {
+ s = subprocess(parse->value(), Subprocess::PATH("/dev/null"));
+ } else {
+ // Launch non-shell command as a subprocess to avoid injecting
+ // arbitrary shell commands.
+ vector<string> args;
+ foreach (const string& arg, parse->arguments()) {
+ args.push_back(arg);
+ }
+
+ s = subprocess(parse->value(), args, Subprocess::PATH("/dev/null"));
+ }
+
+ if (s.isError()) {
+ cerr << "Failed to create the pre-exec subprocess: "
+ << s.error() << endl;
+ return EXIT_FAILURE;
+ }
+
+ s->status().await();
+
+ Option<int> status = s->status().get();
+ if (status.isNone()) {
+ cerr << "Failed to reap the pre-exec subprocess "
+ << "'" << value << "'" << endl;
+ return EXIT_FAILURE;
+ } else if (status.get() != 0) {
+ cerr << "The pre-exec subprocess '" << value << "' "
+ << "failed" << endl;
+ return EXIT_FAILURE;
}
}
}
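Review bot: The non-shell branch builds argv straight from `parse->arguments()` in the `vector<string> args` loop with no check that it is non-empty, so a CommandInfo with `shell=false` and no arguments would exec `value` with an empty argv (no argv[0]); the isolator commits in this series avoid that only by convention (`add_arguments("mount")` first). A guard before the `subprocess` call, `if (parse->arguments().empty()) { cerr << "Non-shell preparation command has no arguments (argv[0])" << endl; return EXIT_FAILURE; }`, would make that contract explicit and keep `mesos-containerizer` from launching a malformed child. Separately, `status.get() != 0` compares what appears to be the raw waitpid status, so the "failed" message does not say whether the child exited non-zero or was killed by a signal; logging `WIFEXITED(status.get()) ? WEXITSTATUS(status.get()) : WTERMSIG(status.get())` would make failed pre-exec commands debuggable from the sandbox. The enclosing `execute()` and its `foreach` over `--commands` begin before this hunk and continue past it.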
[8/8] mesos git commit: Fixed the white space indentation in
CHANGELOG.
Posted by ji...@apache.org.
Fixed the white space indentation in CHANGELOG.
Review: https://reviews.apache.org/r/50726/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0324916f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0324916f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0324916f
Branch: refs/heads/1.0.x
Commit: 0324916fc7ca3b2b2c48753852174095b5b52a51
Parents: 6008ce1
Author: Gilbert Song <so...@gmail.com>
Authored: Tue Aug 2 16:31:10 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:37:18 2016 -0700
----------------------------------------------------------------------
CHANGELOG | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/0324916f/CHANGELOG
----------------------------------------------------------------------
diff --git a/CHANGELOG b/CHANGELOG
index b156f32..96f5adf 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -584,7 +584,7 @@ All Issues:
* [MESOS-5356] - Add Windows support for StopWatch
* [MESOS-5360] - Set death signal for dvdcli subprocess in docker volume isolator.
* [MESOS-5370] - Add deprecation support for Flags
- * [MESOS-5372] - Add random() to os:: namespace
+ * [MESOS-5372] - Add random() to os:: namespace
* [MESOS-5373] - Remove `Zookeeper's` NTDDI_VERSION define
* [MESOS-5374] - Add support for Console Ctrl handling in `slave.cpp`
* [MESOS-5375] - Implement stout/os/windows/kill.hpp
@@ -655,7 +655,7 @@ All Issues:
* [MESOS-3439] - Port ip_tests
* [MESOS-3443] - Windows: Port protobuf_tests.hpp
* [MESOS-3541] - Add CMakeLists that builds the Mesos master
- * [MESOS-3558] - Implement HTTPCommandExecutor that uses the Executor Library
+ * [MESOS-3558] - Implement HTTPCommandExecutor that uses the Executor Library
* [MESOS-3559] - Make the Command Scheduler use the HTTP Scheduler Library
* [MESOS-3609] - Port slave/gc.cpp
* [MESOS-3610] - Port slave/flags.cpp to Windows
@@ -709,8 +709,8 @@ All Issues:
* [MESOS-3779] - Slave/Agent Rename Phase I - Update terms in Web UI.
* [MESOS-3781] - Replace Master/Slave Terminology Phase I - Rename flag names and deprecate old ones
* [MESOS-3782] - Slave/Agent Rename Phase I - Add duplicate binaries (or create symlinks)
- * [MESOS-3783] - Replace Master/Slave Terminology Phase I - Update documentation
- * [MESOS-3784] - Replace Master/Slave Terminology Phase I - Update mesos-cli
+ * [MESOS-3783] - Replace Master/Slave Terminology Phase I - Update documentation
+ * [MESOS-3784] - Replace Master/Slave Terminology Phase I - Update mesos-cli
* [MESOS-3854] - Finalize design for generalized Authorizer interface
* [MESOS-3945] - Add operator documentation for /weight endpoint
* [MESOS-4033] - Add a commit hook for non-ascii characters.
@@ -727,7 +727,7 @@ All Issues:
* [MESOS-4758] - Add a 'name' field into NetworkInfo.
* [MESOS-4759] - Add network/cni isolator for Mesos containerizer.
* [MESOS-4761] - Add agent flags to allow operators to specify CNI plugin and config directories.
- * [MESOS-4764] - The network/cni isolator should report assigned IP address.
+ * [MESOS-4764] - The network/cni isolator should report assigned IP address.
* [MESOS-4771] - Document the network/cni isolator.
* [MESOS-4788] - Mesos UI should show the role and principal of a framework
* [MESOS-4797] - Add a couple of registrar tests for /weights endpoint
[7/8] mesos git commit: Added MESOS-5388 to 1.0.1 CHANGELOG.
Posted by ji...@apache.org.
Added MESOS-5388 to 1.0.1 CHANGELOG.
Review: https://reviews.apache.org/r/50724/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/6008ce1f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/6008ce1f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/6008ce1f
Branch: refs/heads/1.0.x
Commit: 6008ce1f5a5ac37475f71d7e89f03d52c8e9be6c
Parents: 263f4e3
Author: Gilbert Song <so...@gmail.com>
Authored: Tue Aug 2 16:31:07 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:36:38 2016 -0700
----------------------------------------------------------------------
CHANGELOG | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/6008ce1f/CHANGELOG
----------------------------------------------------------------------
diff --git a/CHANGELOG b/CHANGELOG
index 33eaa51..b156f32 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,7 +4,8 @@ Release Notes - Mesos - Version 1.0.1
All Issues:
** Bug
- * [MESOS-5911] - webUI redirection to leader in browser does not work.
+ * [MESOS-5388] - MesosContainerizerLaunch flags execute arbitrary commands via shell.
+ * [MESOS-5911] - Webui redirection to leader in browser does not work.
* [MESOS-5913] - Stale socket FD usage when using libevent + SSL.
* [MESOS-5923] - Ubuntu 14.04 LTS GPU Isolator "/run" directory is noexec.
* [MESOS-5943] - Incremental http parsing of URLs leads to decoder error.
[2/8] mesos git commit: Updated mesos containerizer launch execute()
to return 'EXIT_FAILURE'.
Posted by ji...@apache.org.
Updated mesos containerizer launch execute() to return 'EXIT_FAILURE'.
Review: https://reviews.apache.org/r/50534/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/f3b63702
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/f3b63702
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/f3b63702
Branch: refs/heads/1.0.x
Commit: f3b63702aca80b6049613f6cfc7df356dbc76fba
Parents: 4d9a1d6
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 13:03:16 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:34:45 2016 -0700
----------------------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp | 46 +++++++++++++--------------
1 file changed, 23 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/f3b63702/src/slave/containerizer/mesos/launch.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/launch.cpp b/src/slave/containerizer/mesos/launch.cpp
index f854a9a..e1cf9d5 100644
--- a/src/slave/containerizer/mesos/launch.cpp
+++ b/src/slave/containerizer/mesos/launch.cpp
@@ -110,7 +110,7 @@ int MesosContainerizerLaunch::execute()
// Check command line flags.
if (flags.command.isNone()) {
cerr << "Flag --command is not specified" << endl;
- return 1;
+ return EXIT_FAILURE;
}
bool controlPipeSpecified =
@@ -120,7 +120,7 @@ int MesosContainerizerLaunch::execute()
(flags.pipe_read.isNone() && flags.pipe_write.isSome())) {
cerr << "Flag --pipe_read and --pipe_write should either be "
<< "both set or both not set" << endl;
- return 1;
+ return EXIT_FAILURE;
}
// Parse the command.
@@ -129,19 +129,19 @@ int MesosContainerizerLaunch::execute()
if (command.isError()) {
cerr << "Failed to parse the command: " << command.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
// Validate the command.
if (command.get().shell()) {
if (!command.get().has_value()) {
cerr << "Shell command is not specified" << endl;
- return 1;
+ return EXIT_FAILURE;
}
} else {
if (!command.get().has_value()) {
cerr << "Executable path is not specified" << endl;
- return 1;
+ return EXIT_FAILURE;
}
}
@@ -160,7 +160,7 @@ int MesosContainerizerLaunch::execute()
Try<Nothing> close = os::close(pipe[1]);
if (close.isError()) {
cerr << "Failed to close pipe[1]: " << close.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
// Do a blocking read on the pipe until the parent signals us to continue.
@@ -174,13 +174,13 @@ int MesosContainerizerLaunch::execute()
// agent restarts across a large/busy cluster.
cerr << "Failed to synchronize with agent "
<< "(it's probably exited)" << endl;
- return 1;
+ return EXIT_FAILURE;
}
close = os::close(pipe[0]);
if (close.isError()) {
cerr << "Failed to close pipe[0]: " << close.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
}
@@ -189,7 +189,7 @@ int MesosContainerizerLaunch::execute()
if (unshare(CLONE_NEWNS) != 0) {
cerr << "Failed to unshare mount namespace: "
<< os::strerror(errno) << endl;
- return 1;
+ return EXIT_FAILURE;
}
}
#endif // __linux__
@@ -202,19 +202,19 @@ int MesosContainerizerLaunch::execute()
foreach (const JSON::Value& value, array.values) {
if (!value.is<JSON::Object>()) {
cerr << "Invalid JSON format for flag --commands" << endl;
- return 1;
+ return EXIT_FAILURE;
}
Try<CommandInfo> parse = ::protobuf::parse<CommandInfo>(value);
if (parse.isError()) {
cerr << "Failed to parse a preparation command: "
<< parse.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
if (!parse.get().has_value()) {
cerr << "The 'value' of a preparation command is not specified" << endl;
- return 1;
+ return EXIT_FAILURE;
}
Try<Subprocess> s = Error("Not launched");
@@ -273,7 +273,7 @@ int MesosContainerizerLaunch::execute()
if (!_uid.isSome()) {
cerr << "Failed to get the uid of user '" << flags.user.get() << "': "
<< (_uid.isError() ? _uid.error() : "not found") << endl;
- return 1;
+ return EXIT_FAILURE;
}
// No need to change user/groups if the specified user is the same
@@ -283,7 +283,7 @@ int MesosContainerizerLaunch::execute()
if (!_gid.isSome()) {
cerr << "Failed to get the gid of user '" << flags.user.get() << "': "
<< (_gid.isError() ? _gid.error() : "not found") << endl;
- return 1;
+ return EXIT_FAILURE;
}
Try<vector<gid_t>> _gids = os::getgrouplist(flags.user.get());
@@ -291,7 +291,7 @@ int MesosContainerizerLaunch::execute()
cerr << "Failed to get the supplementary gids of user '"
<< flags.user.get() << "': "
<< (_gids.isError() ? _gids.error() : "not found") << endl;
- return 1;
+ return EXIT_FAILURE;
}
uid = _uid.get();
@@ -317,13 +317,13 @@ int MesosContainerizerLaunch::execute()
if (realpath.isError()) {
cerr << "Failed to determine if rootfs is an absolute path: "
<< realpath.error() << endl;
- return 1;
+ return EXIT_FAILURE;
} else if (realpath.isNone()) {
cerr << "Rootfs path does not exist" << endl;
- return 1;
+ return EXIT_FAILURE;
} else if (realpath.get() != rootfs.get()) {
cerr << "Rootfs path is not an absolute path" << endl;
- return 1;
+ return EXIT_FAILURE;
}
#ifdef __linux__
@@ -336,7 +336,7 @@ int MesosContainerizerLaunch::execute()
if (chroot.isError()) {
cerr << "Failed to enter chroot '" << rootfs.get()
<< "': " << chroot.error();
- return 1;
+ return EXIT_FAILURE;
}
}
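Review bot: The chroot error message at `<< "': " << chroot.error();` is the only one in this function not terminated with `<< endl`, so the text is neither newline-terminated nor flushed before `return EXIT_FAILURE;`, unlike every sibling message in the other hunks; change it to `<< "': " << chroot.error() << endl;`. This is pre-existing context rather than new code, but since the commit touches every error path in `execute()` it is the natural place to make the messages consistent. `execute()` continues outside this hunk.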
@@ -349,21 +349,21 @@ int MesosContainerizerLaunch::execute()
if (setgid.isError()) {
cerr << "Failed to set gid to " << gid.get()
<< ": " << setgid.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
Try<Nothing> setgroups = os::setgroups(gids, uid);
if (setgroups.isError()) {
cerr << "Failed to set supplementary gids: "
<< setgroups.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
Try<Nothing> setuid = os::setuid(uid.get());
if (setuid.isError()) {
cerr << "Failed to set uid to " << uid.get()
<< ": " << setuid.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
}
#endif // __WINDOWS__
@@ -374,7 +374,7 @@ int MesosContainerizerLaunch::execute()
cerr << "Failed to chdir into current working directory "
<< "'" << flags.working_directory.get() << "': "
<< chdir.error() << endl;
- return 1;
+ return EXIT_FAILURE;
}
}
[5/8] mesos git commit: Removed unused user variable in filesystem
linux isolator prepare.
Posted by ji...@apache.org.
Removed unused user variable in filesystem linux isolator prepare.
Review: https://reviews.apache.org/r/50580/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/44d32ea2
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/44d32ea2
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/44d32ea2
Branch: refs/heads/1.0.x
Commit: 44d32ea2c6630fb4d15e0b64f36ea496b52e0835
Parents: ca3c6b9
Author: Gilbert Song <so...@gmail.com>
Authored: Tue Aug 2 15:21:38 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:35:39 2016 -0700
----------------------------------------------------------------------
src/slave/containerizer/mesos/isolators/filesystem/linux.cpp | 5 -----
1 file changed, 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/44d32ea2/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index ed7366a..31aa3e7 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -265,11 +265,6 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
{
const string& directory = containerConfig.directory();
- Option<string> user;
- if (containerConfig.has_user()) {
- user = containerConfig.user();
- }
-
if (infos.contains(containerId)) {
return Failure("Container has already been prepared");
}
[3/8] mesos git commit: Updated docker volume isolator to return
non-shell 'pre_exec_commands'.
Posted by ji...@apache.org.
Updated docker volume isolator to return non-shell 'pre_exec_commands'.
Review: https://reviews.apache.org/r/50535/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/1ea9665f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/1ea9665f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/1ea9665f
Branch: refs/heads/1.0.x
Commit: 1ea9665f596f1f4d0532d1ce67cca9f73e5e2c1d
Parents: f3b6370
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 13:05:53 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:35:12 2016 -0700
----------------------------------------------------------------------
.../mesos/isolators/docker/volume/isolator.cpp | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/1ea9665f/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
index 70ea5ca..d10c424 100644
--- a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
+++ b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
@@ -491,9 +491,18 @@ Future<Option<ContainerLaunchInfo>> DockerVolumeIsolatorProcess::_prepare(
LOG(INFO) << "Mounting docker volume mount point '" << source
<< "' to '" << target << "' for container " << containerId;
- const string command = "mount -n --rbind '" + source + "' '" + target + "'";
-
- launchInfo.add_pre_exec_commands()->set_value(command);
+ // Launch mount command as a non-shell subprocess to avoid
+ // injecting arbitrary shell commands (e.g., user defined
+ // 'container_path' in volume can be postfixed with any
+ // unsafe arbitrary commands).
+ CommandInfo* command = launchInfo.add_pre_exec_commands();
+ command->set_shell(false);
+ command->set_value("mount");
+ command->add_arguments("mount");
+ command->add_arguments("-n");
+ command->add_arguments("--rbind");
+ command->add_arguments(source);
+ command->add_arguments(target);
}
return launchInfo;
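Review bot: Passing `source` and `target` as separate argv entries closes the shell-injection hole, but `mount` still parses its argv with getopt, so a path beginning with `-` would be read as an option (argument injection rather than shell injection); per the comment `target` derives from the user-supplied `container_path`, and whether it is guaranteed absolute is decided above this hunk, which I cannot see. If that is not guaranteed, terminate option parsing before the paths with `command->add_arguments("--");` inserted after `command->add_arguments("--rbind");` (util-linux mount honours `--`), or reject non-absolute paths where `target` is computed. `_prepare()` and the loop this code sits in start before this hunk.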
[6/8] mesos git commit: Added logs for pre-exec commands to sandbox
in MesosContainerizerLaunch.
Posted by ji...@apache.org.
Added logs for pre-exec commands to sandbox in MesosContainerizerLaunch.
Review: https://reviews.apache.org/r/50581/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/263f4e30
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/263f4e30
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/263f4e30
Branch: refs/heads/1.0.x
Commit: 263f4e30228b089b12988dfe592538c6037733e8
Parents: 44d32ea
Author: Gilbert Song <so...@gmail.com>
Authored: Tue Aug 2 15:46:31 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:35:49 2016 -0700
----------------------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp | 2 ++
1 file changed, 2 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/263f4e30/src/slave/containerizer/mesos/launch.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/launch.cpp b/src/slave/containerizer/mesos/launch.cpp
index e1cf9d5..2db8db5 100644
--- a/src/slave/containerizer/mesos/launch.cpp
+++ b/src/slave/containerizer/mesos/launch.cpp
@@ -217,6 +217,8 @@ int MesosContainerizerLaunch::execute()
return EXIT_FAILURE;
}
+ cout << "Executing pre-exec command '" << value << "'" << endl;
+
Try<Subprocess> s = Error("Not launched");
if (parse->shell()) {
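Review bot: The new `cout << "Executing pre-exec command '" << value << "'"` writes the whole CommandInfo JSON into the sandbox stdout, which is readable by whoever can read the task sandbox, so any `environment`, `uris` or credential-bearing arguments an isolator attaches to a pre-exec command would be disclosed there. The isolators in this series only attach mount paths, so this is hardening rather than a current leak, but logging `parse->value()` and its arguments instead of `value` keeps the log useful without committing to dumping the full message. The enclosing `execute()` loop begins before this hunk.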
[4/8] mesos git commit: Updated filesystem linux isolator pre exec
commands to be non-shell.
Posted by ji...@apache.org.
Updated filesystem linux isolator pre exec commands to be non-shell.
Review: https://reviews.apache.org/r/50216/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ca3c6b9d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ca3c6b9d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ca3c6b9d
Branch: refs/heads/1.0.x
Commit: ca3c6b9df9ec7c7d931dcb6422142133952fd42b
Parents: 1ea9665
Author: Gilbert Song <so...@gmail.com>
Authored: Mon Aug 1 17:07:00 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Aug 2 16:35:26 2016 -0700
----------------------------------------------------------------------
.../mesos/isolators/filesystem/linux.cpp | 66 +++++++++++++++-----
.../mesos/isolators/filesystem/linux.hpp | 2 +-
2 files changed, 50 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/ca3c6b9d/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index db3ed8f..ed7366a 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -49,6 +49,7 @@ using namespace process;
using std::list;
using std::ostringstream;
using std::string;
+using std::vector;
using mesos::slave::ContainerConfig;
using mesos::slave::ContainerState;
@@ -286,13 +287,16 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
// namespace right after forking the executor process. We use these
// commands to mount those volumes specified in the container info
// so that they don't pollute the host mount namespace.
- Try<string> _script = script(containerId, containerConfig);
- if (_script.isError()) {
- return Failure("Failed to generate isolation script: " + _script.error());
+ Try<vector<CommandInfo>> commands =
+ getPreExecCommands(containerId, containerConfig);
+
+ if (commands.isError()) {
+ return Failure("Failed to get pre-exec commands: " + commands.error());
}
- CommandInfo* command = launchInfo.add_pre_exec_commands();
- command->set_value(_script.get());
+ foreach (const CommandInfo& command, commands.get()) {
+ launchInfo.add_pre_exec_commands()->CopyFrom(command);
+ }
return update(containerId, containerConfig.executor_info().resources())
.then([launchInfo]() -> Future<Option<ContainerLaunchInfo>> {
@@ -301,27 +305,38 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
}
-Try<string> LinuxFilesystemIsolatorProcess::script(
+Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands(
const ContainerID& containerId,
const ContainerConfig& containerConfig)
{
- ostringstream out;
- out << "#!/bin/sh\n";
- out << "set -x -e\n";
+ vector<CommandInfo> commands;
// Make sure mounts in the container mount namespace do not
// propagate back to the host mount namespace.
// NOTE: We cannot simply run `mount --make-rslave /`, for more info
// please refer to comments in mount.hpp.
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value(path::join(flags.launcher_dir, "mesos-containerizer"));
+ command.add_arguments("mesos-containerizer");
+ command.add_arguments(MesosContainerizerMount::NAME);
+
MesosContainerizerMount::Flags mountFlags;
mountFlags.operation = MesosContainerizerMount::MAKE_RSLAVE;
mountFlags.path = "/";
- out << path::join(flags.launcher_dir, "mesos-containerizer") << " "
- << MesosContainerizerMount::NAME << " "
- << stringify(mountFlags) << "\n";
+
+ foreachvalue (const flags::Flag& flag, mountFlags) {
+ const Option<string> value = flag.stringify(flags);
+ if (value.isSome()) {
+ command.add_arguments(
+ "--" + flag.effective_name().value + "=" + value.get());
+ }
+ }
+
+ commands.push_back(command);
if (!containerConfig.executor_info().has_container()) {
- return out.str();
+ return commands;
}
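Review bot: In the `foreachvalue` loop the flags are enumerated from `mountFlags` but stringified with `flag.stringify(flags)`, where `flags` is the isolator's own member (the same object `flags.launcher_dir` reads a few lines above). If stout's `Flag::stringify` behaves as it does in `FlagsBase::add` — it reads the value out of the `FlagsBase` it is handed and returns `None` when that object is not the flag's owning type — then neither `--operation=make_rslave` nor `--path=/` is ever appended and `mesos-containerizer mount` is launched without its required flags; the call should be `const Option<string> value = flag.stringify(mountFlags);`. A unit test asserting that the generated argv contains both `--operation=` and `--path=` would catch this. `getPreExecCommands()` continues past this hunk.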
// Bind mount the sandbox if the container specifies a rootfs.
@@ -337,8 +352,16 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
sandbox + "': " + mkdir.error());
}
- out << "mount -n --rbind '" << containerConfig.directory()
- << "' '" << sandbox << "'\n";
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value("mount");
+ command.add_arguments("mount");
+ command.add_arguments("-n");
+ command.add_arguments("--rbind");
+ command.add_arguments(containerConfig.directory());
+ command.add_arguments(sandbox);
+
+ commands.push_back(command);
}
foreach (const Volume& volume,
@@ -490,10 +513,19 @@ Try<string> LinuxFilesystemIsolatorProcess::script(
}
// TODO(jieyu): Consider the mode in the volume.
- out << "mount -n --rbind '" << source << "' '" << target << "'\n";
+ CommandInfo command;
+ command.set_shell(false);
+ command.set_value("mount");
+ command.add_arguments("mount");
+ command.add_arguments("-n");
+ command.add_arguments("--rbind");
+ command.add_arguments(source);
+ command.add_arguments(target);
+
+ commands.push_back(command);
}
- return out.str();
+ return commands;
}
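Review bot: The `// TODO(jieyu): Consider the mode in the volume.` above the new command still stands: every volume is `--rbind`-mounted read-write, so a `Volume` declared `RO` is writable inside the container, and the commit changes how the command is built but not what it mounts. Now that commands are an argv vector, a read-only volume can be honoured by appending a second non-shell command that remounts the bind read-only; note that `remount,bind,ro` applies to the top mount only, so sub-mounts pulled in by `--rbind` would need the same treatment if they matter. `getPreExecCommands()` starts before this hunk.

```cpp
      commands.push_back(command);

      // Honor a read-only volume: a bind mount inherits the source's
      // flags, so it has to be remounted read-only in a second step.
      if (volume.mode() == Volume::RO) {
        CommandInfo remount;
        remount.set_shell(false);
        remount.set_value("mount");
        remount.add_arguments("mount");
        remount.add_arguments("-n");
        remount.add_arguments("-o");
        remount.add_arguments("remount,bind,ro");
        remount.add_arguments(target);

        commands.push_back(remount);
      }
```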
http://git-wip-us.apache.org/repos/asf/mesos/blob/ca3c6b9d/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
index 0afe927..0a85935 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.hpp
@@ -64,7 +64,7 @@ public:
private:
LinuxFilesystemIsolatorProcess(const Flags& flags);
- Try<std::string> script(
+ Try<std::vector<CommandInfo>> getPreExecCommands(
const ContainerID& containerId,
const mesos::slave::ContainerConfig& containerConfig);