Posted to reviews@mesos.apache.org by Gilbert Song <so...@gmail.com> on 2017/07/20 08:19:45 UTC

Re: Review Request 58939: Filesystem isolation check for Mesos image provisioner.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181016
-----------------------------------------------------------




src/slave/containerizer/mesos/containerizer.cpp
Lines 1112-1126 (patched)
<https://reviews.apache.org/r/58939/#comment256447>

    I don't like the checks here, since we have the following case:
    
    what if we have a task with volumes specified in its containerinfo but no image?
    
    Let's add `filesystem/isolator` check at docker::store::create().



src/slave/containerizer/mesos/containerizer.cpp
Lines 1113 (patched)
<https://reviews.apache.org/r/58939/#comment256439>

    s/is/are/g



src/slave/containerizer/mesos/containerizer.cpp
Lines 1114 (patched)
<https://reviews.apache.org/r/58939/#comment256440>

    s/to create a new mount namespace/to support container images/g



src/slave/containerizer/mesos/containerizer.cpp
Lines 1118-1119 (patched)
<https://reviews.apache.org/r/58939/#comment256441>

    I would prefer:
    
    The 'filesystem/linux' isolator must be enabled for container images support.



src/slave/containerizer/mesos/containerizer.cpp
Lines 1123-1124 (patched)
<https://reviews.apache.org/r/58939/#comment256442>

    Ditto.



src/slave/containerizer/mesos/isolators/docker/runtime.cpp
Lines 70-79 (patched)
<https://reviews.apache.org/r/58939/#comment256449>

    Basically we don't add isolator dependencies inside of any isolator, nor the launcher since the launcher is supposed to be a component for containerizer.



src/slave/containerizer/mesos/isolators/docker/runtime.cpp
Lines 71 (patched)
<https://reviews.apache.org/r/58939/#comment256443>

    "The 'filesystem/linux' isolator ..."



src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 231 (patched)
<https://reviews.apache.org/r/58939/#comment256450>

    No dependency on linux filesystem isolation.



src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 386 (patched)
<https://reviews.apache.org/r/58939/#comment256451>

    Ditto.



src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 487 (patched)
<https://reviews.apache.org/r/58939/#comment256452>

    Ditto.



src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 685 (patched)
<https://reviews.apache.org/r/58939/#comment256453>

    Ditto.



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 906-911 (original), 914-930 (patched)
<https://reviews.apache.org/r/58939/#comment256454>

    No need to change this test if you do the check in docker store create().



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 997-999 (original), 1016-1029 (patched)
<https://reviews.apache.org/r/58939/#comment256455>

    Ditto.



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 1087-1089 (original), 1117-1130 (patched)
<https://reviews.apache.org/r/58939/#comment256456>

    Ditto.


- Gilbert Song


On May 9, 2017, 11:08 a.m., Chun-Hung Hsiao wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
> 
> (Updated May 9, 2017, 11:08 a.m.)
> 
> 
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
> 
> 
> Bugs: mesos-7374
>     https://issues.apache.org/jira/browse/mesos-7374
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
> 
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5 
>   src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe 
>   src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137 
>   src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4 
> 
> 
> Diff: https://reviews.apache.org/r/58939/diff/6/
> 
> 
> Testing
> -------
> 
> sudo make check
> Manually tested on a simplified case of mesos-7374.
> 
> 
> Thanks,
> 
> Chun-Hung Hsiao
> 
>


Re: Review Request 58939: Filesystem isolation check for Mesos image provisioner.

Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.

> On July 20, 2017, 8:19 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Lines 1112-1126 (patched)
> > <https://reviews.apache.org/r/58939/diff/6/?file=1711635#file1711635line1112>
> >
> >     I don't like the checks here, since we have the following case:
> >     
> >     what if we have a task with volumes specified in its containerinfo but no image?
> >     
> >     Let's add `filesystem/isolator` check at docker::store::create().

Based on our discussion, let's put the checks in `MesosContainerizer::create()`.


> On July 20, 2017, 8:19 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/isolators/docker/runtime.cpp
> > Lines 70-79 (patched)
> > <https://reviews.apache.org/r/58939/diff/6/?file=1711636#file1711636line70>
> >
> >     Basically we don't add isolator dependencies inside of any isolator, nor the launcher since the launcher is supposed to be a component for containerizer.

Should I move this check into `MesosContainerizer::create()` or just remove it, since we already plan to check these two conditions when `--image_provider` is set?


- Chun-Hung
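The check the thread converges on, shown here as an added illustration that is not part of the review request or of Mesos's own code: a create-time validation over a constructed stand-in for the agent flags. The `AgentFlags` struct, `validateImageSupport` and `splitCommas` are assumptions of this example, not Mesos APIs, and the flag names mirror the ones discussed in the thread. The point it demonstrates is the fail-closed ordering: an agent that enables an image provider without the 'filesystem/linux' isolator and the 'linux' launcher is rejected before any container is launched, while a configuration with no image provider passes untouched, which covers the volumes-without-image case raised in the first comment.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed stand-in for the agent flags involved in the check
// (hypothetical struct for this example; not Mesos's own Flags type).
struct AgentFlags {
  std::string isolation;        // comma-separated, e.g. "filesystem/linux,docker/runtime"
  std::string launcher;         // "linux" or "posix"
  std::string image_providers;  // comma-separated; empty when no image provider is set
};

// Empty error string means the configuration was accepted.
struct CheckResult {
  bool ok;
  std::string error;
};

// Split a comma-separated flag value into its non-empty items.
static std::vector<std::string> splitCommas(const std::string& s) {
  std::vector<std::string> out;
  std::stringstream ss(s);
  std::string item;
  while (std::getline(ss, item, ',')) {
    if (!item.empty()) out.push_back(item);
  }
  return out;
}

// Validate image-support prerequisites once, at containerizer creation
// time, rather than per container in prepare(). Hypothetical function.
CheckResult validateImageSupport(const AgentFlags& flags) {
  // No image provider configured: nothing to enforce. A task may still
  // declare volumes in its ContainerInfo without an image, and that
  // configuration must not be rejected.
  if (flags.image_providers.empty()) {
    return {true, ""};
  }

  const std::vector<std::string> isolators = splitCommas(flags.isolation);
  const bool hasFilesystemLinux =
    std::find(isolators.begin(), isolators.end(), "filesystem/linux") !=
    isolators.end();

  // Without the mount-namespace isolator the provisioned rootfs would not
  // be isolated from the host filesystem, so refuse to start.
  if (!hasFilesystemLinux) {
    return {false,
            "The 'filesystem/linux' isolator must be enabled for "
            "container images support"};
  }

  // The 'linux' launcher is likewise required for container images.
  if (flags.launcher != "linux") {
    return {false,
            "The 'linux' launcher must be used for container images support"};
  }

  return {true, ""};
}

int main() {
  // Constructed sample configurations for illustration.
  const AgentFlags good{"filesystem/linux,docker/runtime", "linux", "docker"};
  const AgentFlags noIsolator{"docker/runtime", "linux", "docker"};
  const AgentFlags posixLauncher{"filesystem/linux", "posix", "docker"};
  const AgentFlags noImages{"posix/cpu,posix/mem", "posix", ""};

  for (const AgentFlags* f : {&good, &noIsolator, &posixLauncher, &noImages}) {
    const CheckResult r = validateImageSupport(*f);
    std::cout << (r.ok ? "accepted" : "rejected: " + r.error) << std::endl;
  }
  return 0;
}
```

Running the block prints one line per sample configuration; only the first and last are accepted, and each rejection carries the message text proposed in the review comments.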



