You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by Gilbert Song <so...@gmail.com> on 2019/02/25 03:33:13 UTC
Re: Review Request 69345: Made non-root containers can access PARENT
type SANDBOX_PATH volume.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69345/#review213129
-----------------------------------------------------------
src/slave/containerizer/mesos/containerizer.cpp
Lines 2684 (patched)
<https://reviews.apache.org/r/69345/#comment298977>
IIRC, this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?
Could you remind me that:
if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?
src/slave/main.cpp
Lines 641 (patched)
<https://reviews.apache.org/r/69345/#comment298976>
we have been leaking for a while?
:(
- Gilbert Song
On Jan. 28, 2019, 11:34 p.m., Qian Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69345/
> -----------------------------------------------------------
>
> (Updated Jan. 28, 2019, 11:34 p.m.)
>
>
> Review request for mesos, Andrei Budnik, Gilbert Song, Greg Mann, Ilya Pronin, and Jie Yu.
>
>
> Bugs: MESOS-8810
> https://issues.apache.org/jira/browse/MESOS-8810
>
>
> Repository: mesos
>
>
> Description
> -------
>
> If a nested container running as a non-root user tries to use a PARENT
> type SANDBOX_PATH volume, we will make sure the volume owned by a unique
> gid allocated by the volume gid manager and the container process
> launched with that gid as its supplementary group.
>
>
> Diffs
> -----
>
> include/mesos/slave/containerizer.proto 7d16463fcce3df14d256f5a4f2deb42c482d0734
> src/local/local.cpp 608706811486e59b9472c026876d1d84cbccc279
> src/slave/containerizer/containerizer.hpp 66f73a306deffc51503479420531ea1948c574e1
> src/slave/containerizer/containerizer.cpp c6b5e64a72d16b871dcbfc17c05566affea6bd44
> src/slave/containerizer/mesos/containerizer.hpp 3102b8755c1fa3b205081d0198c6021c02d15ec6
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/isolators/volume/sandbox_path.hpp 1631160236379f84c6e1ed1be1370b5f2f2fd563
> src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp ecd467c5a33c2f41396bc72ddd7cb806bb8adc52
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/main.cpp d1ce45455f2867cb71378da122fbd598aca4546d
> src/slave/slave.hpp 2bcd7a93a8f25b77c71c7f931bfaac87649f987c
> src/slave/slave.cpp ed92f672f5155d70a36ba3619bb6f06fa09bc836
> src/tests/cluster.cpp 61489840fb1491ab56fd9edd5bcbb1c1dca2c0d2
> src/tests/mock_slave.hpp 3c0d602a981d76dcf10f9e413851e606d835e113
> src/tests/mock_slave.cpp a78ca9c7911bb7928a93be6867abe62e8cd20712
>
>
> Diff: https://reviews.apache.org/r/69345/diff/6/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Qian Zhang
>
>
Re: Review Request 69345: Made non-root containers can access PARENT
type SANDBOX_PATH volume.
Posted by Qian Zhang <zh...@gmail.com>.
> On Feb. 25, 2019, 11:33 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Lines 2684 (patched)
> > <https://reviews.apache.org/r/69345/diff/6/?file=2123002#file2123002line2684>
> >
> > IIRC, this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?
> >
> > Could you remind me that:
> > if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?
> this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?
Yes.
> if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?
It relies on its direct parent container destroy rather than the top level executor container destroy.
> On Feb. 25, 2019, 11:33 a.m., Gilbert Song wrote:
> > src/slave/main.cpp
> > Lines 641 (patched)
> > <https://reviews.apache.org/r/69345/diff/6/?file=2123006#file2123006line641>
> >
> > we have been leaking for a while?
> >
> > :(
Yes, but I guess it is not that bad because we should only delete it when the agent process teminates which will actually free everything of the process.
- Qian
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69345/#review213129
-----------------------------------------------------------
On Jan. 29, 2019, 3:34 p.m., Qian Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69345/
> -----------------------------------------------------------
>
> (Updated Jan. 29, 2019, 3:34 p.m.)
>
>
> Review request for mesos, Andrei Budnik, Gilbert Song, Greg Mann, Ilya Pronin, and Jie Yu.
>
>
> Bugs: MESOS-8810
> https://issues.apache.org/jira/browse/MESOS-8810
>
>
> Repository: mesos
>
>
> Description
> -------
>
> If a nested container running as a non-root user tries to use a PARENT
> type SANDBOX_PATH volume, we will make sure the volume owned by a unique
> gid allocated by the volume gid manager and the container process
> launched with that gid as its supplementary group.
>
>
> Diffs
> -----
>
> include/mesos/slave/containerizer.proto 7d16463fcce3df14d256f5a4f2deb42c482d0734
> src/local/local.cpp 608706811486e59b9472c026876d1d84cbccc279
> src/slave/containerizer/containerizer.hpp 66f73a306deffc51503479420531ea1948c574e1
> src/slave/containerizer/containerizer.cpp c6b5e64a72d16b871dcbfc17c05566affea6bd44
> src/slave/containerizer/mesos/containerizer.hpp 3102b8755c1fa3b205081d0198c6021c02d15ec6
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/isolators/volume/sandbox_path.hpp 1631160236379f84c6e1ed1be1370b5f2f2fd563
> src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp ecd467c5a33c2f41396bc72ddd7cb806bb8adc52
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/main.cpp d1ce45455f2867cb71378da122fbd598aca4546d
> src/slave/slave.hpp 2bcd7a93a8f25b77c71c7f931bfaac87649f987c
> src/slave/slave.cpp ed92f672f5155d70a36ba3619bb6f06fa09bc836
> src/tests/cluster.cpp 61489840fb1491ab56fd9edd5bcbb1c1dca2c0d2
> src/tests/mock_slave.hpp 3c0d602a981d76dcf10f9e413851e606d835e113
> src/tests/mock_slave.cpp a78ca9c7911bb7928a93be6867abe62e8cd20712
>
>
> Diff: https://reviews.apache.org/r/69345/diff/6/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Qian Zhang
>
>