You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@mesos.apache.org by Gilbert Song <so...@gmail.com> on 2019/02/25 03:33:13 UTC

Re: Review Request 69345: Made non-root containers can access PARENT type SANDBOX_PATH volume.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69345/#review213129
-----------------------------------------------------------




src/slave/containerizer/mesos/containerizer.cpp
Lines 2684 (patched)
<https://reviews.apache.org/r/69345/#comment298977>

    IIRC, this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?
    
    Could you remind me that:
    if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?



src/slave/main.cpp
Lines 641 (patched)
<https://reviews.apache.org/r/69345/#comment298976>

    we have been leaking for a while?
    
    :(


- Gilbert Song


On Jan. 28, 2019, 11:34 p.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69345/
> -----------------------------------------------------------
> 
> (Updated Jan. 28, 2019, 11:34 p.m.)
> 
> 
> Review request for mesos, Andrei Budnik, Gilbert Song, Greg Mann, Ilya Pronin, and Jie Yu.
> 
> 
> Bugs: MESOS-8810
>     https://issues.apache.org/jira/browse/MESOS-8810
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> If a nested container running as a non-root user tries to use a PARENT
> type SANDBOX_PATH volume, we will make sure the volume owned by a unique
> gid allocated by the volume gid manager and the container process
> launched with that gid as its supplementary group.
> 
> 
> Diffs
> -----
> 
>   include/mesos/slave/containerizer.proto 7d16463fcce3df14d256f5a4f2deb42c482d0734 
>   src/local/local.cpp 608706811486e59b9472c026876d1d84cbccc279 
>   src/slave/containerizer/containerizer.hpp 66f73a306deffc51503479420531ea1948c574e1 
>   src/slave/containerizer/containerizer.cpp c6b5e64a72d16b871dcbfc17c05566affea6bd44 
>   src/slave/containerizer/mesos/containerizer.hpp 3102b8755c1fa3b205081d0198c6021c02d15ec6 
>   src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba 
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.hpp 1631160236379f84c6e1ed1be1370b5f2f2fd563 
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp ecd467c5a33c2f41396bc72ddd7cb806bb8adc52 
>   src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c 
>   src/slave/main.cpp d1ce45455f2867cb71378da122fbd598aca4546d 
>   src/slave/slave.hpp 2bcd7a93a8f25b77c71c7f931bfaac87649f987c 
>   src/slave/slave.cpp ed92f672f5155d70a36ba3619bb6f06fa09bc836 
>   src/tests/cluster.cpp 61489840fb1491ab56fd9edd5bcbb1c1dca2c0d2 
>   src/tests/mock_slave.hpp 3c0d602a981d76dcf10f9e413851e606d835e113 
>   src/tests/mock_slave.cpp a78ca9c7911bb7928a93be6867abe62e8cd20712 
> 
> 
> Diff: https://reviews.apache.org/r/69345/diff/6/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>

Re: Review Request 69345: Made non-root containers can access PARENT type SANDBOX_PATH volume.

Posted by Qian Zhang <zh...@gmail.com>.


> On Feb. 25, 2019, 11:33 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Lines 2684 (patched)
> > <https://reviews.apache.org/r/69345/diff/6/?file=2123002#file2123002line2684>
> >
> >     IIRC, this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?
> >     
> >     Could you remind me that:
> >     if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?

> this is because we want to do GID deallocate based on the PARENT sandbox_path volume life cycle?

Yes.

> if there are more hierarchies, any sandbox_path volume gid deallocation rely on the top level executor container destroy?

It relies on its direct parent container destroy rather than the top level executor container destroy.


> On Feb. 25, 2019, 11:33 a.m., Gilbert Song wrote:
> > src/slave/main.cpp
> > Lines 641 (patched)
> > <https://reviews.apache.org/r/69345/diff/6/?file=2123006#file2123006line641>
> >
> >     we have been leaking for a while?
> >     
> >     :(

Yes, but I guess it is not that bad because we should only delete it when the agent process teminates which will actually free everything of the process.


- Qian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69345/#review213129
-----------------------------------------------------------


On Jan. 29, 2019, 3:34 p.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69345/
> -----------------------------------------------------------
> 
> (Updated Jan. 29, 2019, 3:34 p.m.)
> 
> 
> Review request for mesos, Andrei Budnik, Gilbert Song, Greg Mann, Ilya Pronin, and Jie Yu.
> 
> 
> Bugs: MESOS-8810
>     https://issues.apache.org/jira/browse/MESOS-8810
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> If a nested container running as a non-root user tries to use a PARENT
> type SANDBOX_PATH volume, we will make sure the volume owned by a unique
> gid allocated by the volume gid manager and the container process
> launched with that gid as its supplementary group.
> 
> 
> Diffs
> -----
> 
>   include/mesos/slave/containerizer.proto 7d16463fcce3df14d256f5a4f2deb42c482d0734 
>   src/local/local.cpp 608706811486e59b9472c026876d1d84cbccc279 
>   src/slave/containerizer/containerizer.hpp 66f73a306deffc51503479420531ea1948c574e1 
>   src/slave/containerizer/containerizer.cpp c6b5e64a72d16b871dcbfc17c05566affea6bd44 
>   src/slave/containerizer/mesos/containerizer.hpp 3102b8755c1fa3b205081d0198c6021c02d15ec6 
>   src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba 
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.hpp 1631160236379f84c6e1ed1be1370b5f2f2fd563 
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp ecd467c5a33c2f41396bc72ddd7cb806bb8adc52 
>   src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c 
>   src/slave/main.cpp d1ce45455f2867cb71378da122fbd598aca4546d 
>   src/slave/slave.hpp 2bcd7a93a8f25b77c71c7f931bfaac87649f987c 
>   src/slave/slave.cpp ed92f672f5155d70a36ba3619bb6f06fa09bc836 
>   src/tests/cluster.cpp 61489840fb1491ab56fd9edd5bcbb1c1dca2c0d2 
>   src/tests/mock_slave.hpp 3c0d602a981d76dcf10f9e413851e606d835e113 
>   src/tests/mock_slave.cpp a78ca9c7911bb7928a93be6867abe62e8cd20712 
> 
> 
> Diff: https://reviews.apache.org/r/69345/diff/6/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>