Posted to commits@mesos.apache.org by gi...@apache.org on 2019/05/20 22:08:09 UTC

[mesos] branch master updated (1f83bfc -> eecb82c)

This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 1f83bfc  Added unit tests for 'framework::validateUpdate()'.
     new 721cc06  Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."
     new 6a919b6  Revert "Added MESOS-9536 to the 1.7.3 CHANGELOG."
     new 6873559  Revert "Added MESOS-9536 to the 1.8.1 CHANGELOG.".
     new a44eaca  Revert "Added a test to verify non-root nested container can access its sandbox."
     new eecb82c  Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."

The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGELOG                                          |  3 -
 src/slave/containerizer/mesos/containerizer.cpp    | 24 ++-----
 .../mesos/isolators/filesystem/linux.cpp           | 23 ------
 .../nested_mesos_containerizer_tests.cpp           | 82 ----------------------
 4 files changed, 7 insertions(+), 125 deletions(-)


[mesos] 03/05: Revert "Added MESOS-9536 to the 1.8.1 CHANGELOG.".

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 687355968d0d8a870bd0bda5af4185885873f4c1
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:46:02 2019 -0700

    Revert "Added MESOS-9536 to the 1.8.1 CHANGELOG.".
---
 CHANGELOG | 1 -
 1 file changed, 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index f467775..237790b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,7 +13,6 @@ Release Notes - Mesos - Version 1.8.1 (WIP)
 * This is a bug fix release.
 
 ** Bug
-  * [MESOS-9536] - Nested container launched with non-root user may not be able to write to its sandbox via the environment variable `MESOS_SANDBOX`.
   * [MESOS-9616] - `Filters.refuse_seconds` declines resources not in offers.
   * [MESOS-9695] - Remove the duplicate pid check in Docker containerizer
   * [MESOS-9766] - /__processes__ endpoint can hang.


[mesos] 05/05: Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit eecb82c77117998af0c67a53c64e9b1e975acfa4
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:46:18 2019 -0700

    Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."
    
    This reverts commit 40beae143a24a35f85b047ef8ee243581f1c3c69.
---
 src/slave/containerizer/mesos/containerizer.cpp    | 24 +++++++---------------
 .../mesos/isolators/filesystem/linux.cpp           | 23 ---------------------
 2 files changed, 7 insertions(+), 40 deletions(-)

diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index c4a6827..0432448 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1837,25 +1837,15 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
   if (container->containerClass() == ContainerClass::DEFAULT) {
     // TODO(jieyu): Consider moving this to filesystem isolator.
     //
-    // NOTE: For the command executor case, although it uses the host filesystem
-    // for itself, we still set `MESOS_SANDBOX` according to the root filesystem
-    // of the task (if specified). Command executor itself does not use this
-    // environment variable. For nested container which does not have its own
-    // rootfs, if the `filesystem/linux` isolator is enabled, we will also set
-    // `MESOS_SANDBOX` to `flags.sandbox_directory` since in `prepare` method
-    // of the `filesystem/linux` isolator we bind mount such nested container's
-    // sandbox to `flags.sandbox_directory`. Since such bind mount is only done
-    // by the `filesystem/linux` isolator, if another filesystem isolator (e.g.,
-    // `filesystem/posix`) is enabled instead, nested container may still have
-    // no permission to access its sandbox via `MESOS_SANDBOX`.
+    // NOTE: For the command executor case, although it uses the host
+    // filesystem for itself, we still set 'MESOS_SANDBOX' according to
+    // the root filesystem of the task (if specified). Command executor
+    // itself does not use this environment variable.
     Environment::Variable* variable = containerEnvironment.add_variables();
     variable->set_name("MESOS_SANDBOX");
-    variable->set_value(
-        (container->config->has_rootfs() ||
-         (strings::contains(flags.isolation, "filesystem/linux") &&
-          containerId.has_parent()))
-          ? flags.sandbox_directory
-          : container->config->directory());
+    variable->set_value(container->config->has_rootfs()
+      ? flags.sandbox_directory
+      : container->config->directory());
   }
 
   // `launchInfo.environment` contains the environment returned by
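Review bot: The new side of this hunk reinstates the simpler `MESOS_SANDBOX` selection without recording the consequence the removed comment spelled out: a nested container that has no rootfs now gets `container->config->directory()`, which is a subdirectory of its parent's sandbox, and the removed text in the filesystem isolator stated that parent sandboxes were narrowed to 0750 by MESOS-8332, so a nested container running as a user different from its parent may be unable to reach its sandbox through that path (the MESOS-9536 symptom). The revert commit message gives no reason for backing out the fix, so a later reader of `_launch` cannot tell whether this is a known, accepted limitation or an oversight. Suggest extending the NOTE with one line such as `// NOTE: A nested container without its own rootfs gets its real sandbox path; if it runs as a different user than its parent, the parent's sandbox mode may deny access (see MESOS-9536).` The enclosing `_launch` starts and ends outside the hunk.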
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index 7b50258..725754f 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -502,16 +502,6 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(
         containersRuntimeDir + "': " + mkdir.error());
   }
 
-  // Create sandbox directory. We will bind mount the sandbox of nested
-  // container which does not have its own rootfs to this directory. See
-  // `prepare` for details.
-  mkdir = os::mkdir(flags.sandbox_directory);
-  if (mkdir.isError()) {
-    return Error(
-        "Failed to create sandbox directory at '" +
-        flags.sandbox_directory + "': " + mkdir.error());
-  }
-
   Try<Nothing> containersDirMount = ensureAllowDevices(containersRuntimeDir);
   if (containersDirMount.isError()) {
     return Error(containersDirMount.error());
@@ -754,19 +744,6 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
 
     *launchInfo.add_mounts() = createContainerMount(
         containerConfig.directory(), sandbox, MS_BIND | MS_REC);
-  } else if (containerId.has_parent()) {
-    // For nested container which does not have its own rootfs, bind mount its
-    // sandbox to the directory specified via `flags.sandbox_directory` (e.g.,
-    // `/mnt/mesos/sandbox`) in its own mount namespace and set the environment
-    // variable `MESOS_SANDBOX` to `flags.sandbox_directory` (see the `_launch`
-    // method of `MesosContainerizerProcess` for details). The reason that we do
-    // this is, in MESOS-8332 we narrowed task sandbox permissions from 0755 to
-    // 0750, since nested container's sandbox is subdirectory under its parent's
-    // sandbox, if we still set `MESOS_SANDBOX` to `containerConfig.directory()`
-    // for nested container, it will not have permission to access its sandbox
-    // via `MESOS_SANDBOX` if its user is different from its parent's user.
-    *launchInfo.add_mounts() = createContainerMount(
-        containerConfig.directory(), flags.sandbox_directory, MS_BIND | MS_REC);
   }
 
   // Currently, we only need to update resources for top level containers.
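Review bot: After this revert the only sandbox mount `prepare` adds is the one at the top of the hunk (its `if` condition is above the hunk), so a nested container without its own rootfs receives no mount and must reach its sandbox by host path, which the removed branch explained depends on the parent's sandbox permissions; nothing on the new side marks the missing `else` as deliberate. A one-line comment after the closing brace would keep the next maintainer from re-adding the bind mount blindly or assuming nested containers are covered: `// Nested containers without a rootfs are left to access their sandbox by host path; see MESOS-9536 for the permission caveat.` The enclosing `prepare` starts and ends outside the hunk.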


[mesos] 02/05: Revert "Added MESOS-9536 to the 1.7.3 CHANGELOG."

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 6a919b6993cd4a9feb797e0a012c4ae9044d37d6
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:40:42 2019 -0700

    Revert "Added MESOS-9536 to the 1.7.3 CHANGELOG."
    
    This reverts commit 9c20d4ec869a4fb3eb90fda975afc10c1bdb49c3.
---
 CHANGELOG | 1 -
 1 file changed, 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 932542d..f467775 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -426,7 +426,6 @@ Release Notes - Mesos - Version 1.7.3 (WIP)
   * [MESOS-8467] - Destroyed executors might be used after `Slave::publishResource()`.
   * [MESOS-9507] - Agent could not recover due to empty docker volume checkpointed files.
   * [MESOS-9529] - `/proc` should be remounted even if a nested container set `share_pid_namespace` to true.
-  * [MESOS-9536] - Nested container launched with non-root user may not be able to write to its sandbox via the environment variable `MESOS_SANDBOX`.
   * [MESOS-9549] - nvidia/cuda 10 does not work on GPU isolator.
   * [MESOS-9564] - Logrotate container logger lets tasks execute arbitrary commands in the Mesos agent's namespace.
   * [MESOS-9568] - SLRP does not clean up mount directories for destroyed MOUNT disks.


[mesos] 01/05: Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 721cc06330f1357dc4c1ee3bc9af36e5c3835199
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:40:28 2019 -0700

    Revert "Added MESOS-9536 to the 1.6.3 CHANGELOG."
    
    This reverts commit 977af9b87f582d6301083c730046d5be32c5fea6.
---
 CHANGELOG | 1 -
 1 file changed, 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index bfa5a26..932542d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -905,7 +905,6 @@ Release Notes - Mesos - Version 1.6.3 (WIP)
 ** Bug
   * [MESOS-9507] - Agent could not recover due to empty docker volume checkpointed files.
   * [MESOS-9529] - `/proc` should be remounted even if a nested container set `share_pid_namespace` to true.
-  * [MESOS-9536] - Nested container launched with non-root user may not be able to write to its sandbox via the environment variable `MESOS_SANDBOX`.
   * [MESOS-9564] - Logrotate container logger lets tasks execute arbitrary commands in the Mesos agent's namespace.
   * [MESOS-9616] - `Filters.refuse_seconds` declines resources not in offers.
   * [MESOS-9619] - Mesos Master Crashes with Launch Group when using Port Resources


[mesos] 04/05: Revert "Added a test to verify non-root nested container can access its sandbox."

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit a44eaca379da7779955a3e94b92e1199e9b203b8
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:46:16 2019 -0700

    Revert "Added a test to verify non-root nested container can access its sandbox."
    
    This reverts commit 510aa02f9a53b1209e9deeaf65f25db2c0ccd96b.
---
 .../nested_mesos_containerizer_tests.cpp           | 82 ----------------------
 1 file changed, 82 deletions(-)

diff --git a/src/tests/containerizer/nested_mesos_containerizer_tests.cpp b/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
index 42cfe3a..bbf83fa 100644
--- a/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
+++ b/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
@@ -243,88 +243,6 @@ TEST_F(NestedMesosContainerizerTest, ROOT_CGROUPS_LaunchNested)
 }
 
 
-// This is a regression test for MESOS-9536. It verifies that a nested
-// container launched with a non-root user has the permission to write
-// to its own sandbox via the `MESOS_SANDBOX` environment variable while
-// its parent container is launched with a different user (root).
-TEST_F(NestedMesosContainerizerTest,
-       ROOT_CGROUPS_UNPRIVILEGED_USER_NestedContainerAccessMesosSandbox)
-{
-  slave::Flags flags = CreateSlaveFlags();
-  flags.launcher = "linux";
-  flags.isolation = "cgroups/cpu,filesystem/linux,namespaces/pid";
-
-  Fetcher fetcher(flags);
-
-  Try<MesosContainerizer*> create = MesosContainerizer::create(
-      flags,
-      false,
-      &fetcher);
-
-  ASSERT_SOME(create);
-
-  Owned<MesosContainerizer> containerizer(create.get());
-
-  SlaveState state;
-  state.id = SlaveID();
-
-  AWAIT_READY(containerizer->recover(state));
-
-  ContainerID containerId;
-  containerId.set_value(id::UUID::random().toString());
-
-  Try<string> directory = environment->mkdtemp();
-  ASSERT_SOME(directory);
-
-  Future<Containerizer::LaunchResult> launch = containerizer->launch(
-      containerId,
-      createContainerConfig(
-          None(),
-          createExecutorInfo("executor", "sleep 1000", "cpus:1"),
-          directory.get()),
-      map<string, string>(),
-      None());
-
-  AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
-
-  // Launch the nested container with a non-root user.
-  ContainerID nestedContainerId;
-  nestedContainerId.mutable_parent()->CopyFrom(containerId);
-  nestedContainerId.set_value(id::UUID::random().toString());
-
-  Option<string> user = os::getenv("SUDO_USER");
-  ASSERT_SOME(user);
-
-  launch = containerizer->launch(
-      nestedContainerId,
-      createContainerConfig(
-          createCommandInfo("echo 'hello' > $MESOS_SANDBOX/file"),
-          None(),
-          None(),
-          user.get()),
-      map<string, string>(),
-      None());
-
-  AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
-
-  Future<Option<ContainerTermination>> wait = containerizer->wait(
-      nestedContainerId);
-
-  AWAIT_READY(wait);
-  ASSERT_SOME(wait.get());
-  ASSERT_TRUE(wait.get()->has_status());
-  EXPECT_WEXITSTATUS_EQ(0, wait.get()->status());
-
-  Future<Option<ContainerTermination>> termination =
-    containerizer->destroy(containerId);
-
-  AWAIT_READY(termination);
-  ASSERT_SOME(termination.get());
-  ASSERT_TRUE(termination.get()->has_status());
-  EXPECT_WTERMSIG_EQ(SIGKILL, termination.get()->status());
-}
-
-
 // This test verifies that a debug container inherits the
 // environment of its parent even after agent failover.
 TEST_F(NestedMesosContainerizerTest,