Posted to dev@mesos.apache.org by "Benjamin Mahler (JIRA)" <ji...@apache.org> on 2014/05/17 00:02:16 UTC

[jira] [Updated] (MESOS-1282) Support unprivileged access to cgroups

     [ https://issues.apache.org/jira/browse/MESOS-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Mahler updated MESOS-1282:
-----------------------------------

    Fix Version/s:     (was: 0.19.0)

> Support unprivileged access to cgroups
> --------------------------------------
>
>                 Key: MESOS-1282
>                 URL: https://issues.apache.org/jira/browse/MESOS-1282
>             Project: Mesos
>          Issue Type: Improvement
>    Affects Versions: 0.19.0
>            Reporter: Ian Downes
>            Priority: Minor
>
> Supporting this would allow running tests with cgroup isolators on CI machines where sudo access is unavailable.
> This could be achieved by having the subsystems mounted and the mesos (or mesos_test) cgroup created and owned by the unprivileged user.
> {noformat}
> [vagrant@mesos cpu]$ cat /proc/mounts | grep cgroup
> tmpfs /sys/fs/cgroup tmpfs rw,relatime 0 0
> cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
> cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,clone_children 0 0
> cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,clone_children 0 0
> cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,clone_children 0 0
> cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,clone_children 0 0
> cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,clone_children 0 0
> cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,net_cls,clone_children 0 0
> cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,clone_children 0 0
> [vagrant@mesos cpu]$ pwd
> /sys/fs/cgroup/cpu
> [vagrant@mesos cpu]$ ls -la
> total 0
> drwxr-xr-x  2 root root   0 May  1 22:11 .
> drwxrwxrwt 10 root root 200 Apr 30 23:09 ..
> -rw-r--r--  1 root root   0 Apr 30 23:14 cgroup.clone_children
> --w--w--w-  1 root root   0 Apr 30 23:09 cgroup.event_control
> -rw-r--r--  1 root root   0 Apr 30 23:09 cgroup.procs
> -rw-r--r--  1 root root   0 Apr 30 23:09 cpu.cfs_period_us
> -rw-r--r--  1 root root   0 Apr 30 23:09 cpu.cfs_quota_us
> -rw-r--r--  1 root root   0 Apr 30 23:09 cpu.rt_period_us
> -rw-r--r--  1 root root   0 Apr 30 23:09 cpu.rt_runtime_us
> -rw-r--r--  1 root root   0 Apr 30 23:09 cpu.shares
> -r--r--r--  1 root root   0 Apr 30 23:09 cpu.stat
> -rw-r--r--  1 root root   0 Apr 30 23:09 notify_on_release
> -rw-r--r--  1 root root   0 Apr 30 23:09 release_agent
> -rw-r--r--  1 root root   0 Apr 30 23:09 tasks
> {noformat}
> User is unprivileged:
> {noformat}
> [vagrant@mesos cpu]$ id
> uid=500(vagrant) gid=500(vagrant) groups=500(vagrant),10(wheel)
> [vagrant@mesos cpu]$ mkdir mesos
> mkdir: cannot create directory `mesos': Permission denied
> {noformat}
> Create a cgroup and chown to the unprivileged user.
> {noformat}
> [vagrant@mesos cpu]$ sudo mkdir mesos && sudo chown -R vagrant:vagrant mesos
> [vagrant@mesos cpu]$ ls -la
> total 0
> drwxr-xr-x  3 root    root      0 May  1 22:11 .
> drwxrwxrwt 10 root    root    200 Apr 30 23:09 ..
> -rw-r--r--  1 root    root      0 Apr 30 23:14 cgroup.clone_children
> --w--w--w-  1 root    root      0 Apr 30 23:09 cgroup.event_control
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cgroup.procs
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.cfs_period_us
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.cfs_quota_us
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.rt_period_us
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.rt_runtime_us
> -rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.shares
> -r--r--r--  1 root    root      0 Apr 30 23:09 cpu.stat
> drwxr-xr-x  2 vagrant vagrant   0 May  1 22:12 mesos
> -rw-r--r--  1 root    root      0 Apr 30 23:09 notify_on_release
> -rw-r--r--  1 root    root      0 Apr 30 23:09 release_agent
> -rw-r--r--  1 root    root      0 Apr 30 23:09 tasks
> {noformat}
> The unprivileged user can now create nested cgroups and move processes into/out of cgroups it owns.
> {noformat}
> [vagrant@mesos cpu]$ echo $$
> 2877
> [vagrant@mesos cpu]$ echo $$ > mesos/cgroup.procs
> [vagrant@mesos cpu]$ cat mesos/cgroup.procs
> 2877
> 2957
> [vagrant@mesos cpu]$ mkdir mesos/test
> [vagrant@mesos cpu]$ echo $$ > mesos/test/cgroup.procs
> [vagrant@mesos cpu]$ cat mesos/test/cgroup.procs
> 2877
> 2960
> [vagrant@mesos cpu]$ echo $$ > mesos/cgroup.procs
> [vagrant@mesos cpu]$ cat mesos/cgroup.procs
> 2877
> 2977
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
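The setup the issue describes (subsystems mounted as cgroup v1, a cgroup created under the subsystem root and chowned to the unprivileged user, after which nested mkdir and writes to cgroup.procs work without sudo) is the kind of precondition a CI job should verify before running the cgroup isolator tests. The script below is an added example written for this page; it is not Mesos code and not part of the issue. The function names, the `SAMPLE_MOUNTS` constant (a constructed subset modelled on the mount listing above) and the default cgroup name `mesos` are assumptions of the example.

```bash
#!/usr/bin/env bash
# Preflight check for the setup MESOS-1282 asks for: is a cgroup v1 subsystem
# mounted, and does the current unprivileged user own a cgroup under it that
# it can populate (nested mkdir) and move processes into (cgroup.procs)?
#
# Added example for this page; not Mesos code. Function names are the
# example's own. The mounts file is a parameter so the check can be run
# against a saved copy offline; it defaults to /proc/mounts.

# Constructed sample of /proc/mounts, modelled on the listing in the issue.
SAMPLE_MOUNTS='tmpfs /sys/fs/cgroup tmpfs rw,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,clone_children 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,clone_children 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,clone_children 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,clone_children 0 0'

# Print the mount point of cgroup v1 subsystem $1 as recorded in mounts file
# $2 (default /proc/mounts); print nothing if it is not mounted.
cgroup_mount_point() {
    local subsys="$1" mounts="${2:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # Match the subsystem as a whole option, so "cpu" does not match "cpuacct".
    awk -v want="$subsys" '
        $3 == "cgroup" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) { print $2; exit }
        }' "$mounts"
}

# Succeed (return 0) only if directory $1 is a cgroup the current user fully
# controls: owned by this uid, writable and searchable (so "mkdir $1/child"
# works), with a writable cgroup.procs (so "echo $$ > $1/cgroup.procs" works).
cgroup_usable_unprivileged() {
    local dir="$1"
    [ -d "$dir" ] || { echo "no such cgroup directory: $dir" >&2; return 1; }
    [ -O "$dir" ] || { echo "not owned by uid $(id -u): $dir" >&2; return 1; }
    { [ -w "$dir" ] && [ -x "$dir" ]; } || { echo "cannot create nested cgroups in $dir" >&2; return 1; }
    [ -w "$dir/cgroup.procs" ] || { echo "cgroup.procs not writable in $dir" >&2; return 1; }
}

# Resolve subsystem $1 via mounts file $3, then check cgroup $2 beneath it.
# Prints the usable cgroup path on success.
check_cgroup_access() {
    local subsys="$1" name="$2" mounts="${3:-/proc/mounts}" root
    root="$(cgroup_mount_point "$subsys" "$mounts")"
    [ -n "$root" ] || { echo "subsystem '$subsys' is not mounted as cgroup v1" >&2; return 1; }
    cgroup_usable_unprivileged "$root/$name" || return 1
    echo "$root/$name"
}

# Stand-alone use: ./cgroup_check.sh <subsystem> [cgroup-name], e.g. "cpu mesos".
# Nothing runs when no arguments are given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_cgroup_access "$1" "${2:-mesos}"
fi
```

Run it as the CI user (`./cgroup_check.sh cpu mesos`) once per subsystem the isolator tests need; a non-zero exit with the message on stderr tells you which of the three conditions (subsystem mounted, cgroup owned by the user, cgroup.procs writable) the machine setup is missing. The ownership test is deliberate: a cgroup the user owns is also one whose processes that user can move around, so the check should be run against the dedicated `mesos` or `mesos_test` cgroup, not the subsystem root.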