Posted to issues@mesos.apache.org by "Jie Yu (JIRA)" <ji...@apache.org> on 2019/01/18 22:14:00 UTC

[jira] [Created] (MESOS-9529) `/proc` should be remounted even if a nested container set `share_pid_namespace` to true

Jie Yu created MESOS-9529:
-----------------------------

             Summary: `/proc` should be remounted even if a nested container set `share_pid_namespace` to true
                 Key: MESOS-9529
                 URL: https://issues.apache.org/jira/browse/MESOS-9529
             Project: Mesos
          Issue Type: Bug
          Components: containerization
    Affects Versions: 1.4.2, 1.5.2, 1.6.2, 1.7.1
            Reporter: Jie Yu


Currently, if a nested container wants to share the pid namespace of its parent container, we allow the framework to set `LinuxInfo.share_pid_namespace`.

If the nested container does not have its own rootfs (i.e., using the host rootfs), the `/proc` is not re-mounted:
https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126

This is problematic because the nested container will be forked in the host's mount namespace and thus inherit the `/proc` mounted there. As a result, `/proc/<pid>` entries still refer to the host pid namespace, while the pid namespace of the parent container might be different from the host pid namespace.

As a result, `ps aux` in the nested container will show all process information from the host pid namespace, even though the pid namespace of the nested container is different from that of the host.
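The symptom described above can be detected from inside a container without any privileges. The following is an added example (not Mesos code, and not part of this issue): it compares the pid that `/proc/self` resolves to with `getpid()`, and parses the `NStgid` line of `/proc/self/status` (Linux 4.1+), which lists the pid once per namespace level starting from the namespace the procfs instance was mounted for. A `/proc` that was not remounted for the container's pid namespace shows a mismatch and extra leading entries; the sample status texts are constructed.

```python
import os


def nstgid_levels(status_text: str) -> list:
    """Parse the NStgid line of a /proc/<pid>/status file.

    The kernel prints one pid per namespace level: the first entry is the pid as
    numbered in the pid namespace the procfs was mounted for, the last entry is
    the pid in the process's own namespace. A single entry therefore means /proc
    belongs to the caller's pid namespace; extra leading entries mean /proc was
    mounted for an ancestor namespace (the host, in the case of this issue).
    """
    for line in status_text.splitlines():
        if line.startswith("NStgid:"):
            return [int(tok) for tok in line.split()[1:]]
    return []


def diagnose(proc_self_target: str, own_pid: int, status_text: str) -> str:
    """Return 'ok' when /proc matches the caller's pid namespace, else 'stale'."""
    # /proc/self resolves to the pid as numbered in the procfs's own namespace,
    # while getpid() is numbered in the caller's namespace; they differ if stale.
    if proc_self_target.strip("/") != str(own_pid):
        return "stale"
    if len(nstgid_levels(status_text)) > 1:
        return "stale"
    return "ok"


def check_live(proc: str = "/proc") -> str:
    """Run the check against a real procfs; 'unavailable' when there is none."""
    try:
        target = os.readlink(os.path.join(proc, "self"))
        with open(os.path.join(proc, "self", "status")) as fh:
            status = fh.read()
    except OSError:
        return "unavailable"
    return diagnose(target, os.getpid(), status)


# Constructed samples: a process that is pid 7 in a nested pid namespace but reads
# a /proc still mounted for the host namespace, where the same process is pid 4321
# (STALE_STATUS), versus the same process after /proc was remounted (FIXED_STATUS).
STALE_STATUS = "Name:\tsleep\nNStgid:\t4321\t7\nNSpid:\t4321\t7\n"
FIXED_STATUS = "Name:\tsleep\nNStgid:\t7\nNSpid:\t7\n"

if __name__ == "__main__":
    print("stale /proc:     ", diagnose("4321", 7, STALE_STATUS))  # stale
    print("remounted /proc: ", diagnose("7", 7, FIXED_STATUS))     # ok
    print("this host:       ", check_live())
```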



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)