Posted to commits@mesos.apache.org by gi...@apache.org on 2019/07/19 22:06:19 UTC

[mesos] branch master updated (0913f54 -> 02b6467)

This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 0913f54  Fixed an UI issue in Roles tab where `Reserved` is incorrect.
     new e58f4b9  Added two validations in `namespaces/ipc` isolator.
     new 5032ea3  Added a test `ROOT_NonePrivateIPCModeWithShmSize`.
     new 02b6467  Added a test `ROOT_DebugContainerWithPrivateIPCMode`.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 docs/isolators/namespaces-ipc.md                   |   4 +
 include/mesos/mesos.proto                          |   4 +-
 include/mesos/v1/mesos.proto                       |   4 +-
 .../mesos/isolators/namespaces/ipc.cpp             |  11 ++
 src/tests/containerizer/isolator_tests.cpp         | 151 +++++++++++++++++----
 5 files changed, 144 insertions(+), 30 deletions(-)


[mesos] 02/03: Added a test `ROOT_NonePrivateIPCModeWithShmSize`.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 5032ea381dd2d532d781ba1d2c9fd3a600e7883a
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Jul 19 15:06:06 2019 -0700

    Added a test `ROOT_NonePrivateIPCModeWithShmSize`.
    
    Review: https://reviews.apache.org/r/71121/
---
 src/tests/containerizer/isolator_tests.cpp | 49 ++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/src/tests/containerizer/isolator_tests.cpp b/src/tests/containerizer/isolator_tests.cpp
index 3d79f23..0cbe0fe 100644
--- a/src/tests/containerizer/isolator_tests.cpp
+++ b/src/tests/containerizer/isolator_tests.cpp
@@ -1072,6 +1072,55 @@ TEST_F(NamespacesIsolatorTest, ROOT_DisallowShareAgentIPCNamespace)
 
   AWAIT_FAILED(launch);
 }
+
+
+// This test verifies that we do not support specifying container's
+// /dev/shm size when its IPC mode is not `PRIVATE`.
+TEST_F(NamespacesIsolatorTest, ROOT_NonePrivateIPCModeWithShmSize)
+{
+  Try<Owned<MesosContainerizer>> containerizer =
+    createContainerizer("filesystem/linux,namespaces/ipc");
+
+  ASSERT_SOME(containerizer);
+
+  // Launch a container with a specified /dev/shm size but without
+  // specifying IPC mode.
+  ContainerID containerId1;
+  containerId1.set_value(id::UUID::random().toString());
+
+  mesos::slave::ContainerConfig containerConfig = createContainerConfig(
+      None(),
+      createExecutorInfo("executor", "sleep 1000"),
+      directory);
+
+  ContainerInfo* container = containerConfig.mutable_container_info();
+  container->set_type(ContainerInfo::MESOS);
+  container->mutable_linux_info()->set_shm_size(128);
+
+  process::Future<Containerizer::LaunchResult> launch =
+    containerizer.get()->launch(
+        containerId1,
+        containerConfig,
+        std::map<string, string>(),
+        None());
+
+  AWAIT_FAILED(launch);
+
+  // Launch another container with a specified /dev/shm size and `SHARE_PARENT`
+  // IPC mode.
+  ContainerID containerId2;
+  containerId2.set_value(id::UUID::random().toString());
+
+  container->mutable_linux_info()->set_ipc_mode(LinuxInfo::SHARE_PARENT);
+
+  launch = containerizer.get()->launch(
+      containerId2,
+      containerConfig,
+      std::map<string, string>(),
+      None());
+
+  AWAIT_FAILED(launch);
+}
 #endif // __linux__
 
 } // namespace tests {
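Review bot: Both `AWAIT_FAILED(launch)` checks accept any launch failure, so a container that fails for an unrelated reason (for example a `filesystem/linux` setup error on the test host) would still pass this test without exercising the new `shm_size` validation at all; asserting on the reason, `EXPECT_TRUE(strings::contains(launch.failure(), "Only support specifying the size of /dev/shm"));` after each `AWAIT_FAILED`, ties the test to the behaviour it is meant to cover. The same gap exists at the `AWAIT_FAILED(launch)` in `ROOT_DebugContainerWithPrivateIPCMode` (commit 03/03), where the expected text would be the "Private IPC mode is not supported for DEBUG containers" failure. The first launch here also relies on the container's unset `ipc_mode` resolving to something other than `PRIVATE` under the fixture's agent flags, which is not visible in the hunk; a one-line comment stating that assumption above `container->mutable_linux_info()->set_shm_size(128);` would make the case easier to maintain.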


[mesos] 01/03: Added two validations in `namespaces/ipc` isolator.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit e58f4b97b5d13ccc18ad9b1632d7e6409bdd0c55
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Jul 19 15:06:03 2019 -0700

    Added two validations in `namespaces/ipc` isolator.
    
    1. Do not support specifying the size of /dev/shm when the IPC mode
       is not `PRIVATE`.
    2. Do not support private IPC mode for debug containers.
    
    Review: https://reviews.apache.org/r/71120/
---
 docs/isolators/namespaces-ipc.md                   |  4 ++
 include/mesos/mesos.proto                          |  4 +-
 include/mesos/v1/mesos.proto                       |  4 +-
 .../mesos/isolators/namespaces/ipc.cpp             | 11 +++++
 src/tests/containerizer/isolator_tests.cpp         | 49 ++++++++++------------
 5 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/docs/isolators/namespaces-ipc.md b/docs/isolators/namespaces-ipc.md
index 4c978ec..4009660 100644
--- a/docs/isolators/namespaces-ipc.md
+++ b/docs/isolators/namespaces-ipc.md
@@ -55,3 +55,7 @@ flag, if that flag is not set too, the size of the /dev/shm will be half
 of the agent host RAM which is the default behavior of Linux. The
 `ContainerInfo.linux_info.shm_size` field will be ignored for the container which
 shares its parent's /dev/shm.
+
+Please note that we only support setting the `ContainerInfo.linux_info.shm_size` field
+when the `ContainerInfo.linux_info.ipc_mode` field is set to `PRIVATE`, otherwise the
+container launch will be rejected.
diff --git a/include/mesos/mesos.proto b/include/mesos/mesos.proto
index 075c110..cb6d131 100644
--- a/include/mesos/mesos.proto
+++ b/include/mesos/mesos.proto
@@ -3324,7 +3324,9 @@ message LinuxInfo {
   // flag is not set too, the size of the /dev/shm will be half of the host RAM
   // which is the default behavior of Linux. This field will be ignored for the
   // container which shares /dev/shm from its parent and it will be also ignored
-  // for any containers if the `namespaces/ipc` isolator is not enabled.
+  // for any containers if the `namespaces/ipc` isolator is not enabled. Please
+  // note that we only support setting this field when the `ipc_mode` field is
+  // set to `PRIVATE` otherwise the container launch will be rejected.
   optional uint32 shm_size = 7;
 }
 
diff --git a/include/mesos/v1/mesos.proto b/include/mesos/v1/mesos.proto
index 0dcaee6..438c3fe 100644
--- a/include/mesos/v1/mesos.proto
+++ b/include/mesos/v1/mesos.proto
@@ -3313,7 +3313,9 @@ message LinuxInfo {
   // flag is not set too, the size of the /dev/shm will be half of the host RAM
   // which is the default behavior of Linux. This field will be ignored for the
   // container which shares /dev/shm from its parent and it will be also ignored
-  // for any containers if the `namespaces/ipc` isolator is not enabled.
+  // for any containers if the `namespaces/ipc` isolator is not enabled. Please
+  // note that we only support setting this field when the `ipc_mode` field is
+  // set to `PRIVATE` otherwise the container launch will be rejected.
   optional uint32 shm_size = 7;
 }
 
diff --git a/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp b/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
index 743d48d..aaaec6b 100644
--- a/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
+++ b/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
@@ -119,6 +119,12 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
     }
 
     if (containerConfig.container_info().linux_info().has_shm_size()) {
+      if (ipcMode != LinuxInfo::PRIVATE) {
+        return Failure(
+            "Only support specifying the size of /dev/shm "
+            "when the IPC mode is `PRIVATE`");
+      }
+
       shmSize =
         Megabytes(containerConfig.container_info().linux_info().shm_size());
     } else if (flags.default_container_shm_size.isSome()) {
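Review bot: The new `shm_size` rejection runs before the DEBUG-container branch further down in `prepare()` (the hunk at `@@ -133`), so a debug container that carries `shm_size` can no longer launch at all: a non-`PRIVATE` mode is rejected here and a `PRIVATE` mode is rejected there, while the proto comments and `docs/isolators/namespaces-ipc.md` in this same commit still say the field "will be ignored for the container which shares /dev/shm from its parent". Either the "ignored" wording should be qualified to say that the field is rejected rather than ignored, or the debug-container case should be handled before this validation so the documented behaviour holds. The enclosing `prepare()` starts and ends outside the hunk, so I cannot confirm whether `shm_size` is cleared for debug containers elsewhere.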
@@ -133,6 +139,11 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
     // so it will share its parent container's /dev/shm.
     if (containerConfig.has_container_class() &&
         containerConfig.container_class() == ContainerClass::DEBUG) {
+      if (ipcMode == LinuxInfo::PRIVATE) {
+        return Failure(
+            "Private IPC mode is not supported for DEBUG containers");
+      }
+
       launchInfo.add_enter_namespaces(CLONE_NEWIPC);
       return launchInfo;
     }
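Review bot: The check `if (ipcMode == LinuxInfo::PRIVATE)` rejects the debug container based on the effective `ipcMode`, which is computed above the hunk; if that value falls back to the agent's default IPC mode when the container leaves `ipc_mode` unset (I cannot see that from here), a debug container with no explicit mode would be rejected on an agent configured with a `PRIVATE` default, which the commit message ("do not support private IPC mode for debug containers") does not seem to intend. If that is the case, testing the container's own field instead, `if (containerConfig.container_info().linux_info().has_ipc_mode() && containerConfig.container_info().linux_info().ipc_mode() == LinuxInfo::PRIVATE)`, would limit the rejection to an explicit request, and a comment should state which of the two is meant. The enclosing `prepare()` starts and ends outside the hunk.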
diff --git a/src/tests/containerizer/isolator_tests.cpp b/src/tests/containerizer/isolator_tests.cpp
index 14feaed..3d79f23 100644
--- a/src/tests/containerizer/isolator_tests.cpp
+++ b/src/tests/containerizer/isolator_tests.cpp
@@ -523,8 +523,8 @@ TEST_F(NamespacesIsolatorTest, ROOT_IPCNamespaceWithIPCIsolatorDisabled)
 
 // This test verifies that a top-level container with private IPC mode will
 // have its own IPC namespace and /dev/shm, and it can share IPC namespace
-// and /dev/shm with its child container, grandchild container and debug
-// container.
+// and /dev/shm with its child containers, grandchild containers and debug
+// containers.
 TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
 {
   Try<Owned<MesosContainerizer>> containerizer =
@@ -580,8 +580,7 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
   // its own /dev/shm rather than in agent's /dev/shm.
   ASSERT_FALSE(os::exists("/dev/shm/root"));
 
-  // Now launch two child containers with `SHARE_PARENT` ipc mode and
-  // 256MB /dev/shm.
+  // Now launch two child containers with `SHARE_PARENT` ipc mode.
   ContainerID childContainerId1, childContainerId2;
 
   childContainerId1.mutable_parent()->CopyFrom(containerId);
@@ -593,12 +592,11 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
   ContainerInfo containerInfo;
   containerInfo.set_type(ContainerInfo::MESOS);
   containerInfo.mutable_linux_info()->set_ipc_mode(LinuxInfo::SHARE_PARENT);
-  containerInfo.mutable_linux_info()->set_shm_size(256);
 
-  // Launch the first child container, check its /dev/shm size is 128MB
-  // rather than 256MB, it can see the file created by its parent container
-  // in /dev/shm and it is in the same IPC namespace with its parent container,
-  // and then write its IPC namespace inode to a file under /dev/shm.
+  // Launch the first child container, check its /dev/shm size is 128MB, it
+  // can see the file created by its parent container in /dev/shm and it is
+  // in the same IPC namespace with its parent container, and then write its
+  // IPC namespace inode to a file under /dev/shm.
   launch = containerizer.get()->launch(
       childContainerId1,
       createContainerConfig(
@@ -630,10 +628,10 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
   EXPECT_LT(waited, process::TEST_AWAIT_TIMEOUT);
 
   // Launch the second child container with its own rootfs, check its /dev/shm
-  // size is 128MB rather than 256MB, it can see the files created by its parent
-  // container and the first child container in /dev/shm and it is in the same
-  // IPC namespace with its parent container and the first child container. and
-  // then write its IPC namespace inode to a file under /dev/shm.
+  // size is 128MB, it can see the files created by its parent container and the
+  // first child container in /dev/shm and it is in the same IPC namespace with
+  // its parent container and the first child container, and then write its IPC
+  // namespace inode to a file under /dev/shm.
   mesos::Image image;
   image.set_type(mesos::Image::DOCKER);
   image.mutable_docker()->set_name("alpine");
@@ -671,10 +669,9 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
 
   EXPECT_LT(waited, process::TEST_AWAIT_TIMEOUT);
 
-  // Launch a grandchild container with `SHARE_PARENT` ipc mode and
-  // 256MB /dev/shm under the first child container, check its /dev/shm
-  // size is 128MB rather than 256MB, it can see the files created by
-  // its parent and grandparent containers and it is in the same IPC
+  // Launch a grandchild container with `SHARE_PARENT` ipc mode under the first
+  // child container, check its /dev/shm size is 128MB, it can see the files
+  // created by its parent and grandparent containers and it is in the same IPC
   // namespace with its parent and grandparent containers.
   ContainerID grandchildContainerId;
   grandchildContainerId.mutable_parent()->CopyFrom(childContainerId1);
@@ -701,16 +698,15 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
   ASSERT_TRUE(wait.get()->has_status());
   EXPECT_WEXITSTATUS_EQ(0, wait.get()->status());
 
-  // Launch a debug container with `PRIVATE` ipc mode and 256MB /dev/shm
-  // under the first child container, check its /dev/shm size is 128MB
-  // rather than 256MB and it is in the same IPC namespace with its parent
-  // container even its ipc mode is `PRIVATE`.
+  // Launch a debug container under the first child container, check its
+  // /dev/shm size is 128MB and it is in the same IPC namespace with its
+  // parent container.
   ContainerID debugContainerId1;
   debugContainerId1.mutable_parent()->CopyFrom(childContainerId1);
   debugContainerId1.set_value(id::UUID::random().toString());
 
   containerInfo.clear_mesos();
-  containerInfo.mutable_linux_info()->set_ipc_mode(LinuxInfo::PRIVATE);
+  containerInfo.clear_linux_info();
 
   launch = containerizer.get()->launch(
       debugContainerId1,
@@ -731,16 +727,13 @@ TEST_F(NamespacesIsolatorTest, ROOT_ShareIPCNamespace)
   ASSERT_TRUE(wait.get()->has_status());
   EXPECT_WEXITSTATUS_EQ(0, wait.get()->status());
 
-  // Launch a debug container with `PRIVATE` ipc mode and 256MB /dev/shm
-  // under the second child container, check its /dev/shm size is 128MB
-  // rather than 256MB and it is in the same IPC namespace with its parent
-  // container even its ipc mode is `PRIVATE`.
+  // Launch another debug container under the second child container, check its
+  // /dev/shm size is 128MB and it is in the same IPC namespace with its parent
+  // container.
   ContainerID debugContainerId2;
   debugContainerId2.mutable_parent()->CopyFrom(childContainerId2);
   debugContainerId2.set_value(id::UUID::random().toString());
 
-  containerInfo.mutable_linux_info()->set_ipc_mode(LinuxInfo::PRIVATE);
-
   launch = containerizer.get()->launch(
       debugContainerId2,
       createContainerConfig(


[mesos] 03/03: Added a test `ROOT_DebugContainerWithPrivateIPCMode`.

Posted by gi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 02b6467f9e8035166f400e0112015ac56c9281b6
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Jul 19 15:06:08 2019 -0700

    Added a test `ROOT_DebugContainerWithPrivateIPCMode`.
    
    Review: https://reviews.apache.org/r/71122/
---
 src/tests/containerizer/isolator_tests.cpp | 53 ++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/src/tests/containerizer/isolator_tests.cpp b/src/tests/containerizer/isolator_tests.cpp
index 0cbe0fe..e442cdf 100644
--- a/src/tests/containerizer/isolator_tests.cpp
+++ b/src/tests/containerizer/isolator_tests.cpp
@@ -1121,6 +1121,59 @@ TEST_F(NamespacesIsolatorTest, ROOT_NonePrivateIPCModeWithShmSize)
 
   AWAIT_FAILED(launch);
 }
+
+
+// This test verifies that we do not support launching debug container
+// with private IPC mode.
+TEST_F(NamespacesIsolatorTest, ROOT_DebugContainerWithPrivateIPCMode)
+{
+  Try<Owned<MesosContainerizer>> containerizer =
+    createContainerizer("filesystem/linux,namespaces/ipc");
+
+  ASSERT_SOME(containerizer);
+
+  // Launch a top-level container.
+  process::Future<Containerizer::LaunchResult> launch =
+    containerizer.get()->launch(
+        containerId,
+        createContainerConfig(
+              None(),
+              createExecutorInfo("executor", "sleep 1000"),
+              directory),
+        std::map<string, string>(),
+        None());
+
+  AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
+
+  // Launch a debug container with private IPC mode under the
+  // top-level container.
+  ContainerID debugContainerId;
+  debugContainerId.mutable_parent()->CopyFrom(containerId);
+  debugContainerId.set_value(id::UUID::random().toString());
+
+  ContainerInfo containerInfo;
+  containerInfo.set_type(ContainerInfo::MESOS);
+  containerInfo.mutable_linux_info()->set_ipc_mode(LinuxInfo::PRIVATE);
+
+  launch = containerizer.get()->launch(
+      debugContainerId,
+      createContainerConfig(
+          createCommandInfo("sleep 1000"),
+          containerInfo,
+          ContainerClass::DEBUG),
+      std::map<string, string>(),
+      None());
+
+  AWAIT_FAILED(launch);
+
+  Future<Option<ContainerTermination>> termination =
+    containerizer.get()->destroy(containerId);
+
+  AWAIT_READY(termination);
+  ASSERT_SOME(termination.get());
+  ASSERT_TRUE(termination.get()->has_status());
+  EXPECT_WTERMSIG_EQ(SIGKILL, termination.get()->status());
+}
 #endif // __linux__
 
 } // namespace tests {
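Review bot: `Future<Option<ContainerTermination>> termination` near the end of the test spells the type unqualified while the launch future above it is written `process::Future<Containerizer::LaunchResult>`; both are in the same function body, so one form should be used — `process::Future<Option<ContainerTermination>> termination =` matches the neighbouring test. The top-level container is destroyed only on the final lines, so if `AWAIT_ASSERT_EQ` or `AWAIT_FAILED(launch)` fails the test returns with the `sleep 1000` container still running; unless the fixture's teardown already destroys leftover containers (not visible in the hunk), a comment noting that reliance would help the next reader. `containerId` used for the top-level launch is not declared in the hunk and is presumably a fixture member.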