Posted to commits@mesos.apache.org by ji...@apache.org on 2017/07/01 00:23:29 UTC

[3/7] mesos git commit: Allow frameworks to specify the capabilities bounding set.

Allow frameworks to specify the capabilities bounding set.

Allow frameworks to specify the capabilities bounding set in the
LinuxInfo message. We need to explicitly make sure that this does
not exceed the bounding set specified by the operator, since that
is the outer limit of allowed privilege.

Review: https://reviews.apache.org/r/60411/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/508f73e3
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/508f73e3
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/508f73e3

Branch: refs/heads/master
Commit: 508f73e3b45bc6003d1ba862842aea34b0be6735
Parents: d197be3
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:29 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:29 2017 -0700

----------------------------------------------------------------------
 .../mesos/isolators/linux/capabilities.cpp      | 33 ++++++++++++++------
 1 file changed, 23 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/508f73e3/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
index ff7b9f1..5c79619 100644
--- a/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
+++ b/src/slave/containerizer/mesos/isolators/linux/capabilities.cpp
@@ -86,13 +86,16 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
   // that the effective set is at least as restrictive as the
   // bounding set.
   if (containerConfig.has_container_info() &&
-      containerConfig.container_info().has_linux_info() &&
-      containerConfig.container_info().linux_info().has_capability_info()) {
-    effective =
-      containerConfig.container_info().linux_info().capability_info();
+      containerConfig.container_info().has_linux_info()) {
+    const auto& linuxInfo = containerConfig.container_info().linux_info();
 
-    // TODO(jpeach): MESOS-7671: Let the framework specify a bounding
-    // capability set too.
+    if (linuxInfo.has_capability_info()) {
+      effective = linuxInfo.capability_info();
+    }
+
+    if (linuxInfo.has_bounding_capabilities()) {
+      bounding = linuxInfo.bounding_capabilities();
+    }
   }
 
   // If the framework didn't specify, use the operator effective set.
@@ -100,8 +103,19 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
     effective = flags.effective_capabilities;
   }
 
-  // TODO(jpeach): MESOS-7671: If the framework specified a bounding set,
-  // test it against flags.bounding_capabilities.
+  // If the framework specified a bounding set, test it against
+  // flags.bounding_capabilities since that defines the limits of
+  // what the operator is willing to allow.
+  if (bounding.isSome() && flags.bounding_capabilities.isSome()) {
+    const set<Capability> requested = convert(bounding.get());
+    const set<Capability> allowed = convert(flags.bounding_capabilities.get());
+
+    if ((requested & allowed).size() != requested.size()) {
+      return Failure(
+          "Bounding capabilities '" + stringify(requested) + "', "
+          "but only '" + stringify(allowed) + "' are allowed");
+    }
+  }
 
   // If the framework didn't specify, use the operator bounding set and fall
   // back to the effective set if necessary.
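Review bot: The guard on the new `if` requires `flags.bounding_capabilities.isSome()`, so when the operator has not configured a bounding set a framework-supplied bounding set is accepted without being compared to anything here, not even to the operator's effective set; that is presumably the intended "no operator limit" semantics, but the comment above it only describes the checked case, so a second sentence like `// If the operator did not configure a bounding set, the framework's request is not limited here.` would make that explicit for the next reader. The failure text on the two string lines reads as if the requested set were already in force; `"Bounding capabilities '" + stringify(requested) + "' requested, but only '" + stringify(allowed) + "' are allowed"` says what was asked for versus what the agent permits. The subset test written as `(requested & allowed).size() != requested.size()` is correct; `std::includes` over the two sorted sets would state the intent without the intersection temporary, but that is a style choice. The enclosing `prepare()` begins before this hunk and continues after it.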
@@ -113,8 +127,7 @@ Future<Option<ContainerLaunchInfo>> LinuxCapabilitiesIsolatorProcess::prepare(
     bounding = effective;
   }
 
-  // If the operator specified a bounding set, require effective task
-  // capabilities to be within that set.
+  // Require the effective task capabilities to be within the bounding set.
   if (effective.isSome()) {
     CHECK_SOME(bounding);