Posted to reviews@mesos.apache.org by Chun-Hung Hsiao <ch...@mesosphere.io> on 2017/05/03 22:07:46 UTC
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated May 3, 2017, 10:07 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Added checks for 'linux' launcher dependencies.
Summary (updated)
-----------------
Filesystem isolation check for Mesos image provisioner.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description (updated)
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp b58baed64480e22f640a4852537f85922ed382ae
src/slave/containerizer/mesos/provisioner/provisioner.cpp be45fc59027f176b43b767e9441fd8089ceec7b4
Diff: https://reviews.apache.org/r/58939/diff/2/
Changes: https://reviews.apache.org/r/58939/diff/1-2/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181526
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58939]
Passed command: support\windows-build.bat
- Mesos Reviewbot Windows
On July 27, 2017, 2:40 a.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated July 27, 2017, 2:40 a.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 9376d14d66f5dc7e91c7c0e9da253f5eb9347539
> src/slave/containerizer/mesos/provisioner/store.cpp cc5cc81e05f29bb0e11ffa13cdb8d63d4397114f
>
>
> Diff: https://reviews.apache.org/r/58939/diff/8/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review182054
-----------------------------------------------------------
Fix it, then Ship it!
src/slave/containerizer/mesos/containerizer.cpp
Lines 244-249 (patched)
<https://reviews.apache.org/r/58939/#comment257872>
On second thought, let's not change it for now. I made the change in commit.
- Gilbert Song
On July 26, 2017, 7:40 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated July 26, 2017, 7:40 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 9376d14d66f5dc7e91c7c0e9da253f5eb9347539
> src/slave/containerizer/mesos/provisioner/store.cpp cc5cc81e05f29bb0e11ffa13cdb8d63d4397114f
>
>
> Diff: https://reviews.apache.org/r/58939/diff/8/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated July 27, 2017, 2:40 a.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Fixed a typo.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp 9376d14d66f5dc7e91c7c0e9da253f5eb9347539
src/slave/containerizer/mesos/provisioner/store.cpp cc5cc81e05f29bb0e11ffa13cdb8d63d4397114f
Diff: https://reviews.apache.org/r/58939/diff/8/
Changes: https://reviews.apache.org/r/58939/diff/7-8/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181508
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58939]
Passed command: support\windows-build.bat
- Mesos Reviewbot Windows
On July 26, 2017, 11:29 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated July 26, 2017, 11:29 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 9376d14d66f5dc7e91c7c0e9da253f5eb9347539
> src/slave/containerizer/mesos/provisioner/store.cpp cc5cc81e05f29bb0e11ffa13cdb8d63d4397114f
>
>
> Diff: https://reviews.apache.org/r/58939/diff/7/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated July 26, 2017, 11:29 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Addressed Gilbert's comments and rebased.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp 9376d14d66f5dc7e91c7c0e9da253f5eb9347539
src/slave/containerizer/mesos/provisioner/store.cpp cc5cc81e05f29bb0e11ffa13cdb8d63d4397114f
Diff: https://reviews.apache.org/r/58939/diff/7/
Changes: https://reviews.apache.org/r/58939/diff/6-7/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review174425
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58939]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On May 9, 2017, 8:08 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 9, 2017, 8:08 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
> src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
> src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/6/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
> On July 20, 2017, 8:19 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Lines 1112-1126 (patched)
> > <https://reviews.apache.org/r/58939/diff/6/?file=1711635#file1711635line1112>
> >
> > I don't like the checks here, since we have the following case:
> >
> > what if we have a task with volumes specified in its containerinfo but no image?
> >
> > Let's add `filesystem/isolator` check at docker::store::create().
Based on our discussion, let's put the checks in `MesosContainerizer::create()`.
> On July 20, 2017, 8:19 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/isolators/docker/runtime.cpp
> > Lines 70-79 (patched)
> > <https://reviews.apache.org/r/58939/diff/6/?file=1711636#file1711636line70>
> >
> > Basically we don't add isolator dependencies inside of any isolator, nor the launcher since the launcher is supposed to be a component for containerizer.
Should I move this check into `MesosContainerizer::create()` or just remove it, since we already plan to check these two conditions when `--image_provider` is set?
- Chun-Hung
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181016
-----------------------------------------------------------
On May 9, 2017, 6:08 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 9, 2017, 6:08 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
> src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
> src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/6/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
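As an added illustration (not code from the review or from Mesos), here is a stand-alone sketch of the start-up check this thread converges on: reject an agent configuration that enables image support without the 'filesystem/linux' isolator and the 'linux' launcher. `AgentConfig`, `splitList` and `validateImageSupport` are hypothetical names, and the launcher message wording is an assumption modelled on the isolator message proposed in the review.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for the three agent settings discussed in the thread.
struct AgentConfig {
  std::string isolation;        // comma-separated isolator names
  std::string launcher;         // "linux" or "posix"
  std::string image_providers;  // empty means image support is off
};

// Split a comma-separated flag value, trimming blanks and dropping empties,
// so "filesystem/linux, docker/runtime" is handled like the unspaced form.
static std::set<std::string> splitList(const std::string& value) {
  std::set<std::string> items;
  std::stringstream stream(value);
  std::string item;
  while (std::getline(stream, item, ',')) {
    const std::string::size_type first = item.find_first_not_of(" \t");
    if (first == std::string::npos) continue;
    const std::string::size_type last = item.find_last_not_of(" \t");
    items.insert(item.substr(first, last - first + 1));
  }
  return items;
}

// Returns one message per unmet dependency; an empty result means the
// configuration may start. Image support counts as requested when image
// providers are configured or the 'docker/runtime' isolator is enabled.
std::vector<std::string> validateImageSupport(const AgentConfig& config) {
  const std::set<std::string> isolators = splitList(config.isolation);
  const bool wantsImages =
      !splitList(config.image_providers).empty() ||
      isolators.count("docker/runtime") > 0;

  std::vector<std::string> errors;
  if (!wantsImages) return errors;

  // 'filesystem/posix' does not satisfy this: only 'filesystem/linux' counts.
  if (isolators.count("filesystem/linux") == 0) {
    errors.push_back(
        "The 'filesystem/linux' isolator must be enabled for container "
        "images support.");
  }
  if (config.launcher != "linux") {
    errors.push_back(
        "The 'linux' launcher must be used for container images support.");
  }
  return errors;
}

int main() {
  // Constructed sample: image support on, but neither dependency is met.
  const AgentConfig weak{"filesystem/posix,docker/runtime", "posix", "docker"};
  for (const std::string& error : validateImageSupport(weak)) {
    std::cerr << "Refusing to start: " << error << std::endl;
  }
  return validateImageSupport(weak).empty() ? 0 : 1;
}
```

In this sketch the check looks only at the agent configuration, so a configuration without image support passes regardless of what individual tasks request.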
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181016
-----------------------------------------------------------
src/slave/containerizer/mesos/containerizer.cpp
Lines 1112-1126 (patched)
<https://reviews.apache.org/r/58939/#comment256447>
I don't like the checks here, since we have the following case:
what if we have a task with volumes specified in its containerinfo but no image?
Let's add `filesystem/isolator` check at docker::store::create().
src/slave/containerizer/mesos/containerizer.cpp
Lines 1113 (patched)
<https://reviews.apache.org/r/58939/#comment256439>
s/is/are/g
src/slave/containerizer/mesos/containerizer.cpp
Lines 1114 (patched)
<https://reviews.apache.org/r/58939/#comment256440>
s/to create a new mount namespace/to support container images/g
src/slave/containerizer/mesos/containerizer.cpp
Lines 1118-1119 (patched)
<https://reviews.apache.org/r/58939/#comment256441>
I would prefer:
The 'filesystem/linux' isolator must be enabled for container images support.
src/slave/containerizer/mesos/containerizer.cpp
Lines 1123-1124 (patched)
<https://reviews.apache.org/r/58939/#comment256442>
Ditto.
src/slave/containerizer/mesos/isolators/docker/runtime.cpp
Lines 70-79 (patched)
<https://reviews.apache.org/r/58939/#comment256449>
Basically we don't add isolator dependencies inside of any isolator, nor the launcher since the launcher is supposed to be a component for containerizer.
src/slave/containerizer/mesos/isolators/docker/runtime.cpp
Lines 71 (patched)
<https://reviews.apache.org/r/58939/#comment256443>
"The 'filesystem/linux' isolator ..."
src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 231 (patched)
<https://reviews.apache.org/r/58939/#comment256450>
No dependency on linux filesystem isolation.
src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 386 (patched)
<https://reviews.apache.org/r/58939/#comment256451>
Ditto.
src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 487 (patched)
<https://reviews.apache.org/r/58939/#comment256452>
Ditto.
src/tests/containerizer/docker_volume_isolator_tests.cpp
Lines 685 (patched)
<https://reviews.apache.org/r/58939/#comment256453>
Ditto.
src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 906-911 (original), 914-930 (patched)
<https://reviews.apache.org/r/58939/#comment256454>
No need to change this test if you do the check in docker store create().
src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 997-999 (original), 1016-1029 (patched)
<https://reviews.apache.org/r/58939/#comment256455>
Ditto.
src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 1087-1089 (original), 1117-1130 (patched)
<https://reviews.apache.org/r/58939/#comment256456>
Ditto.
- Gilbert Song
On May 9, 2017, 11:08 a.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 9, 2017, 11:08 a.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
> src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
> src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/6/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review181487
-----------------------------------------------------------
Bad patch!
Reviews applied: [58939]
Failed command: python support/apply-reviews.py -n -r 58939
Error:
error: patch failed: src/slave/containerizer/mesos/containerizer.cpp:1109
error: src/slave/containerizer/mesos/containerizer.cpp: patch does not apply
Full log: http://mesos-winbot.westus.cloudapp.azure.com/logs/202/console
- Mesos Reviewbot Windows
On May 9, 2017, 6:08 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 9, 2017, 6:08 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
> src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
> src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/6/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated May 9, 2017, 6:08 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Changed the unit tests requiring the linux launcher to root tests.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
Diff: https://reviews.apache.org/r/58939/diff/6/
Changes: https://reviews.apache.org/r/58939/diff/5-6/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated May 8, 2017, 9:43 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
Diff: https://reviews.apache.org/r/58939/diff/5/
Changes: https://reviews.apache.org/r/58939/diff/4-5/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated May 8, 2017, 7:03 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Addressed Jie's comment.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp 58ab74571fb14c6dbb1907151dc421f93e324bb5
src/slave/containerizer/mesos/isolators/docker/runtime.cpp 2a6e0b179394e0485d2495ceb4bbbcb184af08fe
src/tests/containerizer/docker_volume_isolator_tests.cpp b47a6b5081a63ac474ac4634701b1a572eb58137
src/tests/containerizer/mesos_containerizer_tests.cpp 13e0f7e603a3ffdd0965b253d7abfe6a069cd2b4
Diff: https://reviews.apache.org/r/58939/diff/4/
Changes: https://reviews.apache.org/r/58939/diff/3-4/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review174123
-----------------------------------------------------------
Bad patch!
Reviews applied: [58939]
Failed command: python support/apply-reviews.py -n -r 58939
Error:
2017-05-07 03:00:19 URL:https://reviews.apache.org/r/58939/diff/raw/ [2628/2628] -> "58939.patch" [1]
error: patch failed: src/slave/containerizer/mesos/provisioner/provisioner.cpp:218
error: src/slave/containerizer/mesos/provisioner/provisioner.cpp: patch does not apply
Full log: https://builds.apache.org/job/Mesos-Reviewbot/17979/console
- Mesos Reviewbot
On May 5, 2017, 6:07 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 5, 2017, 6:07 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp b58baed64480e22f640a4852537f85922ed382ae
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 08350e638a0f20746e369cdc78c96126f2e1df3f
> src/slave/containerizer/mesos/provisioner/provisioner.cpp be45fc59027f176b43b767e9441fd8089ceec7b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/3/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Jie Yu <yu...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review174106
-----------------------------------------------------------
src/slave/containerizer/mesos/containerizer.cpp
Lines 1162-1172 (patched)
<https://reviews.apache.org/r/58939/#comment247209>
Why do this check after the rootfs has been provisioned? I'd prefer if we can check before provisioning the fs.
- Jie Yu
On May 5, 2017, 6:07 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 5, 2017, 6:07 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp b58baed64480e22f640a4852537f85922ed382ae
> src/slave/containerizer/mesos/isolators/docker/runtime.cpp 08350e638a0f20746e369cdc78c96126f2e1df3f
> src/slave/containerizer/mesos/provisioner/provisioner.cpp be45fc59027f176b43b767e9441fd8089ceec7b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/3/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/
-----------------------------------------------------------
(Updated May 5, 2017, 6:07 p.m.)
Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
Changes
-------
Move the checks for 'docker/runtime' into `DockerRuntimeIsolatorProcess::create()`.
Bugs: mesos-7374
https://issues.apache.org/jira/browse/mesos-7374
Repository: mesos
Description
-------
Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
launcher is used when launching a mesos containerizer with an image
under Linux. This prevents the executor from messing up with the host
filesystem. The check is in `MesosContainerizerProcess::prepare()`
after provisioning and before launching, since provisioning itself
does not depend on the filesystem isolator.
Also checked that the 'filesystem/linux' is enabled and the 'linux'
launcher is used when enabling the 'docker/runtime' isolator.
Diffs (updated)
-----
src/slave/containerizer/mesos/containerizer.cpp b58baed64480e22f640a4852537f85922ed382ae
src/slave/containerizer/mesos/isolators/docker/runtime.cpp 08350e638a0f20746e369cdc78c96126f2e1df3f
src/slave/containerizer/mesos/provisioner/provisioner.cpp be45fc59027f176b43b767e9441fd8089ceec7b4
Diff: https://reviews.apache.org/r/58939/diff/3/
Changes: https://reviews.apache.org/r/58939/diff/2-3/
Testing
-------
sudo make check
Manually tested on a simplified case of mesos-7374.
Thanks,
Chun-Hung Hsiao
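
Added example, not part of the review thread or of the Mesos patch: a self-contained C++ sketch of the check the description outlines, placed before provisioning as the review comment asks, so that a rejected launch leaves no rootfs behind. `AgentFlags`, `parseIsolators`, `checkImageSupport`, `LaunchResult` and `launch` are hypothetical names, and provisioning is reduced to a flag; only the 'filesystem/linux' isolator and 'linux' launcher names come from the thread.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Hypothetical stand-in for the two agent flags the check depends on.
struct AgentFlags {
  std::string isolation;  // --isolation, comma-separated isolator names
  std::string launcher;   // --launcher, "linux" or "posix"
};

// Splits the --isolation value into exact isolator names (no prefix matching).
std::set<std::string> parseIsolators(const std::string& isolation) {
  std::set<std::string> names;
  std::stringstream stream(isolation);
  std::string name;
  while (std::getline(stream, name, ','))
    if (!name.empty()) names.insert(name);
  return names;
}

// Returns "" when a container with an image may launch, else the reason not.
std::string checkImageSupport(const AgentFlags& flags) {
  if (parseIsolators(flags.isolation).count("filesystem/linux") == 0) {
    return "'filesystem/linux' isolator is not enabled";
  }
  if (flags.launcher != "linux") {
    return "'linux' launcher is not used";
  }
  return "";
}

struct LaunchResult { bool provisioned; bool launched; std::string error; };

// Validates first, so a rejected launch leaves no provisioned rootfs behind.
LaunchResult launch(const AgentFlags& flags, bool hasImage) {
  LaunchResult result{false, false, ""};
  if (hasImage) {
    result.error = checkImageSupport(flags);
    if (!result.error.empty()) return result;  // fail closed
    result.provisioned = true;  // stand-in for the real provisioning step
  }
  result.launched = true;
  return result;
}

int main() {
  // Constructed input: 'docker/runtime' enabled without 'filesystem/linux'.
  LaunchResult r = launch({"cgroups/cpu,docker/runtime", "linux"}, true);
  std::cout << (r.launched ? "launched" : "rejected: " + r.error) << "\n";
}
```
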
Re: Review Request 58939: Filesystem isolation check for Mesos image
provisioner.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58939/#review173890
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58939]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On May 3, 2017, 10:07 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58939/
> -----------------------------------------------------------
>
> (Updated May 3, 2017, 10:07 p.m.)
>
>
> Review request for mesos, Anand Mazumdar, Gilbert Song, and Jie Yu.
>
>
> Bugs: mesos-7374
> https://issues.apache.org/jira/browse/mesos-7374
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Checked if the 'filesystem/linux' isolator is enabled and the 'linux'
> launcher is used when launching a mesos containerizer with an image
> under Linux. This prevents the executor from messing up with the host
> filesystem. The check is in `MesosContainerizerProcess::prepare()`
> after provisioning and before launching, since provisioning itself
> does not depend on the filesystem isolator.
>
> Also checked that the 'filesystem/linux' is enabled and the 'linux'
> launcher is used when enabling the 'docker/runtime' isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp b58baed64480e22f640a4852537f85922ed382ae
> src/slave/containerizer/mesos/provisioner/provisioner.cpp be45fc59027f176b43b767e9441fd8089ceec7b4
>
>
> Diff: https://reviews.apache.org/r/58939/diff/2/
>
>
> Testing
> -------
>
> sudo make check
> Manually tested on a simplified case of mesos-7374.
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>