You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by gi...@apache.org on 2019/05/20 22:08:14 UTC
[mesos] 05/05: Revert "Made nested contaienr can access its sandbox
via `MESOS_SANDBOX`."
This is an automated email from the ASF dual-hosted git repository.
gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit eecb82c77117998af0c67a53c64e9b1e975acfa4
Author: Gilbert Song <so...@gmail.com>
AuthorDate: Mon May 20 14:46:18 2019 -0700
Revert "Made nested contaienr can access its sandbox via `MESOS_SANDBOX`."
This reverts commit 40beae143a24a35f85b047ef8ee243581f1c3c69.
---
src/slave/containerizer/mesos/containerizer.cpp | 24 +++++++---------------
.../mesos/isolators/filesystem/linux.cpp | 23 ---------------------
2 files changed, 7 insertions(+), 40 deletions(-)
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index c4a6827..0432448 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1837,25 +1837,15 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
if (container->containerClass() == ContainerClass::DEFAULT) {
// TODO(jieyu): Consider moving this to filesystem isolator.
//
- // NOTE: For the command executor case, although it uses the host filesystem
- // for itself, we still set `MESOS_SANDBOX` according to the root filesystem
- // of the task (if specified). Command executor itself does not use this
- // environment variable. For nested container which does not have its own
- // rootfs, if the `filesystem/linux` isolator is enabled, we will also set
- // `MESOS_SANDBOX` to `flags.sandbox_directory` since in `prepare` method
- // of the `filesystem/linux` isolator we bind mount such nested container's
- // sandbox to `flags.sandbox_directory`. Since such bind mount is only done
- // by the `filesystem/linux` isolator, if another filesystem isolator (e.g.,
- // `filesystem/posix`) is enabled instead, nested container may still have
- // no permission to access its sandbox via `MESOS_SANDBOX`.
+ // NOTE: For the command executor case, although it uses the host
+ // filesystem for itself, we still set 'MESOS_SANDBOX' according to
+ // the root filesystem of the task (if specified). Command executor
+ // itself does not use this environment variable.
Environment::Variable* variable = containerEnvironment.add_variables();
variable->set_name("MESOS_SANDBOX");
- variable->set_value(
- (container->config->has_rootfs() ||
- (strings::contains(flags.isolation, "filesystem/linux") &&
- containerId.has_parent()))
- ? flags.sandbox_directory
- : container->config->directory());
+ variable->set_value(container->config->has_rootfs()
+ ? flags.sandbox_directory
+ : container->config->directory());
}
// `launchInfo.environment` contains the environment returned by
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
index 7b50258..725754f 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
@@ -502,16 +502,6 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(
containersRuntimeDir + "': " + mkdir.error());
}
- // Create sandbox directory. We will bind mount the sandbox of nested
- // container which does not have its own rootfs to this directory. See
- // `prepare` for details.
- mkdir = os::mkdir(flags.sandbox_directory);
- if (mkdir.isError()) {
- return Error(
- "Failed to create sandbox directory at '" +
- flags.sandbox_directory + "': " + mkdir.error());
- }
-
Try<Nothing> containersDirMount = ensureAllowDevices(containersRuntimeDir);
if (containersDirMount.isError()) {
return Error(containersDirMount.error());
@@ -754,19 +744,6 @@ Future<Option<ContainerLaunchInfo>> LinuxFilesystemIsolatorProcess::prepare(
*launchInfo.add_mounts() = createContainerMount(
containerConfig.directory(), sandbox, MS_BIND | MS_REC);
- } else if (containerId.has_parent()) {
- // For nested container which does not have its own rootfs, bind mount its
- // sandbox to the directory specified via `flags.sandbox_directory` (e.g.,
- // `/mnt/mesos/sandbox`) in its own mount namespace and set the environment
- // variable `MESOS_SANDBOX` to `flags.sandbox_directory` (see the `_launch`
- // method of `MesosContainerizerProcess` for details). The reason that we do
- // this is, in MESOS-8332 we narrowed task sandbox permissions from 0755 to
- // 0750, since nested container's sandbox is subdirectory under its parent's
- // sandbox, if we still set `MESOS_SANDBOX` to `containerConfig.directory()`
- // for nested container, it will not have permission to access its sandbox
- // via `MESOS_SANDBOX` if its user is different from its parent's user.
- *launchInfo.add_mounts() = createContainerMount(
- containerConfig.directory(), flags.sandbox_directory, MS_BIND | MS_REC);
}
// Currently, we only need to update resources for top level containers.