Posted to reviews@aurora.apache.org by Jason Lai <ja...@jasonlai.net> on 2017/06/08 00:13:45 UTC

Re: Review Request 57524: Support setting the rootfs on Mesos Containers.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57524/#review177260
-----------------------------------------------------------


Ship it!




Can we get unblocked on this patch? We found it necessary for our setup at Uber, particularly in the case of executing into the container of an existing task.

The problem we run into is that the container launched ad-hoc from the `taskfs` is not tracked by the Mesos agent, but by the executor itself. When attaching into a task with the 1.2 API, the debugger shell ends up accessing the root FS of the host, which is not desirable and also poses security risks.

- Jason Lai


On March 13, 2017, 4:36 p.m., Zameer Manji wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57524/
> -----------------------------------------------------------
> 
> (Updated March 13, 2017, 4:36 p.m.)
> 
> 
> Review request for Aurora, Santhosh Kumar Shanmugham and Stephan Erb.
> 
> 
> Bugs: AURORA-1903
>     https://issues.apache.org/jira/browse/AURORA-1903
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> The mesos unified containerizer does not support absolute container path mounts if no rootfs is set. This allows operators to switch between our current behaviour (mounting images as a volume) and setting the rootfs. See AURORA-1903 for more detailed analysis.
> 
> 
> Diffs
> -----
> 
>   src/main/java/org/apache/aurora/scheduler/base/TaskTestUtil.java f0b148cd158d61cd89cc51dca9f3fa4c6feb1b49 
>   src/main/java/org/apache/aurora/scheduler/configuration/executor/ExecutorModule.java 4dac9757a65e144142d36ee921b85a02a5311fe5 
>   src/main/java/org/apache/aurora/scheduler/configuration/executor/ExecutorSettings.java 5c987fd051728486172c8afd34219e86d56f00d5 
>   src/main/java/org/apache/aurora/scheduler/mesos/MesosTaskFactory.java 0d639f66db456858278b0485c91c40975c3b45ac 
>   src/main/java/org/apache/aurora/scheduler/mesos/TestExecutorSettings.java e1cd81e6fbd98f23046e6e775be268be4310c62a 
>   src/test/java/org/apache/aurora/scheduler/mesos/MesosTaskFactoryImplTest.java 93cc34cf8393f969087cd0fd6f577228c00170e9 
> 
> 
> Diff: https://reviews.apache.org/r/57524/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Zameer Manji
> 
>


Re: Review Request 57524: Support setting the rootfs on Mesos Containers.

Posted by Jason Lai <ja...@jasonlai.net>.

> On June 8, 2017, 12:13 a.m., Jason Lai wrote:
> > Can we get unblocked on this patch? We found it necessary for our setup at Uber, particularly in the case of executing into the container of an existing task.
> > 
> > The problem we run into is that the container launched ad-hoc from the `taskfs` is not tracked by the Mesos agent, but by the executor itself. When attaching into a task with the 1.2 API, the debugger shell ends up accessing the root FS of the host, which is not desirable and also poses security risks.

Also, the container launched by the Thermos executor doesn't include the common CGroup FS mounts under `/sys/fs/cgroup`, which some of our services rely on for inspecting the CPU quota applied to their containers.


- Jason

