Posted to commits@mesos.apache.org by al...@apache.org on 2016/08/28 15:04:03 UTC
[03/10] mesos git commit: Unshared the mount namespace when launching
mesos-containerizer.
Unshared the mount namespace when launching mesos-containerizer.
When launching a task from the mesos-executor, ensure that the mount
namespace is not shared between the task and the executor if the task
specifies rootfs. Otherwise, `pivot_root` in the mesos-containerizer
binary would affect the mount namespace of the executor and possibly
prevent it from accessing some binaries or libraries.
Review: https://reviews.apache.org/r/51266/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/564eda0a
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/564eda0a
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/564eda0a
Branch: refs/heads/master
Commit: 564eda0a5bbb74a9a6b2b8dfdc4f34c0a213d3c6
Parents: 537584c
Author: haosdent huang <ha...@gmail.com>
Authored: Fri Aug 26 16:31:07 2016 +0200
Committer: Alexander Rukletsov <al...@apache.org>
Committed: Sun Aug 28 16:31:54 2016 +0200
----------------------------------------------------------------------
src/launcher/posix/executor.cpp | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/564eda0a/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index 50b9b30..7c40ebe 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -60,6 +60,9 @@ pid_t launchTaskPosix(
const Option<string>& sandboxDirectory,
const Option<string>& workingDirectory)
{
+ // Prepare the flags to pass to the launch process.
+ MesosContainerizerLaunch::Flags launchFlags;
+
if (rootfs.isSome()) {
// The command executor is responsible for chrooting into the
// root filesystem and changing the user before exec-ing the
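Review bot: The comment `// Prepare the flags to pass to the launch process.` moved to the top of the function with the `launchFlags` declaration, but the flags are still filled in after the rootfs block (`launchFlags.command = ...` in the second hunk), so the comment no longer sits beside the code it describes. I would give the hoisted declaration its own comment, `// Declared before the rootfs check because that branch sets unshare_namespace_mnt.`, and keep the original comment above the assignments. The body of launchTaskPosix starts and ends outside this hunk.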
@@ -73,14 +76,16 @@ pid_t launchTaskPosix(
} else if (_user.get() != "root") {
ABORT("The command executor requires root with rootfs");
}
+
+ // Ensure that mount namespace of the executor is not affected by
+ // changes in its task's namespace induced by calling `pivot_root`
+ // as part of the task setup in mesos-containerizer binary.
+ launchFlags.unshare_namespace_mnt = true;
#else
ABORT("Not expecting root volume with non-linux platform");
#endif // __linux__
}
- // Prepare the flags to pass to the launch process.
- MesosContainerizerLaunch::Flags launchFlags;
-
launchFlags.command = JSON::protobuf(command);
if (rootfs.isSome()) {
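Review bot: The new comment above `launchFlags.unshare_namespace_mnt = true;` promises that the executor's mount namespace is unaffected, but unsharing alone does not guarantee that. A new mount namespace inherits each mount's propagation type, so where the host's root mount is shared, mount and unmount events made during task setup can still propagate back unless those mounts are first marked slave or private. Whether the mesos-containerizer launch helper does that remount is not visible in this hunk, so the comment should name the dependency, for example `// Relies on the launch helper marking mounts slave/private after the unshare.` The flag is set only inside the `rootfs.isSome()` branch, so tasks without a rootfs keep sharing the executor's namespace; that matches the commit message and is worth stating in the comment. The enclosing function continues outside the hunk.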