Posted to reviews@mesos.apache.org by Andrei Budnik <ab...@mesosphere.com> on 2018/08/06 13:39:34 UTC

Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher. (WIP)

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/
-----------------------------------------------------------

(Updated Aug. 6, 2018, 1:39 p.m.)


Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.


Bugs: MESOS-9106
    https://issues.apache.org/jira/browse/MESOS-9106


Repository: mesos


Description
-------

The containerizer launcher creates an instance of `SeccompFilter`, which is
used to set up a Seccomp profile using the `ContainerSeccompProfile` message
prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
right before calling `execve()`, so that a container will be running
with syscall filtering enabled.


Diffs
-----

  src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 


Diff: https://reviews.apache.org/r/68022/diff/1/


Testing
-------


Thanks,

Andrei Budnik


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Andrei Budnik <ab...@mesosphere.com>.

> On Dec. 27, 2018, 9:16 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 1196-1197 (patched)
> > <https://reviews.apache.org/r/68022/diff/7/?file=2110527#file2110527line1198>
> >
> >     Hmm, this seems unfortunate. Will it cause the container to fail to launch?

Since the containerizer launcher is not multithreaded, there is no chance that malloc's global mutex is acquired by another thread at the moment when the main thread calls `fork()`. So, it's safe to call `malloc` after forking a child process.

Currently, the only way to load a Seccomp filter via `libseccomp` is to call `seccomp_load`. When libseccomp developers add a new API call, we should use the new one instead of `seccomp_load`.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/8/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------




src/slave/containerizer/mesos/launch.cpp
Lines 1196-1197 (patched)
<https://reviews.apache.org/r/68022/#comment296871>

    Hmm, this seems unfortunate. Will it cause the container to fail to launch?



src/slave/containerizer/mesos/launch.cpp
Lines 1198 (patched)
<https://reviews.apache.org/r/68022/#comment296870>

    We can just use `seccompFilter->load()`.


- Qian Zhang


On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 9:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 882bcdf89e2b0cca3d3f62e6d017849a51ceaead 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/7/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210419
-----------------------------------------------------------



Bad patch!

Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]

Failed command: /usr/bin/python3 support/apply-reviews.py -n -r 67844

Error:
2018-11-08 18:16:55 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply

Full log: https://builds.apache.org/job/Mesos-Reviewbot/23543/console

- Mesos Reviewbot


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212371
-----------------------------------------------------------


Ship it!




Ship It!

- Gilbert Song


On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 6:39 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/10/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212210
-----------------------------------------------------------


Fix it, then Ship it!





src/slave/containerizer/mesos/launch.cpp
Lines 501 (patched)
<https://reviews.apache.org/r/68022/#comment297920>

    Pass a pointer instead?


- Gilbert Song


On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 6:39 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/9/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210417
-----------------------------------------------------------



FAIL: Failed to apply the dependent review: 67844.

Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`

All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2584/mesos-review-68022

Relevant logs:

- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2584/mesos-review-68022/logs/apply-review-67844.log):

```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```

- Mesos Reviewbot Windows


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review206965
-----------------------------------------------------------



Bad patch!

Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]

Failed command: python support/apply-reviews.py -n -r 67844

Error:
The support scripts will be upgraded to Python 3 by July 1st.
Make sure to install Python 3.6 on your machine before.
2018-08-08 02:26:55 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply

Full log: https://builds.apache.org/job/Mesos-Reviewbot/23011/console

- Mesos Reviewbot


On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 9:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Gilbert Song <so...@gmail.com>.

> On Jan. 22, 2019, 12:31 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Line 945 (original), 1028 (patched)
> > <https://reviews.apache.org/r/68022/diff/9/?file=2120371#file2120371line1030>
> >
> >     So we call `calculateCapabilities` twice in this file, can we merge them into one?

I think it is because `setuid` would mutate the effective CAP and we do need to pass the capabilities to `SeccompFilter::create()`.


- Gilbert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212191
-----------------------------------------------------------


On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 6:39 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/9/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212191
-----------------------------------------------------------




src/slave/containerizer/mesos/launch.cpp
Line 945 (original), 1028 (patched)
<https://reviews.apache.org/r/68022/#comment297873>

    So we call `calculateCapabilities` twice in this file, can we merge them into one?


- Qian Zhang


On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 9:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/9/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review206922
-----------------------------------------------------------



FAIL: Failed to apply the dependent review: 67844.

Failed command: `python.exe .\support\python3\apply-reviews.py -n -r 67844`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2106/mesos-review-68022

Relevant logs:

- [apply-review-67844.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2106/mesos-review-68022/logs/apply-review-67844.log):

```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```

- Mesos Reviewbot Windows


On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 6:39 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review209904
-----------------------------------------------------------



Bad patch!

Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]

Failed command: /usr/bin/python3 support/apply-reviews.py -n -r 67844

Error:
2018-10-22 22:52:21 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply

Full log: https://builds.apache.org/job/Mesos-Reviewbot/23502/console

- Mesos Reviewbot


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review209888
-----------------------------------------------------------



FAIL: Failed to apply the dependent review: 67844.

Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`

All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2510/mesos-review-68022

Relevant logs:

- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2510/mesos-review-68022/logs/apply-review-67844.log):

```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```

- Mesos Reviewbot Windows


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211988
-----------------------------------------------------------


Ship it!




Ship It!

- Qian Zhang


On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 9:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/8/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>


Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210549
-----------------------------------------------------------



FAIL: Failed to apply the dependent review: 67844.

Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`

All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2599/mesos-review-68022

Relevant logs:

- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2599/mesos-review-68022/logs/apply-review-67844.log):

```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```

- Mesos Reviewbot Windows


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 882bcdf89e2b0cca3d3f62e6d017849a51ceaead 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>