Posted to reviews@mesos.apache.org by Andrei Budnik <ab...@mesosphere.com> on 2018/08/06 13:39:34 UTC
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher. (WIP)
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/
-----------------------------------------------------------
(Updated Aug. 6, 2018, 1:39 p.m.)
Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
Bugs: MESOS-9106
https://issues.apache.org/jira/browse/MESOS-9106
Repository: mesos
Description
-------
Containerizer launcher creates an instance of `SeccompFilter`, which is
used to set up a Seccomp profile using the `ContainerSeccompProfile` message
prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
right before calling `execve()`, so that a container will be running
with syscall filtering enabled.
Diffs
-----
src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
Diff: https://reviews.apache.org/r/68022/diff/1/
Testing
-------
Thanks,
Andrei Budnik
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Andrei Budnik <ab...@mesosphere.com>.
> On Dec. 27, 2018, 9:16 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 1196-1197 (patched)
> > <https://reviews.apache.org/r/68022/diff/7/?file=2110527#file2110527line1198>
> >
> > Hmm, this seems unfortunate, will it cause the container to fail to launch?
Since the containerizer launcher is not multithreaded, there is no chance that malloc's global mutex is acquired by another thread at the moment when the main thread calls `fork()`. So, it's safe to call `malloc` after forking a child process.
Currently, the only way to load a Seccomp filter via `libseccomp` is to call `seccomp_load`. When libseccomp developers add a new API call, we should use the new one instead of `seccomp_load`.
- Andrei
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/8/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp
Lines 1196-1197 (patched)
<https://reviews.apache.org/r/68022/#comment296871>
Hmm, this seems unfortunate, will it cause the container to fail to launch?
src/slave/containerizer/mesos/launch.cpp
Lines 1198 (patched)
<https://reviews.apache.org/r/68022/#comment296870>
We can just use `seccompFilter->load()`.
- Qian Zhang
On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 9:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 882bcdf89e2b0cca3d3f62e6d017849a51ceaead
>
>
> Diff: https://reviews.apache.org/r/68022/diff/7/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210419
-----------------------------------------------------------
Bad patch!
Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]
Failed command: /usr/bin/python3 support/apply-reviews.py -n -r 67844
Error:
2018-11-08 18:16:55 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
Full log: https://builds.apache.org/job/Mesos-Reviewbot/23543/console
- Mesos Reviewbot
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/4/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212371
-----------------------------------------------------------
Ship it!
Ship It!
- Gilbert Song
On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 6:39 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/10/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212210
-----------------------------------------------------------
Fix it, then Ship it!
src/slave/containerizer/mesos/launch.cpp
Lines 501 (patched)
<https://reviews.apache.org/r/68022/#comment297920>
Pass a pointer instead?
- Gilbert Song
On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 6:39 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/9/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210417
-----------------------------------------------------------
FAIL: Failed to apply the dependent review: 67844.
Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2584/mesos-review-68022
Relevant logs:
- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2584/mesos-review-68022/logs/apply-review-67844.log):
```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```
- Mesos Reviewbot Windows
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/4/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review206965
-----------------------------------------------------------
Bad patch!
Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]
Failed command: python support/apply-reviews.py -n -r 67844
Error:
The support scripts will be upgraded to Python 3 by July 1st.
Make sure to install Python 3.6 on your machine before.
2018-08-08 02:26:55 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
Full log: https://builds.apache.org/job/Mesos-Reviewbot/23011/console
- Mesos Reviewbot
On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 9:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/2/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Gilbert Song <so...@gmail.com>.
> On Jan. 22, 2019, 12:31 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Line 945 (original), 1028 (patched)
> > <https://reviews.apache.org/r/68022/diff/9/?file=2120371#file2120371line1030>
> >
> > So we call `calculateCapabilities` twice in this file, can we merge them into one?
I think it is because `setuid` would mutate the effective CAP and we do need to pass the capabilities to `SeccompFilter::create()`.
- Gilbert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212191
-----------------------------------------------------------
On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 6:39 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/9/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review212191
-----------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp
Line 945 (original), 1028 (patched)
<https://reviews.apache.org/r/68022/#comment297873>
So we call `calculateCapabilities` twice in this file, can we merge them into one?
- Qian Zhang
On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 9:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/9/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review206922
-----------------------------------------------------------
FAIL: Failed to apply the dependent review: 67844.
Failed command: `python.exe .\support\python3\apply-reviews.py -n -r 67844`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2106/mesos-review-68022
Relevant logs:
- [apply-review-67844.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2106/mesos-review-68022/logs/apply-review-67844.log):
```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```
- Mesos Reviewbot Windows
On Aug. 6, 2018, 6:39 a.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 6:39 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/2/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review209904
-----------------------------------------------------------
Bad patch!
Reviews applied: [68022, 68021, 68020, 68019, 68018, 68017, 68016, 67844]
Failed command: /usr/bin/python3 support/apply-reviews.py -n -r 67844
Error:
2018-10-22 22:52:21 URL:https://reviews.apache.org/r/67844/diff/raw/ [260/260] -> "67844.patch" [1]
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
Full log: https://builds.apache.org/job/Mesos-Reviewbot/23502/console
- Mesos Reviewbot
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review209888
-----------------------------------------------------------
FAIL: Failed to apply the dependent review: 67844.
Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2510/mesos-review-68022
Relevant logs:
- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2510/mesos-review-68022/logs/apply-review-67844.log):
```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```
- Mesos Reviewbot Windows
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
>
>
> Diff: https://reviews.apache.org/r/68022/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Qian Zhang <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211988
-----------------------------------------------------------
Ship it!
Ship It!
- Qian Zhang
On Aug. 6, 2018, 9:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 9:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/8/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
Re: Review Request 68022: Enabled Seccomp filter in the containerizer
launcher.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review210549
-----------------------------------------------------------
FAIL: Failed to apply the dependent review: 67844.
Failed command: `python.exe .\support\apply-reviews.py -n -r 67844`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2599/mesos-review-68022
Relevant logs:
- [apply-review-67844.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2599/mesos-review-68022/logs/apply-review-67844.log):
```
error: missing binary patch data for '3rdparty/libseccomp-2.3.3.tar.gz'
error: binary patch does not apply to '3rdparty/libseccomp-2.3.3.tar.gz'
error: 3rdparty/libseccomp-2.3.3.tar.gz: patch does not apply
```
- Mesos Reviewbot Windows
On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
> https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to setup Seccomp profile using `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with a syscall filtering enabled.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/launch.cpp 882bcdf89e2b0cca3d3f62e6d017849a51ceaead
>
>
> Diff: https://reviews.apache.org/r/68022/diff/5/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>