mesos-reviews mailing list archives

From Avinash sridharan <avin...@mesosphere.io>
Subject Re: Review Request 44706: Implemented isolate() method of "network/cni" isolator.
Date Tue, 22 Mar 2016 15:06:17 GMT


> On March 20, 2016, 7:08 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/network/cni/cni.cpp, lines 206-212
> > <https://reviews.apache.org/r/44706/diff/2/?file=1307515#file1307515line206>
> >
> >     I suggest we save a rootDir in the isolator process. We can easily switch to use a flag later. Also, we need to call 'realpath' here to make sure it's a realpath.
> >     
> >     We also need to make sure ROOT_DIR is a self bind mounted directory (slave+shared) so that namespace bind mount does not leak into containers.
> 
> Qian Zhang wrote:
>     Do you mean we call `realpath()` to get the real path of the const string `ROOT_DIR` first and then call `mkdir` with the real path as its parameter to create the directory?
>     
>     And can you please elaborate why the namespace bind mount can be leaked into containers if we do not make `ROOT_DIR` as a self bind mounted directory? I just want to know the rationale behind it :-)

I had the same question (about slave+shared bind mount). So read this https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt. Very interesting, and a valid comment.


- Avinash


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44706/#review124460
-----------------------------------------------------------


On March 20, 2016, 4:27 p.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44706/
> -----------------------------------------------------------
> 
> (Updated March 20, 2016, 4:27 p.m.)
> 
> 
> Review request for mesos, Avinash sridharan, Gilbert Song, and Jie Yu.
> 
> 
> Bugs: MESOS-4759
>     https://issues.apache.org/jira/browse/MESOS-4759
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented isolate() method of "network/cni" isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/cni/cni.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/cni/cni.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/44706/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>
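
Added example, not part of the original thread or of the Mesos patch under review: one way to check the "self bind mounted directory (slave+shared)" property discussed above is to read /proc/<pid>/mountinfo, where the kernel reports such a mount with both a `shared:N` and a `master:N` optional field. The path `/run/example/cni` is a placeholder for ROOT_DIR (its value is not given in this message), the function names are hypothetical, and the mountinfo lines are constructed samples.

```cpp
#include <iostream>
#include <sstream>
#include <string>

struct Propagation {
  bool mounted = false;  // the path is itself a mount point
  bool shared = false;   // "shared:N": member of peer group N
  bool slave = false;    // "master:N": slave of peer group N
};

// Parses /proc/<pid>/mountinfo content and returns the state of `target`.
// Spaces in mount points are octal-escaped there, so whitespace splitting works.
Propagation lookup(const std::string& mountinfo, const std::string& target) {
  Propagation result;
  std::istringstream lines(mountinfo);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::string id, parent, dev, root, mountPoint, options, field;
    if (!(fields >> id >> parent >> dev >> root >> mountPoint >> options) ||
        mountPoint != target) {
      continue;
    }
    result = Propagation();  // a later mount on the same path shadows earlier ones
    result.mounted = true;
    while (fields >> field && field != "-") {  // optional fields end at "-"
      if (field.rfind("shared:", 0) == 0) result.shared = true;
      if (field.rfind("master:", 0) == 0) result.slave = true;
    }
  }
  return result;
}

bool isSlaveShared(const std::string& mountinfo, const std::string& target) {
  Propagation p = lookup(mountinfo, target);
  return p.mounted && p.shared && p.slave;
}

// Constructed samples: host mounts, a plain self bind mount that is still in
// its parent's peer group, and the same mount after being made slave+shared.
const std::string HOST =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "25 22 0:21 / /run rw,nosuid shared:5 - tmpfs tmpfs rw\n";
const std::string PLAIN_BIND = HOST +
    "90 25 0:21 /example/cni /run/example/cni rw,nosuid shared:5 - tmpfs tmpfs rw\n";
const std::string SLAVE_SHARED = HOST +
    "90 25 0:21 /example/cni /run/example/cni rw,nosuid shared:40 master:5 - tmpfs tmpfs rw\n";

int main() {
  std::cout << isSlaveShared(SLAVE_SHARED, "/run/example/cni") << "\n";
}
```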

