> On March 31, 2016, 5:59 p.m., Cong Wang wrote:
> > Why /var/run/netns could be in the same mount peer group with its parent? At least on fedora21 this is not the case.
> >
> > Also, why do you fix two bugs in one patch? I know you don't care about bisect, but even so this is still not a good practice at all.
>
> Jie Yu wrote:
> I'll split the patch. Regarding the mount peer groups issue, here is the test I did on fedora23:
> ```
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> [vagrant@localhost build]$ sudo mount^C
> [vagrant@localhost build]$ sudo mkdir /run/netns
> [vagrant@localhost build]$ sudo mount --bind /run/netns /run/netns
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> 72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> [vagrant@localhost build]$ sudo mount --make-shared /run/netns
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> 72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> ```
>
> Cong Wang wrote:
> My point is who makes the peer group change? Is that the distro? If not, admin/user can always do whatever they want, it doesn't make much sense to fix a user-specific case. If it is distro, we have to fix it, like the symlink case.

Yeah, different Linux distros have different defaults:
On CentOS 7/Fedora 23, '/' (and all other default mounts) are shared mounts.
On Ubuntu 14.04, '/' (and all other default mounts) are private mounts.
- Jie
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45520/#review126372
-----------------------------------------------------------
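The three listings above show what the patch description is about: after `mount --bind /run/netns /run/netns` the new mount (id 72) carries `shared:22`, the same peer group as its parent `/run` (id 23), and `mount --make-shared` on a mount that is already shared changes nothing, so the third listing still shows `shared:22`. The following is an added example, not code from the thread or from Mesos: it parses the `/proc/self/mountinfo` format (documented in proc(5)) and reports whether a given mount point is a shared mount in its own peer group. The sample input is constructed from the fedora23 listing quoted above, trimmed to the `/` and `/run` entries; the function and field names are my own.

```python
"""Check whether a mount point is a shared mount in its own peer group.

Parses the /proc/self/mountinfo format (see proc(5)) and reports, for a
given mount point, its propagation type and whether it shares a peer group
with its parent mount. Example code added for illustration, not part of
the Mesos tree.
"""
import re
from typing import Dict

# Constructed sample: the relevant lines from the fedora23 listing in the
# thread, taken after `mount --bind /run/netns /run/netns` and
# `mount --make-shared /run/netns`. Mount 72 inherited peer group 22 from
# its parent /run (mount 23).
SAMPLE_MOUNTINFO = """\
58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
"""


def _unescape(field: str) -> str:
    # mountinfo escapes space, tab, newline and backslash as \ooo (octal).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> Dict[int, dict]:
    """Return {mount_id: record} for every line of a mountinfo listing."""
    mounts: Dict[int, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - ": id, parent, major:minor, root, mount point,
        # per-mount options, then zero or more optional "tag[:value]" items.
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        tags = {}
        for item in fields[6:]:
            tag, _, value = item.partition(":")
            tags[tag] = int(value) if value else None
        mount_id = int(fields[0])
        mounts[mount_id] = {
            "id": mount_id,
            "parent": int(fields[1]),
            "root": _unescape(fields[3]),
            "mountpoint": _unescape(fields[4]),
            "shared": tags.get("shared"),        # peer group id, or None
            "master": tags.get("master"),        # slave of this peer group
            "unbindable": "unbindable" in tags,
            "fstype": post.split()[0] if post else "",
        }
    return mounts


def peer_group_status(text: str, mountpoint: str) -> dict:
    """Describe propagation of `mountpoint` relative to its parent mount.

    When several mounts are stacked on one path the last listed one is the
    visible mount, so later lines override earlier ones.
    """
    mounts = parse_mountinfo(text)
    by_path = {m["mountpoint"]: m for m in mounts.values()}
    if mountpoint not in by_path:
        raise KeyError(f"{mountpoint} is not a mount point in this listing")
    m = by_path[mountpoint]
    parent = mounts.get(m["parent"])          # None for the root mount
    parent_group = parent["shared"] if parent else None
    is_shared = m["shared"] is not None
    return {
        "mountpoint": mountpoint,
        "shared": is_shared,
        "peer_group": m["shared"],
        "parent": parent["mountpoint"] if parent else None,
        "parent_peer_group": parent_group,
        # The precondition the patch wants for /var/run/netns: shared, and
        # not a peer of its parent mount.
        "own_peer_group": is_shared and m["shared"] != parent_group,
    }


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "/run/netns"
    with open("/proc/self/mountinfo") as f:
        print(peer_group_status(f.read(), path))
```

Run against the live system it takes the mount point as its only argument. On the sample data it reports `/run/netns` as shared but not in its own peer group, while `/run/user/1001` (group 27 under a parent in group 22) passes. The way to obtain a fresh peer group for a bind mount under the kernel's shared-subtree semantics is `mount --make-private` followed by `mount --make-shared` on that mount; that sequence is standard mount propagation behaviour, not something the thread itself spells out.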
On March 31, 2016, 1:47 a.m., Jie Yu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45520/
> -----------------------------------------------------------
>
> (Updated March 31, 2016, 1:47 a.m.)
>
>
> Review request for mesos, Ian Downes and Cong Wang.
>
>
> Bugs: MESOS-4662
> https://issues.apache.org/jira/browse/MESOS-4662
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Fixed the bind mount root issue in port mapping isolator. This patch fixed two issues:
> 1) no longer assume /var/run/netns is a realpath
> 2) made sure /var/run/netns is a shared mount in its own mount peer group
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/isolators/network/port_mapping.hpp 0fe2f486eb733acf738c1c61fc44f820d7401afc
> src/slave/containerizer/mesos/isolators/network/port_mapping.cpp 323c84a3d960a196d8ba87f753814e9d43a07957
> src/tests/containerizer/port_mapping_tests.cpp e062daa9fcfc776144b48325daa1f1284c5e59a4
>
> Diff: https://reviews.apache.org/r/45520/diff/
>
>
> Testing
> -------
>
> sudo make check on Fedora23
>
>
> Thanks,
>
> Jie Yu
>
>