mesos-reviews mailing list archives

From Kevin Klues <klue...@gmail.com>
Subject Re: Review Request 50592: Updated NvidiaVolume to mount as 'tmpfs' if parent fs is 'noexec'.
Date Sun, 31 Jul 2016 18:55:34 GMT


> On July 31, 2016, 12:25 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/gpu/volume.cpp, lines 238-243
> > <https://reviews.apache.org/r/50592/diff/1/?file=1457192#file1457192line238>
> >
> >     What if `/` is mounted with `noexec` and `/run` is mounted without `noexec`? Do you still need to do the mount?
> >     
> >     Since you're doing a reverse iteration, I think the logic should simply be find the first entry that satisfies `startsWith(realpath.get(), entry.target)`, and if that entry does not contain `noexec`, mount is not needed. Otherwise, mount is needed.
> >     
> >     You don't need the `realpath.get() == entry.target` check below I think.

I agree. This is a much better way of doing this.


> On July 31, 2016, 12:25 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/gpu/volume.cpp, line 253
> > <https://reviews.apache.org/r/50592/diff/1/?file=1457192#file1457192line253>
> >
> >     This needs root permission. Make sure to check that in appropriate locations.

Added in a separate review: https://reviews.apache.org/r/50644/


- Kevin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50592/#review144270
-----------------------------------------------------------


On July 29, 2016, 3:25 a.m., Kevin Klues wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50592/
> -----------------------------------------------------------
> 
> (Updated July 29, 2016, 3:25 a.m.)
> 
> 
> Review request for mesos, Benjamin Mahler and Jie Yu.
> 
> 
> Bugs: MESOS-5923
>     https://issues.apache.org/jira/browse/MESOS-5923
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch is in response to an issue we ran into on Ubuntu 14.04,
> where '/run' is being mounted as 'noexec' (MESOS-5923). Since our
> NvidiaVolume is created below this mount point, we are unable to
> execute any binaries we add to this volume. This causes problems, for
> example, when trying to execute 'nvidia-smi' from within a container
> that has this volume mounted in.
> 
> To work around this issue, we detect if any mount point above the path
> where we create the volume is marked as 'noexec', and if so, we create
> a new 'tmpfs' mount for the volume without 'noexec' set.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/gpu/volume.cpp 4b3651a8266b1ba193f6d207cd3be1ce55629703
> 
> Diff: https://reviews.apache.org/r/50592/diff/
> 
> 
> Testing
> -------
> 
> Remount /run as 'noexec'
> 
> `GTEST_FILTER="*NVIDIA*" make -j check`
> 
> Ran a master/agent/execute set running 'nvidia-smi' both inside and outside a docker container.
> Both setups ran successfully.
> 
> 
> Thanks,
> 
> Kevin Klues
> 
>
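
The lookup discussed in the review comments above, as an added example that is not part of the original e-mail or the Mesos source: walk the mount table in reverse and let only the first entry covering the path decide whether a separate exec-capable mount is needed. `MountEntry`, `isUnder`, `needsExecMount` and the sample paths are hypothetical; the table is assumed to be in mount order, and the match is made on whole path components rather than on a raw string prefix.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for one mount table entry (not the Mesos type).
struct MountEntry {
  std::string target;                // mount point
  std::vector<std::string> options;  // e.g. {"rw", "nosuid", "noexec"}
};

// True if `path` is `dir` or lies beneath it. Matches whole path components,
// so a mount at "/run" does not claim "/running".
bool isUnder(const std::string& path, const std::string& dir) {
  if (dir == "/") return !path.empty() && path[0] == '/';
  return path.compare(0, dir.size(), dir) == 0 &&
         (path.size() == dir.size() || path[dir.size()] == '/');
}

// Assumes `table` is in mount order (oldest first) and `path` is already
// resolved. Walking it in reverse, the first entry covering `path` is the
// filesystem the path lives on; only that entry's options decide the result.
bool needsExecMount(const std::vector<MountEntry>& table,
                    const std::string& path) {
  for (auto it = table.rbegin(); it != table.rend(); ++it) {
    if (!isUnder(path, it->target)) continue;
    return std::find(it->options.begin(), it->options.end(), "noexec") !=
           it->options.end();
  }
  return false;  // no covering entry: nothing to work around
}

int main() {
  const std::string volume = "/run/example/volume";  // constructed path
  // Constructed tables: the Ubuntu 14.04 case, then the reviewer's case.
  std::vector<MountEntry> runNoexec = {
      {"/", {"rw"}}, {"/run", {"rw", "nosuid", "noexec"}}};
  std::vector<MountEntry> rootNoexec = {
      {"/", {"rw", "noexec"}}, {"/run", {"rw", "nosuid"}}};
  std::cout << std::boolalpha
            << "/run noexec -> mount needed: "
            << needsExecMount(runNoexec, volume) << "\n"
            << "/ noexec, /run exec -> mount needed: "
            << needsExecMount(rootNoexec, volume) << "\n";
  return 0;
}
```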

