mesos-reviews mailing list archives

From Zhongbo Tian <windrea...@gmail.com>
Subject Re: Review Request 58337: Add allowed devices whitelist for cgroups/devices isolator.
Date Wed, 12 Apr 2017 04:17:28 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58337/
-----------------------------------------------------------

(Updated April 12, 2017, 4:17 a.m.)


Review request for mesos and haosdent huang.


Bugs: MESOS-6791
    https://issues.apache.org/jira/browse/MESOS-6791


Repository: mesos


Description
-------

Add allowed devices whitelist for cgroups/devices isolator.


Diffs (updated)
-----

  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp ca2727142a9f257168f3cae0958f7b4665b63cf6

  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 9b5cf83093796b0c0cc5057b612f80bc8b8ba72f

  src/slave/flags.hpp 171f67e44518e858049d002fcf037715021da265 
  src/slave/flags.cpp 9365da2c8462a4375a99a86210b9d6ec628510fe 


Diff: https://reviews.apache.org/r/58337/diff/3/

Changes: https://reviews.apache.org/r/58337/diff/2-3/


Testing (updated)
-------

For a simple test:

- Launch without additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices`
  2. Try to open `/dev/rtc0`, which failed with permission denied. `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`


- Launch with additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices --cgroups_allowed_devices='{"devices":[{"path":"/dev/rtc0", "mknod_access":true, "read_access":true, "write_access":true}]}'`
  2. Open `/dev/rtc0` successfully. `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`


Thanks,

Zhongbo Tian
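
An added example, not part of the original message or of the Mesos patch: a sketch that validates the `--cgroups_allowed_devices` value used in the test steps and renders each entry as a cgroup v1 `devices.allow` line, so an operator can review what a whitelist grants before starting the agent. The mapping of the flag's fields to `r`/`w`/`m`, the helper names, and the device numbers in the sample lookup are assumptions.

```python
import json
import os
import stat

# Constructed sample: the flag value from the test steps above.
SAMPLE_FLAG = ('{"devices":[{"path":"/dev/rtc0", "mknod_access":true, '
               '"read_access":true, "write_access":true}]}')

# Assumed mapping of the flag's fields to cgroup v1 access letters.
ACCESS_KEYS = (("read_access", "r"), ("write_access", "w"), ("mknod_access", "m"))


def stat_device(path):
    """Return (type, major, minor) for a device node; reject anything else."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        raise ValueError(f"{path} is not a device node")
    return kind, os.major(st.st_rdev), os.minor(st.st_rdev)


def whitelist_entries(flag_value, lookup=stat_device):
    """Translate the flag JSON into 'type major:minor access' lines."""
    entries = []
    for dev in json.loads(flag_value)["devices"]:
        unknown = set(dev) - {"path"} - {key for key, _ in ACCESS_KEYS}
        if unknown:
            raise ValueError(f"unknown keys: {sorted(unknown)}")
        path = dev["path"]
        # Reject relative paths and '..' segments before touching the filesystem.
        if not os.path.isabs(path) or os.path.normpath(path) != path:
            raise ValueError(f"path must be absolute and normalized: {path!r}")
        access = "".join(c for key, c in ACCESS_KEYS if dev.get(key) is True)
        if not access:
            raise ValueError(f"{path} grants no access")
        kind, major, minor = lookup(path)
        entries.append(f"{kind} {major}:{minor} {access}")
    return entries


if __name__ == "__main__":
    # Constructed lookup so the example runs on hosts without /dev/rtc0.
    for line in whitelist_entries(SAMPLE_FLAG, lookup=lambda p: ("c", 254, 0)):
        print(line)
```

Calling `whitelist_entries` without the `lookup` argument stats the real device nodes on the agent host.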

