mesos-reviews mailing list archives

From haosdent huang <haosd...@apache.org>
Subject Re: Review Request 58603: Allowed whitelist additional devices in cgroups devices subsystem.
Date Sun, 30 Apr 2017 15:28:40 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58603/#review173450
-----------------------------------------------------------




docs/configuration.md
Lines 1154-1155 (original), 1154-1180 (patched)
<https://reviews.apache.org/r/58603/#comment246432>

    I modified it to:

    ```
    <tr>
      <td>
        --allowed_devices
      </td>
      <td>
    JSON object representing the devices that will be additionally
    whitelisted by the cgroups devices subsystem. Note that the following
    devices are always whitelisted by default:
    <pre><code>  * /dev/console
      * /dev/tty0
      * /dev/tty1
      * /dev/pts/*
      * /dev/ptmx
      * /dev/net/tun
      * /dev/null
      * /dev/zero
      * /dev/full
      * /dev/tty
      * /dev/urandom
      * /dev/random
    </code></pre>
    This flag will take effect only when <code>cgroups/devices</code> is set in
    the <code>--isolation</code> flag.
    <p/>
    Example:
    <pre><code>{
      "allowed_devices": [
        {
          "device": {
            "path": "/path/to/device"
          },
          "access": {
            "read": true,
            "write": false,
            "mknod": false
          }
        }
      ]
    }
    </code></pre>
      </td>
    </tr>
    ```



src/slave/flags.cpp
Lines 457-476 (patched)
<https://reviews.apache.org/r/58603/#comment246433>

    I modified it to:
    ```
      add(&Flags::allowed_devices,
          "allowed_devices",
          "JSON object representing the devices that will be additionally\n"
          "whitelisted by the cgroups devices subsystem. Note that the following\n"
          "devices are always whitelisted by default:\n"
          "  * /dev/console\n"
          "  * /dev/tty0\n"
          "  * /dev/tty1\n"
          "  * /dev/pts/*\n"
          "  * /dev/ptmx\n"
          "  * /dev/net/tun\n"
          "  * /dev/null\n"
          "  * /dev/zero\n"
          "  * /dev/full\n"
          "  * /dev/tty\n"
          "  * /dev/urandom\n"
          "  * /dev/random\n"
          "This flag will take effect only when `cgroups/devices` is set in\n"
          "the `--isolation` flag.\n"
          "Example:\n"
          "{\n"
          "  \"allowed_devices\": [\n"
          "    {\n"
          "      \"device\": {\n"
          "        \"path\": \"/path/to/device\"\n"
          "      },\n"
          "      \"access\": {\n"
          "        \"read\": true,\n"
          "        \"write\": false,\n"
          "        \"mknod\": false\n"
          "      }\n"
          "    }\n"
          "  ]\n"
          "}\n");
    ```


- haosdent huang


On April 27, 2017, 7:01 a.m., Zhongbo Tian wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58603/
> -----------------------------------------------------------
> 
> (Updated April 27, 2017, 7:01 a.m.)
> 
> 
> Review request for mesos, haosdent huang and Jie Yu.
> 
> 
> Bugs: MESOS-6791
>     https://issues.apache.org/jira/browse/MESOS-6791
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Allowed whitelist additional devices in cgroups devices subsystem.
> 
> 
> Diffs
> -----
> 
>   docs/configuration.md 159f946216299fc52171e0a58c7eb7c888c1eec8 
>   include/mesos/mesos.proto 46bb7813cc402f2a71879d26d4bbc62abd852d52 
>   include/mesos/type_utils.hpp 5f771aaf2f4e76ac06bfd8f77b0b744ed2854b27 
>   include/mesos/v1/mesos.proto f7c05a82f8265aedc0bd8fd20dd30e21af46e775 
>   src/common/parse.hpp e90738a91161e26a48a6e381765e631492294641 
>   src/common/type_utils.cpp 9bc32af7df3242906633ac75d479223333be8e5f 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp ca2727142a9f257168f3cae0958f7b4665b63cf6 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 9b5cf83093796b0c0cc5057b612f80bc8b8ba72f 
>   src/slave/flags.hpp c7a4604ed994e15c1db6accfaded2e882f1aec94 
>   src/slave/flags.cpp c50e43c0e0ba633f6b905b0d78668c0a0eebb173 
> 
> 
> Diff: https://reviews.apache.org/r/58603/diff/4/
> 
> 
> Testing
> -------
> 
> For test:
> 
> - Launch without additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices`
>   2. Try to open `/dev/rtc0`; it fails with permission denied: `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
> 
> - Launch with additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices --allowed_devices='{"allowed_devices":[{"device":{"path":"/dev/rtc0"},"access":{"mknod":true, "read":true, "write":true}}]}'`
>   2. Open `/dev/rtc0` successfully: `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
> 
> 
> Thanks,
> 
> Zhongbo Tian
> 
>
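The review above settles on a JSON shape for `--allowed_devices` (an object holding an `allowed_devices` array of `{"device": {"path": ...}, "access": {"read", "write", "mknod"}}` entries) and tests it by exposing `/dev/rtc0` to a task. The following is an added example, not Mesos code and not part of this review: it validates a flag value of that shape, rejects entries that name no path or grant no access, and renders the cgroups v1 `devices.allow` rule (`TYPE MAJOR:MINOR rwm`) each entry implies. The default whitelist is copied from the review comment; the `stat_lookup` helper and the `render_rules` function are this example's own names, and the `248:0` device number used in the demonstration is a constructed sample, not a value taken from the page.

```python
"""Validate a Mesos-style --allowed_devices JSON value and render the cgroups v1
devices.allow rules it implies.  Added example; not Mesos's own code."""
import json
import os
import stat

# Devices the review comment says the cgroups/devices isolator always whitelists.
DEFAULT_WHITELIST = (
    "/dev/console", "/dev/tty0", "/dev/tty1", "/dev/pts/*", "/dev/ptmx",
    "/dev/net/tun", "/dev/null", "/dev/zero", "/dev/full", "/dev/tty",
    "/dev/urandom", "/dev/random",
)

# JSON access keys and the letter devices.allow uses for each, in kernel order.
ACCESS_LETTERS = (("read", "r"), ("write", "w"), ("mknod", "m"))


def validate_allowed_devices(text):
    """Return a list of problems with the flag value; an empty list means it is valid."""
    problems = []
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("allowed_devices"), list):
        return ['top level must be an object with an "allowed_devices" array']
    known = dict(ACCESS_LETTERS)
    for i, entry in enumerate(doc["allowed_devices"]):
        where = f"allowed_devices[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: entry must be an object")
            continue
        device = entry.get("device")
        path = device.get("path") if isinstance(device, dict) else None
        if not isinstance(path, str) or not path.startswith("/"):
            problems.append(f'{where}: "device.path" must be an absolute path')
        access = entry.get("access")
        if not isinstance(access, dict):
            problems.append(f'{where}: "access" must be an object')
            continue
        for key, value in access.items():
            if key not in known or not isinstance(value, bool):
                problems.append(f'{where}: access "{key}" must be read/write/mknod with a boolean value')
        # An entry that grants nothing is almost always a typo (e.g. "reed": true).
        if not any(access.get(key) is True for key, _ in ACCESS_LETTERS):
            problems.append(f"{where}: entry grants no access at all")
    return problems


def parse_allowed_devices(text):
    """Return [(path, access_letters)] for a valid flag value, else raise ValueError."""
    problems = validate_allowed_devices(text)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        (entry["device"]["path"],
         "".join(letter for key, letter in ACCESS_LETTERS if entry["access"].get(key) is True))
        for entry in json.loads(text)["allowed_devices"]
    ]


def stat_lookup(path):
    """Resolve (type, major, minor) of a device node on this host via stat(2)."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        raise ValueError(f"{path} is not a device node")
    return kind, os.major(st.st_rdev), os.minor(st.st_rdev)


def render_rules(text, lookup=stat_lookup):
    """Render one 'TYPE MAJOR:MINOR rwm' line per entry, as written to devices.allow."""
    rules = []
    for path, access in parse_allowed_devices(text):
        kind, major, minor = lookup(path)
        rules.append(f"{kind} {major}:{minor} {access}")
    return rules


if __name__ == "__main__":
    # The flag value from the review's own test, rendered with a constructed
    # device-number table so the demonstration does not depend on the host.
    flag = ('{"allowed_devices":[{"device":{"path":"/dev/rtc0"},'
            '"access":{"mknod":true, "read":true, "write":true}}]}')
    sample_numbers = {"/dev/rtc0": ("c", 248, 0)}  # constructed sample value
    print("always whitelisted:", ", ".join(DEFAULT_WHITELIST))
    for rule in render_rules(flag, lookup=lambda p: sample_numbers[p]):
        print("devices.allow <-", rule)
```

Granting `rwm` on a device, as the review's test does, is the broadest setting; for most workloads a read-only entry (`"read": true` with the other two false) is the least-privilege choice, and `mknod` is rarely needed by a task at all. The validator flags entries that grant nothing, since a misspelled access key silently produces exactly that.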

