mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Review Request 59554: Rename the `--allowed_capabilities` flag to `--effective_capabilities`.
Date Sun, 11 Jun 2017 18:41:36 GMT


> On June 11, 2017, 6:23 p.m., Jie Yu wrote:
> > src/slave/flags.cpp
> > Line 608 (original), 603 (patched)
> > <https://reviews.apache.org/r/59554/diff/3/?file=1747645#file1747645line608>
> >
> >     Is that still true? I think that depends on if bounding is set or not.

I think it is still true that leaving the `effective_capabilities` clear and running as root
means you intend to allow ALL capabilities. If you also set the `bounding_capabilities` then
you are additionally expressing the intent to bound the capabilities, but that doesn't make
the original intent untrue. I'm not sure that this is the right place to discuss how the various
features interact, though I definitely agree that that topic should be discussed and explained
clearly.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59554/#review177575
-----------------------------------------------------------


On June 5, 2017, 4:57 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59554/
> -----------------------------------------------------------
> 
> (Updated June 5, 2017, 4:57 p.m.)
> 
> 
> Review request for mesos, Jie Yu and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7477
>     https://issues.apache.org/jira/browse/MESOS-7477
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Since the `--allowed_capabilities` flag was being used to actually
> grant capabilities, rename it to `--effective_capabilities` which better
> conveys the intention and semantics of this flag.
> 
> 
> Diffs
> -----
> 
>   docs/configuration.md ed510fa638878b71e7fcff4850152a8a8622127e 
>   docs/linux_capabilities.md b588aff6842a14bbf7ff5c35931cac61f9019805 
>   src/slave/containerizer/mesos/isolators/linux/capabilities.cpp 60d22aa877c1ab62a08222e5efe8800e337684da
>   src/slave/flags.hpp 2f9d52e94c2c31e95208cd8b0640a5de2d2a61fd 
>   src/slave/flags.cpp 93c8ffb5c822cf6c99071be7aca52a6b3d187619 
>   src/tests/containerizer/linux_capabilities_isolator_tests.cpp 40376a03fdb8f931f8d3f83b1c3fa6207e02c1d1
> 
> 
> Diff: https://reviews.apache.org/r/59554/diff/3/
> 
> 
> Testing
> -------
> 
> make check (Fedora 25)
> 
> 
> Thanks,
> 
> James Peach
> 
>

