mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jie Yu <yujie....@gmail.com>
Subject Re: Review Request 67097: Added `linux/devices` isolator whitelist support.
Date Mon, 21 May 2018 21:35:09 GMT


> On May 21, 2018, 7:24 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/linux/devices.cpp
> > Lines 170-175 (patched)
> > <https://reviews.apache.org/r/67097/diff/4/?file=2024122#file2024122line171>
> >
> >     Any reason we only do that for the directory, not the actual device file?
> 
> James Peach wrote:
>     The actual device file is supposed to be accessed by the task user, so it has to
be owned by that user. This chown is ensuring that we don't also grant access to other host
users as a side-effect of the container.

What do you mean by "side-effect"?


- Jie


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67097/#review203515
-----------------------------------------------------------


On May 15, 2018, 5:53 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67097/
> -----------------------------------------------------------
> 
> (Updated May 15, 2018, 5:53 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu.
> 
> 
> Bugs: MESOS-8792
>     https://issues.apache.org/jira/browse/MESOS-8792
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added `linux/devices` isolator support for populating the container
> devices.  This introduces a general mechanism for populating devices
> into a specific container but currently only implements devices for all
> containers based on the devices specified by the `--allowed_devices`
> agent flag.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/linux/devices.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/67097/diff/4/
> 
> 
> Testing
> -------
> 
> make check (Fedora 27)
> 
> 
> Thanks,
> 
> James Peach
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message