mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Review Request 69086: Move the container `/dev` construction to the isolators.
Date Mon, 29 Oct 2018 16:20:04 GMT


> On Oct. 29, 2018, 4:42 a.m., Jie Yu wrote:
> > src/linux/fs.hpp
> > Lines 397-401 (patched)
> > <https://reviews.apache.org/r/69086/diff/3/?file=2100940#file2100940line397>
> >
> >     Any reason we need this option? I was thinking just doing dev mounts always from the linux filesystem isolator.

Since `fs::chroot` was originally designed as a stand-alone API, I wanted to preserve the
ability to use it without the isolator layer. I'm not strongly attached to this approach,
though, so we could just make all the mounts from the linux filesystem isolator.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210131
-----------------------------------------------------------


On Oct. 19, 2018, 5:38 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> -----------------------------------------------------------
> 
> (Updated Oct. 19, 2018, 5:38 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
>     https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Previously, if the container was configured with a root filesystem,
> the container `/dev` was populated by the chroot API and this API
> had a special case for adding GPU devices. This change extends
> the approach that was introduced in the `linux/devices` isolator
> to construct the whole of the Linux container `/dev` hierarchy
> before launching the container. The `linux/filesystem` isolator is
> now responsible for mounting the container `/dev`, and any other
> isolators that enable access to devices can simply populate device
> nodes in the container devices directory. After this change, the
> container `/dev` is mounted read-only so that this cannot be used
> to escape any disk quota.
> 
> 
> Diffs
> -----
> 
>   src/linux/fs.hpp 502f85c4a32d8658bdd701975dd5ac3d802d308e
>   src/linux/fs.cpp 9055ef42edd1fb90e1026d1d603a9ba902cfc1fd
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp a47899cb528eef103f299def3bd3466905ac5b51
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 4645c625877d9451516133b24bd3959e0f49c0a9
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp dbbf92ffbe4a46cedca5b53f6ba172bfb308100e
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 8f8ff95ec3856ba06647637a80315365d0e66e23
>   src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/3/
> 
> 
> Testing
> -------
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>
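The description above says the container `/dev` is now mounted read-only so it cannot be used to escape a disk quota; a reviewer or operator can confirm that property from inside the container by reading `/proc/self/mountinfo`. The following is an added C++ example, not code from this review or from Mesos, that parses mountinfo text and checks the per-mount `ro` flag on `<root>/dev`; the container root paths and the sample mountinfo lines are constructed.

```cpp
#include <sstream>
#include <string>
#include <vector>

// One parsed line of /proc/<pid>/mountinfo; `options` is field 6 (per-mount flags).
struct MountEntry { std::string mountPoint, options, fsType; };

// Parse mountinfo text. Each line is:
//   id parent maj:min root mountpoint opts [optional fields...] - fstype source superopts
std::vector<MountEntry> parseMountInfo(const std::string& text) {
  std::vector<MountEntry> entries;
  std::istringstream lines(text);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::string id, parent, dev, root, mountPoint, options, token, fsType;
    if (!(fields >> id >> parent >> dev >> root >> mountPoint >> options)) continue;
    while (fields >> token && token != "-") {}  // skip optional fields up to "-"
    if (!(fields >> fsType)) continue;          // malformed: no fstype after "-"
    entries.push_back({mountPoint, options, fsType});
  }
  return entries;
}

// True iff the comma-separated option list contains exactly `wanted`.
static bool hasOption(const std::string& options, const std::string& wanted) {
  std::istringstream opts(options);
  std::string opt;
  while (std::getline(opts, opt, ',')) if (opt == wanted) return true;
  return false;
}

// True iff <root>/dev is a mount point carrying the per-mount "ro" flag.
// Field 6 is checked rather than the superblock options because a read-only
// remount of a writable tmpfs shows "ro" only in the per-mount field.
bool devIsReadOnly(const std::vector<MountEntry>& entries, const std::string& root) {
  const std::string dev = (root == "/") ? "/dev" : root + "/dev";
  for (const MountEntry& e : entries)
    if (e.mountPoint == dev && hasOption(e.options, "ro")) return true;
  return false;
}

// Constructed sample (hypothetical paths): one container root whose /dev is
// read-only as the change intends, one whose /dev is still writable.
const char* kSampleMountInfo =
    "36 35 0:21 / /var/lib/mesos/root/dev ro,nosuid shared:5 - tmpfs tmpfs rw\n"
    "37 35 0:22 / /var/lib/mesos/other/dev rw,nosuid - tmpfs tmpfs rw\n"
    "38 35 8:1 / /var/lib/mesos/root rw,relatime - ext4 /dev/sda1 rw\n";
```

Mount points containing spaces appear octal-escaped (`\040`) in mountinfo; the parser above leaves them escaped, so compare against an escaped path in that case.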

