Subject: Review Request 69086: Move the container `/dev` construction to the isolators.
From: James Peach
To: Jie Yu, Jiang Yan Xu, Jason Lai
Cc: James Peach, mesos
Date: Fri, 19 Oct 2018 17:38:09 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/
-----------------------------------------------------------

Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.


Bugs: MESOS-9319
    https://issues.apache.org/jira/browse/MESOS-9319


Repository: mesos


Description
-------

Previously, if the container was configured with a root filesystem,
the container `/dev` was populated by the chroot API and this API had
a special case for adding GPU devices.

This change extends the approach that was introduced in the
`linux/devices` isolator to construct the whole of the Linux container
`/dev` hierarchy before launching the container. The `linux/filesystem`
isolator is now responsible for mounting the container `/dev`, and any
other isolators that enable access to devices can simply populate device
nodes in the container devices directory.

After this change, the container '/dev' is mounted read-only so that
this cannot be used to escape any disk quota.


Diffs
-----

  src/linux/fs.hpp 502f85c4a32d8658bdd701975dd5ac3d802d308e
  src/linux/fs.cpp 9055ef42edd1fb90e1026d1d603a9ba902cfc1fd
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp a47899cb528eef103f299def3bd3466905ac5b51
  src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 4645c625877d9451516133b24bd3959e0f49c0a9
  src/slave/containerizer/mesos/isolators/gpu/isolator.cpp dbbf92ffbe4a46cedca5b53f6ba172bfb308100e
  src/slave/containerizer/mesos/isolators/linux/devices.cpp 8f8ff95ec3856ba06647637a80315365d0e66e23
  src/slave/containerizer/mesos/launch.cpp 7193da0a094df3e441e185c62b3a0379a0bdc4a2


Diff: https://reviews.apache.org/r/69086/diff/1/


Testing
-------

sudo make check (Fedora 28)


Thanks,

James Peach
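

A check for the read-only `/dev` mount described above, as an added example that is not part of the review request or the Mesos code: it parses text in the `/proc/<pid>/mountinfo` format and reports whether the mount at a given path carries the per-mount `ro` option. The names `checkMount` and `DevMount` and the sample lines are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class DevMount { NotMounted, ReadWrite, ReadOnly };

// True if the comma-separated option list contains exactly `flag`.
static bool hasOption(const std::string& options, const std::string& flag) {
  std::istringstream in(options);
  std::string opt;
  while (std::getline(in, opt, ',')) {
    if (opt == flag) return true;
  }
  return false;
}

// Scans text in /proc/<pid>/mountinfo format for mounts at `target`.
// Field 5 is the mount point and field 6 the per-mount options; the
// superblock options after the "-" separator are ignored on purpose,
// because a read-only mount of a writable filesystem shows `ro` only in
// field 6. Assumption: the last matching line is the topmost mount.
DevMount checkMount(const std::string& mountinfo, const std::string& target) {
  DevMount result = DevMount::NotMounted;
  std::istringstream lines(mountinfo);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::vector<std::string> f;
    for (std::string tok; fields >> tok;) f.push_back(tok);
    if (f.size() < 6 || f[4] != target) continue;
    result = hasOption(f[5], "ro") ? DevMount::ReadOnly : DevMount::ReadWrite;
  }
  return result;
}

// Constructed sample lines (not captured from a Mesos container).
const std::string SAMPLE_RO =
    "100 90 0:50 / / rw,relatime - overlay overlay rw\n"
    "101 100 0:51 / /dev ro,nosuid,noexec,relatime - tmpfs tmpfs rw,mode=755\n"
    "102 101 0:52 / /dev/pts rw,nosuid,noexec - devpts devpts rw,ptmxmode=666\n";
const std::string SAMPLE_RW =
    "100 90 0:50 / / ro,relatime - overlay overlay rw\n"
    "101 100 0:51 / /dev rw,nosuid,noexec,relatime - tmpfs tmpfs rw,mode=755\n";

int main() {
  std::cout << (checkMount(SAMPLE_RO, "/dev") == DevMount::ReadOnly) << "\n";
  std::cout << (checkMount(SAMPLE_RW, "/dev") == DevMount::ReadWrite) << "\n";
  return 0;
}
```

Fed the contents of a container's own `mountinfo`, a `ReadWrite` or `NotMounted` result for `/dev` flags a container whose device directory is still writable.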