From Andrei Budnik <abud...@mesosphere.com>
Subject Re: Review Request 69345: Made non-root containers can access SANDBOX_PATH volume of PARENT type.
Date Thu, 06 Dec 2018 13:14:40 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69345/#review211092
-----------------------------------------------------------




src/slave/containerizer/mesos/containerizer.cpp
Lines 418 (patched)
<https://reviews.apache.org/r/69345/#comment295993>

    it should be fine to copy `volumeGidManager` by value in this capture list.



src/slave/containerizer/mesos/containerizer.cpp
Lines 1631 (patched)
<https://reviews.apache.org/r/69345/#comment295994>

    Probably, we should add `CHECK(!launchInfo.has_supplementary_groups()) << "<error message>"` instead of `launchInfo.clear_supplementary_groups();`.



src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
Lines 437 (patched)
<https://reviews.apache.org/r/69345/#comment295995>

    Consider adding log messages like "Starting allocation of gids", "Finished allocation of gids" in order to simplify debugging of containers stuck in `PREPARING` state due to slow/unresponsive disks.



src/slave/main.cpp
Lines 639 (patched)
<https://reviews.apache.org/r/69345/#comment295991>

    I think we can safely omit `if` check here.



src/slave/main.cpp
Lines 639 (patched)
<https://reviews.apache.org/r/69345/#comment295992>

    I think we can safely omit the `if` check here since calling `delete` on `nullptr` has no effect.


- Andrei Budnik


On Dec. 4, 2018, 2:42 a.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69345/
> -----------------------------------------------------------
> 
> (Updated Dec. 4, 2018, 2:42 a.m.)
> 
> 
> Review request for mesos, Andrei Budnik, Gilbert Song, Greg Mann, Ilya Pronin, and Jie Yu.
> 
> 
> Bugs: MESOS-8810
>     https://issues.apache.org/jira/browse/MESOS-8810
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> If a nested container running as a non-root user tries to use a
> SANDBOX_PATH volume of PARENT type, we will make sure the volume is owned
> by a unique gid allocated by the volume gid manager and the container
> process is launched with that gid as its supplementary group.
> 
> 
> Diffs
> -----
> 
>   include/mesos/slave/containerizer.proto 5b4dcdda0f55ea3355c78d1447c7be9ca54d9dc9
>   src/local/local.cpp 608706811486e59b9472c026876d1d84cbccc279
>   src/slave/containerizer/containerizer.hpp 66f73a306deffc51503479420531ea1948c574e1
>   src/slave/containerizer/containerizer.cpp c6b5e64a72d16b871dcbfc17c05566affea6bd44
>   src/slave/containerizer/mesos/containerizer.hpp 3102b8755c1fa3b205081d0198c6021c02d15ec6
>   src/slave/containerizer/mesos/containerizer.cpp a5cf2da55c046c5c45e0c2ca3400f64de12de62b
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.hpp 1631160236379f84c6e1ed1be1370b5f2f2fd563
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp 300b3d95d74b73fbe0221096f3f3f172be745081
>   src/slave/containerizer/mesos/launch.cpp 882bcdf89e2b0cca3d3f62e6d017849a51ceaead
>   src/slave/main.cpp e774092ff2c3941f17cdebfb26d80c05a26497c6
>   src/slave/slave.hpp 0bd340176e2a8cefdfa7ef71e059441fb171aff6
>   src/slave/slave.cpp 74f6fb9036a9ac4f587f53ec2df04eeb4c167bfb
>   src/tests/cluster.cpp 2b351ca70d8e80008e49722aa7d46918b5ecd9b0
>   src/tests/mock_slave.hpp 3c0d602a981d76dcf10f9e413851e606d835e113
>   src/tests/mock_slave.cpp a78ca9c7911bb7928a93be6867abe62e8cd20712
> 
> 
> Diff: https://reviews.apache.org/r/69345/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>
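The mechanism the quoted review request describes (one unique gid per PARENT-type SANDBOX_PATH volume, handed to the non-root nested container as a supplementary group so the directory does not have to be world-accessible), as an added illustration. This is not Mesos's code and not part of the review thread; the class and function names, the gid range, the 0770 directory mode and the thrown exception standing in for `CHECK` are all assumptions of this example. The last function generalises the point by evaluating the directory mode bits for member and non-member processes, so it also shows what the world-writable alternative would give away.

```cpp
#include <sys/types.h>   // gid_t, mode_t
#include <algorithm>
#include <map>
#include <optional>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Illustrative volume gid manager (assumption: not Mesos's implementation).
// Every volume path used by a non-root nested container gets a unique gid from
// a configured range; nested containers sharing the same parent volume share
// that gid; the gid is recycled once the last user has been cleaned up.
class VolumeGidManager
{
public:
  VolumeGidManager(gid_t lo, gid_t hi)
  {
    if (lo > hi) throw std::invalid_argument("empty gid range");
    for (gid_t g = lo; g <= hi; ++g) free_.insert(g);
  }

  // Returns the gid owning `volumePath`, allocating one on first use.
  gid_t allocate(const std::string& volumePath)
  {
    auto it = inUse_.find(volumePath);
    if (it != inUse_.end()) {
      ++it->second.second;            // another container shares this volume
      return it->second.first;
    }
    if (free_.empty()) throw std::runtime_error("volume gid range exhausted");
    gid_t gid = *free_.begin();
    free_.erase(free_.begin());
    inUse_[volumePath] = std::make_pair(gid, static_cast<size_t>(1));
    return gid;
  }

  // Drops one reference; the gid returns to the pool with the last reference.
  void deallocate(const std::string& volumePath)
  {
    auto it = inUse_.find(volumePath);
    if (it == inUse_.end()) throw std::logic_error("unknown volume: " + volumePath);
    if (--it->second.second == 0) {
      free_.insert(it->second.first);
      inUse_.erase(it);
    }
  }

  std::optional<gid_t> lookup(const std::string& volumePath) const
  {
    auto it = inUse_.find(volumePath);
    if (it == inUse_.end()) return std::nullopt;
    return it->second.first;
  }

  size_t available() const { return free_.size(); }

private:
  std::set<gid_t> free_;
  std::map<std::string, std::pair<gid_t, size_t>> inUse_;   // path -> (gid, refcount)
};

// Minimal stand-in for the launch info a containerizer hands to the launcher.
struct LaunchInfo
{
  bool runsAsRoot = false;
  std::vector<gid_t> supplementaryGroups;
};

// Attaches the volume gid as a supplementary group for a non-root container.
// Root needs no group. Following the reviewer's suggestion, a pre-existing
// supplementary group list is treated as a programming error (here an
// exception, where the project would use CHECK) rather than silently cleared.
LaunchInfo withVolumeGroup(LaunchInfo info, gid_t volumeGid)
{
  if (info.runsAsRoot) return info;
  if (!info.supplementaryGroups.empty()) {
    throw std::logic_error("supplementary groups already set before volume gid assignment");
  }
  info.supplementaryGroups.push_back(volumeGid);
  return info;
}

// Assumed mode for the volume directory once chgrp'ed to the allocated gid:
// owner and group get rwx, everybody else gets nothing.
constexpr mode_t kVolumeMode = 0770;

// Whether a non-root process with these credentials can read, write and
// traverse the volume under POSIX mode bits: group bits apply when the
// process carries the volume gid (primary or supplementary), other bits
// otherwise. Owner bits are ignored because the container is not the owner.
bool canAccessVolume(mode_t mode, gid_t volumeGid, gid_t primaryGid,
                     const std::vector<gid_t>& supplementary)
{
  bool member = primaryGid == volumeGid ||
      std::find(supplementary.begin(), supplementary.end(), volumeGid) != supplementary.end();
  mode_t bits = member ? (mode >> 3) & 07 : mode & 07;
  return bits == 07;
}
```

With `kVolumeMode` only a process that received the allocated gid passes `canAccessVolume`; relaxing the directory to 0777 would let any process on the agent pass, which is exactly the exposure the per-volume gid avoids.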

