mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Re: Review Request 68022: Enabled Seccomp filter in the containerizer launcher.
Date Fri, 04 Jan 2019 12:45:26 GMT


> On Dec. 27, 2018, 9:16 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 1196-1197 (patched)
> > <https://reviews.apache.org/r/68022/diff/7/?file=2110527#file2110527line1198>
> >
> >     Hmm, this seems unfortunate, will it mean the container cannot be launched?

Since the containerizer launcher is not multithreaded, there is no chance that malloc's global
mutex is acquired by another thread at the moment when the main thread calls `fork()`. So,
it's safe to call `malloc` after forking a child process.

Currently, the only way to load a Seccomp filter via `libseccomp` is to call `seccomp_load`.
When libseccomp developers add a new API call, we should use the new one instead of `seccomp_load`.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2018, 1:39 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up the Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that the container will be running
> with syscall filtering enabled.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
> 
> 
> Diff: https://reviews.apache.org/r/68022/diff/8/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>
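The fork, load-the-filter, `execve()` sequence that the description and the reply above discuss, as an added example that is not Mesos code: it installs a static BPF program with `prctl()` instead of calling libseccomp's `seccomp_load`, so the child never touches the heap between `fork()` and exec. It assumes a Linux x86-64 host, and the policy, function names and denied syscalls are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Two BPF instructions: if the syscall number matches, fail it with EPERM. */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Constructed sample policy (not Mesos'); static, so no malloc after fork(). */
static struct sock_filter filter[] = {
    /* Kill on a foreign ABI so syscall numbers mean what we think they mean. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), /* x86-64 assumed */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Load the syscall number, deny a couple, allow everything else. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    DENY_SYSCALL(SYS_mount),
    DENY_SYSCALL(SYS_ptrace),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t filter_len(void) { return sizeof(filter) / sizeof(filter[0]); }

/* no_new_privs: required for unprivileged loading; also blocks setuid escape. */
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)filter_len(), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* fork(), filter the child right before exec, return its exit status (or -1). */
int launch_filtered(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(126);
        execv(argv[0], argv); /* only returns if the exec itself failed */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling `launch_filtered` with `{ "/bin/true", NULL }` runs the child under the policy; a denied call in the child returns EPERM rather than killing it, which is the same RET_ERRNO behaviour a libseccomp rule with `SCMP_ACT_ERRNO` would give.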

