mesos-reviews mailing list archives

From Jason Lai <ja...@jasonlai.net>
Subject Re: Review Request 70678: Add containerizer support for masking paths.
Date Tue, 21 May 2019 22:16:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70678/#review215433
-----------------------------------------------------------


Fix it, then Ship it!




Good stuff! LGTM overall with some nits.


src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 500 (patched)
<https://reviews.apache.org/r/70678/#comment302131>

    Nit: `return false` first, so we won't need to nest the logic inside the previous `if` statement.



src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 816 (patched)
<https://reviews.apache.org/r/70678/#comment302130>

    Nit: I feel we should consider making the masked paths an instance variable of the isolator class and initializing it with `ROOTFS_MASKED_PATHS` instead, for the purpose of avoiding hard coding.


- Jason Lai


On May 20, 2019, 1:41 a.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70678/
> -----------------------------------------------------------
> 
> (Updated May 20, 2019, 1:41 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu.
> 
> 
> Bugs: MESOS-9771
>     https://issues.apache.org/jira/browse/MESOS-9771
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Add support to the `filesystem/linux` isolator for masking container
> paths. Add a set of standard default paths to be masked, as derived
> from commonly used container runtimes. These paths either expose
> information about other system processes, or capabilities that
> should not be exposed to untrusted containers.
> 
> We don't mask if the container is privileged, which is defined
> as sharing the host's PID namespace. For nested containers, we
> verify that the PID namespace is shared from the host all the way
> up the tree.
> 
> 
> Diffs
> -----
> 
>   include/mesos/slave/containerizer.proto 48ffa2e6bd1a03f3dc68a3a78d883855f14bf10c 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 7b50258ef5480c1ea3f0016aace3b838395becfd 
>   src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8 
>   src/tests/containerizer/linux_filesystem_isolator_tests.cpp 60e9ae5970a0a45314d0b3569556bef36d350d2b 
>   src/tests/containerizer/rootfs.cpp 48eb0108cf26729a0528528a1102247410cf80fe 
> 
> 
> Diff: https://reviews.apache.org/r/70678/diff/3/
> 
> 
> Testing
> -------
> 
> sudo make check (Fedora 30)
> 
> 
> Thanks,
> 
> James Peach
> 
>
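The masking mechanism and the privileged-container check described in the quoted review request, as an added C++ example that is not part of Mesos or of the patch under review. The default path list is modelled on the runc/Docker masked paths rather than on the patch's `ROOTFS_MASKED_PATHS`; using pid 1 as the host PID namespace reference, and the `pathsToMask` and `maskPath` helper names, are assumptions of this example. The mount calls need CAP_SYS_ADMIN inside the container's mount namespace; the decision logic runs unprivileged.

```cpp
// Added example (not Mesos code): the two mechanisms described in the
// review request, masking sensitive paths inside a container rootfs and
// skipping the masking when the container shares the host PID namespace.
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <cerrno>
#include <iostream>
#include <string>
#include <vector>

// Illustrative default list modelled on the runc/Docker masked paths, not
// the patch's ROOTFS_MASKED_PATHS. The /proc entries leak kernel memory,
// key rings, timers or scheduler state of other processes; /sys/firmware
// exposes platform firmware tables.
static const std::vector<std::string> DEFAULT_MASKED_PATHS = {
    "/proc/acpi",          "/proc/kcore",      "/proc/keys",
    "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats",
    "/proc/sched_debug",   "/proc/scsi",       "/sys/firmware",
};

// Namespace identity of a pid as the kernel reports it, e.g.
// "pid:[4026531836]". Empty if unreadable (no /proc, pid gone, or no
// permission: reading another user's ns links needs ptrace access).
std::string pidNamespaceOf(pid_t pid) {
  std::string link = "/proc/" + std::to_string(pid) + "/ns/pid";
  char buf[64];
  ssize_t n = readlink(link.c_str(), buf, sizeof(buf) - 1);
  if (n < 0) return "";
  return std::string(buf, static_cast<size_t>(n));
}

// "Privileged" in the sense of the review request: the container's PID
// namespace is the host's. For a nested container `chain` holds the leaf
// pid and every ancestor container pid, and all of them must match.
// Assumption for this example: pid 1 stands in for the host namespace.
bool sharesHostPidNamespace(const std::vector<pid_t>& chain) {
  const std::string host = pidNamespaceOf(1);
  if (host.empty() || chain.empty()) return false;  // fail closed: mask
  for (pid_t pid : chain) {
    if (pidNamespaceOf(pid) != host) return false;
  }
  return true;
}

// Pure decision: nothing is masked for a privileged container.
std::vector<std::string> pathsToMask(bool privileged,
                                     const std::vector<std::string>& paths) {
  if (privileged) return {};
  return paths;
}

// Mask one path under `rootfs`: bind /dev/null over a file, an empty
// read-only tmpfs over a directory. Requires CAP_SYS_ADMIN in the
// container's mount namespace. Returns 0 on success or when the target
// does not exist, otherwise the errno from lstat(2)/mount(2).
int maskPath(const std::string& rootfs, const std::string& path) {
  const std::string target = rootfs + path;
  struct stat st;
  if (lstat(target.c_str(), &st) != 0) return errno == ENOENT ? 0 : errno;
  if (S_ISDIR(st.st_mode)) {
    unsigned long flags = MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC;
    if (mount("tmpfs", target.c_str(), "tmpfs", flags, "mode=755") != 0)
      return errno;
    return 0;
  }
  if (mount("/dev/null", target.c_str(), nullptr, MS_BIND, nullptr) != 0)
    return errno;
  // A bind mount ignores MS_RDONLY on creation; remount to make it read-only.
  if (mount(nullptr, target.c_str(), nullptr,
            MS_BIND | MS_REMOUNT | MS_RDONLY, nullptr) != 0)
    return errno;
  return 0;
}

int main() {
  // Treat this process as the container's leaf; a real launcher would pass
  // the pid chain recorded at each nesting level.
  bool privileged = sharesHostPidNamespace({getpid()});
  for (const auto& p : pathsToMask(privileged, DEFAULT_MASKED_PATHS)) {
    std::cout << "would mask " << p << "\n";
  }
  if (privileged) {
    std::cout << "container shares host PID namespace; nothing masked\n";
  }
  return 0;
}
```

Note that `sharesHostPidNamespace` fails closed: if the namespace links cannot be read, the container is treated as unprivileged and the paths are masked, which is the safer default for untrusted workloads.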

