mesos-reviews mailing list archives

From Jie Yu <yujie....@gmail.com>
Subject Re: Review Request 53062: Add rlimit support to Mesos containerizer.
Date Fri, 21 Oct 2016 19:50:07 GMT


> On Oct. 20, 2016, 7:24 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/launch.cpp, lines 592-603
> > <https://reviews.apache.org/r/53062/diff/1/?file=1542360#file1542360line592>
> >
> >     This won't work because data services explicitly want to get limit above what's configured.
> 
> Benjamin Bannier wrote:
>     Wouldn't we poke a giant hole into the system if we allowed unprivileged tasks to set arbitrary rlimits from potentially `root` the agent might be running as without any checks on the agent side? AFAICT above code allows non-privileged tasks to only lower limits, while privileged tasks can still set any limits, which should be safe and enables rlimits for a large class of frameworks.
>     
>     Note that we set rlimits before we potentially drop capabilities like `CAP_SYS_RESOURCE`. I now mention this fact explicitly in the comment.
>     
>     Once we implement agent functionality to check against limiting rlimits we might be able to open up above restriction.

Well, agent will also allow a framework to launch a container under root. I think we deliberately
want to allow that. The authn/authz problem should be handled in authn/authz module.

I want to allow a task running under non-privileged user to be able to increase the hard rlimit.
This is required by many data services. Also, this is what runc does (and OCI specifies).


- Jie


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53062/#review153441
-----------------------------------------------------------


On Oct. 20, 2016, 10:38 p.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53062/
> -----------------------------------------------------------
> 
> (Updated Oct. 20, 2016, 10:38 p.m.)
> 
> 
> Review request for mesos and Jie Yu.
> 
> 
> Bugs: MESOS-6426
>     https://issues.apache.org/jira/browse/MESOS-6426
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This commit adds a new launch flag `--rlimits` which can be used to
> specify POSIX resource limits for the container. The resource limits
> are set as the user, so to increase resource limits beyond configured
> system limits additional privileges might be needed.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.hpp f8bac0650965a49562b9910bf6140ded8dbb69ac 
>   src/slave/containerizer/mesos/launch.cpp 4a41aaf103f5a9bc6f7a798f63f491fc7cf11f7e 
> 
> Diff: https://reviews.apache.org/r/53062/diff/
> 
> 
> Testing
> -------
> 
> Tested as part of https://reviews.apache.org/r/53078/.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>
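The kernel rule this thread turns on, as an added example that is not part of the review or of the patch under discussion: on Linux any process may lower its hard limit, but raising it needs `CAP_SYS_RESOURCE`, which is why the order of `setrlimit` and the capability drop matters. The probe runs in a forked child, the value 64 is constructed, and `lower_only_policy_allows` is a hypothetical sketch of the "lower only unless privileged" check described above, not the code at `launch.cpp` lines 592-603.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RAISE_DENIED = 0, RAISE_ALLOWED = 1, PROBE_ERROR = 2 };

/* Runs in a forked child so the lowered limit never affects the caller. */
static int probe_in_child(void) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_NOFILE, &lim) != 0) return PROBE_ERROR;

    /* Lowering soft and hard limits needs no privilege (64 is constructed). */
    rlim_t low = lim.rlim_cur > 64 ? 64 : lim.rlim_cur;
    lim.rlim_cur = lim.rlim_max = low;
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) return PROBE_ERROR;

    /* Raising the hard limit again is the operation the thread debates. */
    lim.rlim_max = low + 1;
    if (setrlimit(RLIMIT_NOFILE, &lim) == 0) return RAISE_ALLOWED;
    return errno == EPERM ? RAISE_DENIED : PROBE_ERROR;
}

int probe_hard_limit_raise(void) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(probe_in_child());
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}

/* Hypothetical helper: agent-side "lower only unless privileged" check,
   mirroring the kernel rule; not the code under review. */
int lower_only_policy_allows(const struct rlimit *cur, const struct rlimit *req,
                             int privileged) {
    if (req->rlim_cur > req->rlim_max) return 0; /* soft may never exceed hard */
    if (privileged) return 1;                    /* e.g. holds CAP_SYS_RESOURCE */
    return req->rlim_max <= cur->rlim_max;       /* otherwise hard can only drop */
}

int main(void) {
    int r = probe_hard_limit_raise();
    printf("raising the hard limit: %s\n", r == RAISE_ALLOWED ? "allowed"
           : r == RAISE_DENIED ? "denied (EPERM)" : "probe error");
    return r == PROBE_ERROR;
}
```

Run once as an ordinary user and once with `CAP_SYS_RESOURCE` to see both outcomes; root inside a container that has dropped the capability is denied as well.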

