mesos-reviews mailing list archives

From Qian Zhang <zhq527...@gmail.com>
Subject Re: Review Request 70514: Made nested container can access its sandbox via `MESOS_SANDBOX`.
Date Fri, 26 Apr 2019 06:44:36 GMT


> On April 24, 2019, 7:26 a.m., Gilbert Song wrote:
> > src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
> > Lines 508 (patched)
> > <https://reviews.apache.org/r/70514/diff/1/?file=2140522#file2140522line508>
> >
> >     Seems like this mount point will be on the host fs forever

Yes, but we will only do the bind mount in the container's mount namespace.


- Qian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70514/#review214832
-----------------------------------------------------------


On April 22, 2019, 9:25 p.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70514/
> -----------------------------------------------------------
> 
> (Updated April 22, 2019, 9:25 p.m.)
> 
> 
> Review request for mesos, Andrei Budnik, Gilbert Song, and James Peach.
> 
> 
> Bugs: MESOS-9536
>     https://issues.apache.org/jira/browse/MESOS-9536
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Previously in MESOS-8332 we narrowed task sandbox permissions from 0755
> to 0750, which means a nested container may not have permission to
> access its sandbox via the environment variable `MESOS_SANDBOX`. Now in
> this patch, for a nested container which has no rootfs of its own, we bind
> mount its sandbox to the directory specified via the agent flag
> `--sandbox_directory` and set `MESOS_SANDBOX` to `--sandbox_directory`
> as well; in this way such a nested container will have the permission
> to access its sandbox via `MESOS_SANDBOX`.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 725754f26855ea54ccf8cbcb288ee3b29e8ed4e7 
> 
> 
> Diff: https://reviews.apache.org/r/70514/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>
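Added here as an illustration of the change described in the review request above; it is not Mesos code but a small model of the POSIX directory-lookup check that explains why a 0750 parent sandbox blocks the nested container and why a bind mount at `--sandbox_directory` avoids the problem. It assumes a constructed work_dir layout, hypothetical uids 1000 (parent task) and 2000 (nested container), and `/mnt/mesos/sandbox` as the `--sandbox_directory` value.

```python
import stat

# Constructed model of an agent work_dir (not Mesos code). Hypothetical uids:
# the parent (task) container runs as 1000, the nested container as 2000.
TASK_UID, NESTED_UID = 1000, 2000
PARENT_SANDBOX = "/var/lib/mesos/slaves/S/frameworks/F/executors/E/runs/C"
NESTED_SANDBOX = PARENT_SANDBOX + "/containers/N"
SANDBOX_DIRECTORY = "/mnt/mesos/sandbox"  # assumed --sandbox_directory value


def build_tree(parent_mode):
    """Map each directory to (uid, gid, mode). Agent-owned dirs are root 0755;
    the parent sandbox gets parent_mode (0755 before MESOS-8332, 0750 after).
    The containers/ dir and nested sandbox are modeled with the same mode."""
    tree = {}
    parts = PARENT_SANDBOX.strip("/").split("/")
    for i in range(1, len(parts)):
        tree["/" + "/".join(parts[:i])] = (0, 0, 0o755)
    tree[PARENT_SANDBOX] = (TASK_UID, TASK_UID, parent_mode)
    tree[PARENT_SANDBOX + "/containers"] = (TASK_UID, TASK_UID, parent_mode)
    tree[NESTED_SANDBOX] = (NESTED_UID, NESTED_UID, parent_mode)
    return tree


def can_traverse(tree, path, uid, gids):
    """POSIX path lookup: every directory component needs the search (x) bit
    for the caller's class (owner, group or other); root bypasses the check."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        owner, group, mode = tree["/" + "/".join(parts[:i])]
        if uid == 0:
            continue
        bit = (stat.S_IXUSR if uid == owner
               else stat.S_IXGRP if group in gids else stat.S_IXOTH)
        if not mode & bit:
            return False
    return True


def mesos_sandbox_reachable(parent_mode, uid, gids, bind_mount):
    """Can a process with this uid reach the path MESOS_SANDBOX points at?
    With bind_mount, the nested sandbox is also visible at SANDBOX_DIRECTORY
    (in the container's mount namespace) and MESOS_SANDBOX points there."""
    tree = build_tree(parent_mode)
    if not bind_mount:
        return can_traverse(tree, NESTED_SANDBOX, uid, gids)
    tree["/mnt"] = (0, 0, 0o755)
    tree["/mnt/mesos"] = (0, 0, 0o755)
    tree[SANDBOX_DIRECTORY] = tree[NESTED_SANDBOX]  # bind mount: same inode
    return can_traverse(tree, SANDBOX_DIRECTORY, uid, gids)
```

Running `mesos_sandbox_reachable(0o750, NESTED_UID, {NESTED_UID}, False)` reproduces the failure the patch addresses, while the same call with `bind_mount=True` succeeds because no 0750 directory owned by another user lies on the new path.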

