mesos-reviews mailing list archives

From Jacob Janco <jjanco....@gmail.com>
Subject Re: Review Request 70757: Added docs for the NNP isolator.
Date Wed, 17 Jul 2019 19:24:45 GMT


> On July 12, 2019, 5:46 p.m., Andrei Budnik wrote:
> > src/slave/containerizer/mesos/isolators/linux/nnp.cpp
> > Lines 71 (patched)
> > <https://reviews.apache.org/r/70757/diff/7/?file=2154555#file2154555line71>
> >
> >     What happens if a framework explicitly sets the `no_new_privileges` flag to `false` in the `ContainerLaunchInfo`? Does the isolator handle such a case?
> 
> James Peach wrote:
>     In that case, the containerizer would do nothing (i.e. default NNP status). This would have the same end result, but I agree that it's worth being explicit here.
> 
> Andrei Budnik wrote:
>     At this point, the NNP isolator does not support overriding of a NNP bit by a framework?
>     
>     Here is an example of how the `linux/seccomp` isolator handles the `seccomp` flag provided by a framework: https://github.com/apache/mesos/blob/master/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp#L98-L103

Dropping this issue from chat on Slack:

jpeach:
We need the operator to take some action to enable NNP; we can't just turn it on since that
might break things. The way I had been thinking about this was that the action would be enabling
the NNP isolator. However, when we make it configurable by frameworks, that action is no
longer definitive (i.e. there's no way to be explicit about what you want the default to be
for frameworks that don't set the field). This is why I was suggesting that the seccomp isolator
deal with the configurable part, since NNP is usually associated with seccomp as well.


jpeach [19 hours ago]
However, if we follow this reasoning, it takes us back to our original aim for the NNP isolator,
which was to unconditionally set the NNP flag. Taking this approach, we can add the configurable
parts later.


- Jacob


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70757/#review216562
-----------------------------------------------------------


On July 17, 2019, 7:19 p.m., Jacob Janco wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70757/
> -----------------------------------------------------------
> 
> (Updated July 17, 2019, 7:19 p.m.)
> 
> 
> Review request for mesos, Andrei Budnik, Gilbert Song, Jie Yu, and James Peach.
> 
> 
> Bugs: MESOS-9770
>     https://issues.apache.org/jira/browse/MESOS-9770
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added docs for the NNP isolator.
> 
> 
> Diffs
> -----
> 
>   CHANGELOG 164465a71c660ab9f01fb18d43076afc4b892ad5 
>   docs/isolators/linux-nnp.md PRE-CREATION 
>   docs/mesos-containerizer.md e79976111ec8e9cc8e8d44b5f1b8d6e2c7e072d6 
> 
> 
> Diff: https://reviews.apache.org/r/70757/diff/9/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Jacob Janco
> 
>
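
Added example, not part of this review or of the Mesos source: the "NNP flag" the isolator sets is the Linux no_new_privs bit, exercised here directly through prctl(2). It shows the two kernel properties the discussion above turns on: once the bit is set it cannot be cleared (the kernel rejects any value other than 1), and it is inherited by forked children and across execve, so enabling it unconditionally affects every process in the container, including setuid helpers that would otherwise gain privileges. Function names are my own; it assumes Linux 3.5 or later.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current no_new_privs bit of the calling task: 0 or 1, or -1 on error. */
int nnp_status(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set no_new_privs for the calling task (what an NNP isolator does in the
 * container launch path). Returns 0 on success, -1 on failure. */
int nnp_enable(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Try to clear the bit. The kernel only accepts arg2 == 1, so this always
 * fails; we return errno (EINVAL) so the caller can see that it is sticky. */
int nnp_try_clear(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Fork a child and report the NNP bit the child observes after fork
 * (the same bit survives execve). Returns the bit, or -1 on error. */
int nnp_status_in_child(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int bit = nnp_status();
        _exit(bit < 0 ? 2 : bit);   /* 2 signals an error to the parent */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void) {
    printf("before enable: nnp=%d\n", nnp_status());
    if (nnp_enable() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after enable:  nnp=%d\n", nnp_status());
    printf("clear attempt: errno=%d (EINVAL=%d)\n", nnp_try_clear(), EINVAL);
    printf("forked child:  nnp=%d\n", nnp_status_in_child());
    return 0;
}
```

Because the bit is irreversible and inherited, the choice in the thread is a one-way door for the container: an operator who enables the isolator is committing every task in that container to never gain privileges through setuid or file capabilities, which is why the default cannot simply be "on" without an explicit operator action.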

