Forced the network isolator to use the mount namespace. Review: https://reviews.apache.org/r/36930
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/351a40e8 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/351a40e8 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/351a40e8 Branch: refs/heads/master Commit: 351a40e8c7945f55743f31412a1a70ac9e4464e0 Parents: 3620efc Author: Jie Yu <[email protected]> Authored: Wed Jul 29 17:14:04 2015 -0700 Committer: Jie Yu <[email protected]> Committed: Mon Aug 3 10:15:24 2015 -0700 ---------------------------------------------------------------------- src/slave/containerizer/isolators/network/port_mapping.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/351a40e8/src/slave/containerizer/isolators/network/port_mapping.cpp ----------------------------------------------------------------------
diff --git a/src/slave/containerizer/isolators/network/port_mapping.cpp b/src/slave/containerizer/isolators/network/port_mapping.cpp
index 3f6e9df..8244c34 100644
--- a/src/slave/containerizer/isolators/network/port_mapping.cpp
+++ b/src/slave/containerizer/isolators/network/port_mapping.cpp
@@ -1628,7 +1628,12 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
 process::Future<Option<int>> PortMappingIsolatorProcess::namespaces()
 {
- return CLONE_NEWNET;
+ // NOTE: the port mapping isolator itself doesn't require mount
+ // namespace. However, if mount namespace is enabled because of
+ // other isolators, we need to set mount sharing accordingly for
+ // PORT_MAPPING_BIND_MOUNT_ROOT to avoid races described in
+ // MESOS-1558. So we turn on mount namespace here for consistency.
+ return CLONE_NEWNET | CLONE_NEWNS;
 }
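Review bot: The new comment in `namespaces()` says mount sharing must be set "accordingly" for PORT_MAPPING_BIND_MOUNT_ROOT, but the return now adds `CLONE_NEWNS` unconditionally and nothing in this hunk shows where that propagation setting is made or checked. Every container using this isolator will now get its own mount namespace, so the comment should state the invariant the code relies on and point to where it is enforced (not visible here; presumably elsewhere in port_mapping.cpp). One line such as `// Containers therefore always get their own mount namespace, even if no other isolator asks for one.` would make the isolation consequence explicit. A test asserting that the returned flags contain both `CLONE_NEWNET` and `CLONE_NEWNS` would keep this from regressing silently.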
