Introduced `--disallow_sharing_agent_pid_namespace` agent flag. Introduced `--disallow_sharing_agent_pid_namespace` agent flag.
Review: https://reviews.apache.org/r/61406/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/03e093f5 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/03e093f5 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/03e093f5 Branch: refs/heads/master Commit: 03e093f5d09e35a54e4373692d47a46d58fae4d0 Parents: dc1908a Author: Qian Zhang <zhq527...@gmail.com> Authored: Sun Aug 13 19:51:56 2017 -0700 Committer: Gilbert Song <songzihao1...@gmail.com> Committed: Mon Aug 14 15:40:31 2017 -0700 ---------------------------------------------------------------------- docs/configuration.md | 14 ++++++++++++++ src/slave/flags.cpp | 10 ++++++++++ src/slave/flags.hpp | 1 + 3 files changed, 25 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/03e093f5/docs/configuration.md ----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 6ab2d1a..e43f9ea 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -2046,6 +2046,20 @@ sandbox is mapped to.
 </tr>
 <tr>
 <td>
+ --[no-]disallow_sharing_agent_pid_namespace
+ </td>
+ <td>
+If set to <code>true</code>, each top-level container will have its own pid
+namespace, and if the framework requests to share the agent pid namespace for
+the top level container, the container launch will be rejected. If set to
+<code>false</code>, the top-level containers will share the pid namespace with
+agent if the framework requests it. This flag will be ignored if the
+`namespaces/pid` isolator is not enabled.
+(default: false)
+ </td>
+</tr>
+<tr>
+ <td>
 --[no-]strict
 </td>
 <td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/03e093f5/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 4171604..3b02f3e 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -639,6 +639,16 @@ mesos::internal::slave::Flags::Flags()
 "\n"
 "This flag has the same syntax as `--effective_capabilities`."
 );
+
+ add(&Flags::disallow_sharing_agent_pid_namespace,
+ "disallow_sharing_agent_pid_namespace",
+ "If set to `true`, each top-level container will have its own pid\n"
+ "namespace, and if the framework requests to share the agent pid\n"
+ "namespace for the top level container, the container launch will be\n"
+ "rejected. If set to `false`, the top-level containers will share the\n"
+ "pid namespace with agent if the framework requests it. This flag will\n"
+ "be ignored if the `namespaces/pid` isolator is not enabled.\n",
+ false);
 #endif
 add(&Flags::firewall_rules,
http://git-wip-us.apache.org/repos/asf/mesos/blob/03e093f5/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 032880d..2970fea 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -113,6 +113,7 @@ public:
 std::string systemd_runtime_directory;
 Option<CapabilityInfo> effective_capabilities;
 Option<CapabilityInfo> bounding_capabilities;
+ bool disallow_sharing_agent_pid_namespace;
 #endif
 Option<Firewall> firewall_rules;
 Option<Path> credential;
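Review bot: The last line of the new help text in the `add(&Flags::disallow_sharing_agent_pid_namespace, ...)` call ends with a trailing `\n`, whereas the preceding flag's text visible in the context lines (`"This flag has the same syntax as ..."`) ends without one, so this flag's `--help` entry will likely render with an extra blank line; drop it so the string ends with `isolator is not enabled.",`. The default of `false` keeps the permissive behaviour — a framework can still request the agent's pid namespace for a top-level container, which gives that container a view of the agent's own process tree — so operators hardening an agent have to opt in, and the help text could say so, e.g. append `"Operators who do not want containers to observe the agent's process tree should set this to true."`. Only the flag's declaration and default are in this commit; the launch rejection the text describes has to be enforced by the `namespaces/pid` isolator, which is not part of this diff. The enclosing constructor `Flags::Flags()` starts and ends outside the hunk.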