Added test `NamespacesIsolatorTest.ROOT_SharePidNamespaceWhenDisallow`. Added test `NamespacesIsolatorTest.ROOT_SharePidNamespaceWhenDisallow`.
Review: https://reviews.apache.org/r/61465/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/e2f3804f Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/e2f3804f Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/e2f3804f Branch: refs/heads/1.4.x Commit: e2f3804fa849811917d0894a18ad02c056d166b6 Parents: 8ff09b2 Author: Qian Zhang <zhq527...@gmail.com> Authored: Sun Aug 13 19:52:00 2017 -0700 Committer: Gilbert Song <songzihao1...@gmail.com> Committed: Mon Aug 14 21:30:45 2017 -0700 ---------------------------------------------------------------------- src/tests/containerizer/isolator_tests.cpp | 40 ++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/e2f3804f/src/tests/containerizer/isolator_tests.cpp ---------------------------------------------------------------------- diff --git a/src/tests/containerizer/isolator_tests.cpp b/src/tests/containerizer/isolator_tests.cpp index f8860ae..5072baf 100644 --- a/src/tests/containerizer/isolator_tests.cpp +++ b/src/tests/containerizer/isolator_tests.cpp @@ -68,11 +68,18 @@ public: containerId.set_value(UUID::random().toString()); } - Try<Owned<MesosContainerizer>> createContainerizer(const string& isolation) + Try<Owned<MesosContainerizer>> createContainerizer( + const string& isolation, + const Option<bool>& disallowSharingAgentPidNamespace = None()) { slave::Flags flags = CreateSlaveFlags(); flags.isolation = isolation; + if (disallowSharingAgentPidNamespace.isSome()) { + flags.disallow_sharing_agent_pid_namespace = + disallowSharingAgentPidNamespace.get(); + } + fetcher.reset(new Fetcher(flags)); Try<MesosContainerizer*> _containerizer = 
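Review bot: The new `disallowSharingAgentPidNamespace` argument of `createContainerizer` is undocumented, and with the default `None()` the helper leaves `flags.disallow_sharing_agent_pid_namespace` at whatever `CreateSlaveFlags()` returns. A one-line comment above the helper would make that explicit, for example `// If set, overrides --disallow_sharing_agent_pid_namespace; otherwise the CreateSlaveFlags() default is kept.` Tests that expect sharing to be permitted, such as `ROOT_SharePidNamespace` named in the next hunk header (its body is not visible here), presumably rely on that default. Passing `false` explicitly in those tests would keep them meaningful if the default ever changes. The helper's body continues past the end of this hunk.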
@@ -214,6 +221,37 @@ TEST_F(NamespacesIsolatorTest, ROOT_SharePidNamespace) } +// This test verifies launching a top-level container to share +// pid namespace with agent will fail when the agent flag +// `--disallow_sharing_agent_pid_namespace` is set to true. +TEST_F(NamespacesIsolatorTest, ROOT_SharePidNamespaceWhenDisallow) +{ + Try<Owned<MesosContainerizer>> containerizer = + createContainerizer("filesystem/linux,namespaces/pid", true); + + ASSERT_SOME(containerizer); + + const string command = "sleep 1000"; + + mesos::slave::ContainerConfig containerConfig = createContainerConfig( + None(), + createExecutorInfo("executor", command), + directory); + + ContainerInfo* container = containerConfig.mutable_container_info(); + container->set_type(ContainerInfo::MESOS); + container->mutable_linux_info()->set_share_pid_namespace(true); + + process::Future<bool> launch = containerizer.get()->launch( + containerId, + containerConfig, + std::map<string, string>(), + None()); + + AWAIT_FAILED(launch); +} + + // The IPC namespace has its own copy of the svipc(7) tunables. We verify // that we are correctly entering the IPC namespace by verifying that we // can set shmmax some different value than that of the host namespace.
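Review bot: `AWAIT_FAILED(launch)` at the end of `ROOT_SharePidNamespaceWhenDisallow` accepts any launch failure, so the test stays green if the launch breaks for an unrelated reason even when the `--disallow_sharing_agent_pid_namespace` check has regressed. This flag is what keeps a top-level container out of the agent's pid namespace, so the test should pin the failure reason. For example, follow the await with `EXPECT_TRUE(strings::contains(launch.failure(), "<rejection message of the namespaces/pid isolator>"));`, where the quoted text is a placeholder because the exact message is not on this page. The test also has no cleanup if the launch unexpectedly succeeds, in which case the `sleep 1000` executor may be left running; whether fixture teardown covers that cannot be seen from this hunk.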