Added a `linux/devices` isolator skeleton. Added the skeleton of a `linux/devices` isolator and wired it into the build and the Mesos containerizer.
Review: https://reviews.apache.org/r/67096/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/377478d5 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/377478d5 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/377478d5 Branch: refs/heads/master Commit: 377478d5967535a4f71abc6ae3351fabd422452b Parents: 0e9a414 Author: James Peach <[email protected]> Authored: Fri May 25 13:38:00 2018 -0700 Committer: James Peach <[email protected]> Committed: Fri May 25 13:38:00 2018 -0700 ---------------------------------------------------------------------- src/CMakeLists.txt | 1 + src/Makefile.am | 2 + src/slave/containerizer/mesos/containerizer.cpp | 2 + .../mesos/isolators/linux/devices.cpp | 64 ++++++++++++++++++++ .../mesos/isolators/linux/devices.hpp | 50 +++++++++++++++ 5 files changed, 119 insertions(+) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/377478d5/src/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index d488131..f86884d 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -302,6 +302,7 @@ set(LINUX_SRC
 slave/containerizer/mesos/isolators/gpu/nvml.cpp
 slave/containerizer/mesos/isolators/gpu/volume.cpp
 slave/containerizer/mesos/isolators/linux/capabilities.cpp
+ slave/containerizer/mesos/isolators/linux/devices.cpp
 slave/containerizer/mesos/isolators/namespaces/ipc.cpp
 slave/containerizer/mesos/isolators/namespaces/pid.cpp
 slave/containerizer/mesos/isolators/network/cni/cni.cpp
http://git-wip-us.apache.org/repos/asf/mesos/blob/377478d5/src/Makefile.am
----------------------------------------------------------------------
diff --git a/src/Makefile.am b/src/Makefile.am
index c08ac6e..da0d683 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1335,6 +1335,7 @@ MESOS_LINUX_FILES = \
 slave/containerizer/mesos/isolators/gpu/nvml.cpp \
 slave/containerizer/mesos/isolators/gpu/volume.cpp \
 slave/containerizer/mesos/isolators/linux/capabilities.cpp \
+ slave/containerizer/mesos/isolators/linux/devices.cpp \
 slave/containerizer/mesos/isolators/namespaces/ipc.cpp \
 slave/containerizer/mesos/isolators/namespaces/pid.cpp \
 slave/containerizer/mesos/isolators/network/cni/cni.cpp \
@@ -1383,6 +1384,7 @@ MESOS_LINUX_FILES += \
 slave/containerizer/mesos/isolators/gpu/nvml.hpp \
 slave/containerizer/mesos/isolators/gpu/volume.hpp \
 slave/containerizer/mesos/isolators/linux/capabilities.hpp \
+ slave/containerizer/mesos/isolators/linux/devices.hpp \
 slave/containerizer/mesos/isolators/namespaces/ipc.hpp \
 slave/containerizer/mesos/isolators/namespaces/pid.hpp \
 slave/containerizer/mesos/isolators/network/cni/cni.hpp \
http://git-wip-us.apache.org/repos/asf/mesos/blob/377478d5/src/slave/containerizer/mesos/containerizer.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 6620e94..93197b0 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -98,6 +98,7 @@
 #include "slave/containerizer/mesos/isolators/filesystem/shared.hpp"
 #include "slave/containerizer/mesos/isolators/gpu/nvidia.hpp"
 #include "slave/containerizer/mesos/isolators/linux/capabilities.hpp"
+#include "slave/containerizer/mesos/isolators/linux/devices.hpp"
 #include "slave/containerizer/mesos/isolators/namespaces/ipc.hpp"
 #include "slave/containerizer/mesos/isolators/namespaces/pid.hpp"
 #include "slave/containerizer/mesos/isolators/network/cni/cni.hpp"
@@ -396,6 +397,7 @@ Try<MesosContainerizer*> MesosContainerizer::create( {"appc/runtime", &AppcRuntimeIsolatorProcess::create}, {"docker/runtime", &DockerRuntimeIsolatorProcess::create}, + {"linux/devices", &LinuxDevicesIsolatorProcess::create}, {"linux/capabilities", &LinuxCapabilitiesIsolatorProcess::create}, {"namespaces/ipc", &NamespacesIPCIsolatorProcess::create}, http://git-wip-us.apache.org/repos/asf/mesos/blob/377478d5/src/slave/containerizer/mesos/isolators/linux/devices.cpp ---------------------------------------------------------------------- diff --git a/src/slave/containerizer/mesos/isolators/linux/devices.cpp b/src/slave/containerizer/mesos/isolators/linux/devices.cpp new file mode 100644 index 0000000..35ed008 --- /dev/null +++ b/src/slave/containerizer/mesos/isolators/linux/devices.cpp 
@@ -0,0 +1,64 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+#include "slave/containerizer/mesos/isolators/linux/devices.hpp"
+
+using process::Failure;
+using process::Future;
+using process::Owned;
+
+using mesos::slave::ContainerConfig;
+using mesos::slave::ContainerLaunchInfo;
+using mesos::slave::Isolator;
+
+namespace mesos {
+namespace internal {
+namespace slave {
+
+Try<Isolator*> LinuxDevicesIsolatorProcess::create(const Flags& flags)
+{
+ if (geteuid() != 0) {
+ return Error("Linux devices isolator requires root permissions");
+ }
+
+ return new MesosIsolator(
+ Owned<MesosIsolatorProcess>(new LinuxDevicesIsolatorProcess(flags)));
+}
+
+
+bool LinuxDevicesIsolatorProcess::supportsNesting()
+{
+ return true;
+}
+
+
+bool LinuxDevicesIsolatorProcess::supportsStandalone()
+{
+ return true;
+}
+
+
+Future<Option<ContainerLaunchInfo>> LinuxDevicesIsolatorProcess::prepare(
+ const ContainerID& containerId,
+ const ContainerConfig& containerConfig)
+{
+ return None();
+}
+
+} // namespace slave {
+} // namespace internal {
+} // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/377478d5/src/slave/containerizer/mesos/isolators/linux/devices.hpp
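Review bot: `create()` constructs the process with `new LinuxDevicesIsolatorProcess(flags)`, but this new 64-line file never defines that constructor and devices.hpp only declares it, so the call looks like an unresolved symbol at link time unless a definition lives somewhere outside this commit. A minimal definition such as `LinuxDevicesIsolatorProcess::LinuxDevicesIsolatorProcess(const Flags& _flags) : ProcessBase(process::ID::generate("linux-devices-isolator")) {}` would close that gap. Separately, `prepare()` returns `None()`, so an agent that lists `linux/devices` in its isolation flag passes the root check and then restricts nothing; a comment above `prepare()` such as `// TODO: Skeleton only; no device restrictions are applied yet.` would keep operators from reading the isolator name as an enforced control. `geteuid()` is also used without a direct `#include <unistd.h>`, and `using process::Failure;` is unused.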
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/linux/devices.hpp b/src/slave/containerizer/mesos/isolators/linux/devices.hpp
new file mode 100644
index 0000000..e731ef3
--- /dev/null
+++ b/src/slave/containerizer/mesos/isolators/linux/devices.hpp
@@ -0,0 +1,50 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __LINUX_DEVICES_ISOLATOR_HPP__
+#define __LINUX_DEVICES_ISOLATOR_HPP__
+
+#include <stout/try.hpp>
+
+#include "slave/flags.hpp"
+
+#include "slave/containerizer/mesos/isolator.hpp"
+
+namespace mesos {
+namespace internal {
+namespace slave {
+
+class LinuxDevicesIsolatorProcess : public MesosIsolatorProcess
+{
+public:
+ static Try<mesos::slave::Isolator*> create(const Flags& flags);
+
+ virtual bool supportsNesting();
+ virtual bool supportsStandalone();
+
+ virtual process::Future<Option<mesos::slave::ContainerLaunchInfo>> prepare(
+ const ContainerID& containerId,
+ const mesos::slave::ContainerConfig& containerConfig);
+
+private:
+ LinuxDevicesIsolatorProcess(const Flags& _flags);
+};
+
+} // namespace slave {
+} // namespace internal {
+} // namespace mesos {
+
+#endif // __LINUX_DEVICES_ISOLATOR_HPP__
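Review bot: The three virtual members (`supportsNesting`, `supportsStandalone`, `prepare`) are declared with `virtual` alone, so if a signature ever drifts from the one in `MesosIsolatorProcess` the compiler accepts it as a new function and the containerizer keeps calling the base version, which for an isolator means the control silently stops being applied. Marking them `override`, e.g. `bool supportsNesting() override;`, turns that drift into a compile error; the base class is outside this diff, so the signatures should be confirmed against it. The class would also benefit from a short comment stating that it is a skeleton that performs no device isolation yet. The header uses `process::Future` and `Option` without including `<process/future.hpp>` and `<stout/option.hpp>` directly, and the single-argument constructor could be `explicit`.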
