This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.7.x in repository https://gitbox.apache.org/repos/asf/mesos.git
commit e390e576dc3568031f41ca442b774ac419398813 Author: Andrei Budnik <[email protected]> AuthorDate: Mon Feb 11 12:51:27 2019 -0800 Added `--enable-launcher-sealing` compiler flag. This flag enables sealing of launcher binary during initialization of Mesos containerizer. It's disabled by default because sealing requires Linux kernel 3.17+. Review: https://reviews.apache.org/r/69949/ (cherry picked from commit c97d50e2b0b3bdbcb6dde58395a21c819d56194a)
---
cmake/CompilationConfigure.cmake | 4 ++++ configure.ac | 31 +++++++++++++++++++++++++++++++ src/CMakeLists.txt | 7 ++++++- src/Makefile.am | 14 +++++++++++--- src/tests/CMakeLists.txt | 6 +++++- 5 files changed, 57 insertions(+), 5 deletions(-)
diff --git a/cmake/CompilationConfigure.cmake b/cmake/CompilationConfigure.cmake
index 10cacfb..33bd6b0 100644
--- a/cmake/CompilationConfigure.cmake
+++ b/cmake/CompilationConfigure.cmake
@@ -418,6 +418,10 @@ if (LINUX) "The XFS disk isolator is not yet supported, see MESOS-9117.") endif () + option(ENABLE_LAUNCHER_SEALING + "Whether to enable containerizer launcher sealing via memfd." + FALSE) + option(ENABLE_PORT_MAPPING_ISOLATOR "Whether to enable the port mapping isolator." FALSE)
diff --git a/configure.ac b/configure.ac
index 1e37677..36850da 100644
--- a/configure.ac
+++ b/configure.ac
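Review bot: The help text of the new `ENABLE_LAUNCHER_SEALING` option in cmake/CompilationConfigure.cmake says only "via memfd", so someone reading the CMake cache learns neither what the hardening protects nor why it defaults to `FALSE`. The configure.ac help string and the commit message carry that information: sealing stops containers from overwriting the launcher executable and needs memfd support in the kernel (Linux 3.17+ per the commit message). I would align the wording, e.g. `"Whether to seal an in-memory copy of the containerizer launcher (memfd) so containers cannot overwrite it; requires Linux 3.17+."`. The option appears to sit inside the `if (LINUX)` block named in the hunk header, but that block starts outside the hunk, so the Linux-only guarantee should be confirmed there.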
@@ -281,6 +281,17 @@ AC_ARG_ENABLE([last_in_first_out_fixed_size_semaphore], [enables the optimized LIFO fixed-size semaphore in libprocess]), [], [enable_last_in_first_out_fixed_size_semaphore=no]) +AC_ARG_ENABLE([launcher_sealing], + AS_HELP_STRING([--enable-launcher-sealing], + [Enables sealing of launcher binary during + initialization of Mesos containerizer. + A copy of launcher's binary is cloned into + memory and sealed to prevent overwriting of + launcher's executable by containers. + This is a Linux-specific feature and requires + the support of memfd by the kernel.]), + [], [enable_launcher_sealing=no]) + AC_ARG_ENABLE([libevent], AS_HELP_STRING([--enable-libevent], [use libevent instead of libev]),
@@ -1469,6 +1480,26 @@ AM_CONDITIONAL([WITH_BUNDLED_LEVELDB], [test "x$with_bundled_leveldb" = "xyes"]) +# Check if we should use containerizer launcher sealing. +AC_MSG_CHECKING([whether to enable launcher sealing]) +AC_MSG_RESULT([$enable_launcher_sealing]) + +AS_IF([test "x$enable_launcher_sealing" = "xyes"], [ + # We only support launcher sealing on Linux. + AS_IF([test "$OS_NAME" = "linux"], + [], + [AC_MSG_ERROR([no launcher sealing support on $OS_NAME +------------------------------------------------------------------- +Launcher sealing is only supported on Linux. +------------------------------------------------------------------- + ])]) + + AC_DEFINE([ENABLE_LAUNCHER_SEALING]) +]) + +AM_CONDITIONAL([ENABLE_LAUNCHER_SEALING], [test "x$enable_launcher_sealing" = "xyes"]) + + # Check if libevent prefix path was provided, and if so, add it to # the CPPFLAGS and LDFLAGS with respective /include and /lib path # suffixes.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 6449e48..936e782 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -273,7 +273,6 @@ set(LINUX_SRC linux/fs.cpp linux/ldcache.cpp linux/ldd.cpp - linux/memfd.cpp linux/ns.cpp linux/perf.cpp linux/systemd.cpp
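Review bot: In the `@@ -1469,6 +1480,26 @@` hunk of configure.ac the only gate on `--enable-launcher-sealing` is `test "$OS_NAME" = "linux"`, although the commit message says sealing needs Linux 3.17+ and the help text says it needs memfd support in the kernel. A build host without the memfd definitions would presumably fail later with a compile error instead of a clear configure message; a probe before `AC_DEFINE`, for example `AC_CHECK_DECL([MFD_ALLOW_SEALING], [], [AC_MSG_ERROR([launcher sealing requires memfd sealing support])], [[#include <linux/memfd.h>]])`, would report it up front. Whether linux/memfd.cpp relies on that header or defines the constants itself is not visible here, so the exact probe needs checking against that file. A configure check covers only the build host: the agent should still fail closed at start-up when the running kernel lacks memfd rather than continue with an unsealed launcher, and this diff does not show which of the two it does.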
@@ -318,6 +317,11 @@ if (ENABLE_XFS_DISK_ISOLATOR) slave/containerizer/mesos/isolators/xfs/utils.cpp) endif () +if (ENABLE_LAUNCHER_SEALING) + list(APPEND LINUX_SRC + linux/memfd.cpp) +endif () + if (ENABLE_LINUX_ROUTING) list(APPEND LINUX_SRC linux/routing/handle.cpp
@@ -562,6 +566,7 @@ target_compile_definitions( mesos PUBLIC USE_CMAKE_BUILD_CONFIG $<$<BOOL:${ENABLE_XFS_DISK_ISOLATOR}>:ENABLE_XFS_DISK_ISOLATOR> + $<$<BOOL:${ENABLE_LAUNCHER_SEALING}>:ENABLE_LAUNCHER_SEALING> $<$<BOOL:${ENABLE_PORT_MAPPING_ISOLATOR}>:ENABLE_PORT_MAPPING_ISOLATOR> $<$<BOOL:${ENABLE_NETWORK_PORTS_ISOLATOR}>:ENABLE_NETWORK_PORTS_ISOLATOR>)
diff --git a/src/Makefile.am b/src/Makefile.am
index 0a71db9..aa343ab 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1300,8 +1300,6 @@ MESOS_LINUX_FILES = \ linux/ldcache.hpp \ linux/ldd.cpp \ linux/ldd.hpp \ - linux/memfd.cpp \ - linux/memfd.hpp \ linux/ns.cpp \ linux/ns.hpp \ linux/perf.cpp \
@@ -1391,6 +1389,12 @@ MESOS_LINUX_FILES += \ slave/containerizer/mesos/isolators/xfs/disk.hpp endif +if ENABLE_LAUNCHER_SEALING +MESOS_LINUX_FILES += \ + linux/memfd.cpp \ + linux/memfd.hpp +endif + MESOS_LINUX_ROUTING_FILES = \ linux/routing/handle.cpp \ linux/routing/handle.hpp \
@@ -2654,7 +2658,6 @@ mesos_tests_SOURCES += \ tests/containerizer/docker_volume_isolator_tests.cpp \ tests/containerizer/linux_devices_isolator_tests.cpp \ tests/containerizer/linux_filesystem_isolator_tests.cpp \ - tests/containerizer/linux_memfd_tests.cpp \ tests/containerizer/fs_tests.cpp \ tests/containerizer/memory_pressure_tests.cpp \ tests/containerizer/nested_mesos_containerizer_tests.cpp \
@@ -2670,6 +2673,11 @@ mesos_tests_SOURCES += \ tests/containerizer/volume_secret_isolator_tests.cpp endif +if ENABLE_LAUNCHER_SEALING +mesos_tests_SOURCES += \ + tests/containerizer/linux_memfd_tests.cpp +endif + if ENABLE_LINUX_ROUTING mesos_tests_SOURCES += \ tests/containerizer/routing_tests.cpp
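Review bot: With `linux/memfd.cpp` appended to `LINUX_SRC` only under `if (ENABLE_LAUNCHER_SEALING)` in src/CMakeLists.txt (and the same move for `MESOS_LINUX_FILES` in src/Makefile.am), every C++ call site of the memfd helpers has to sit behind `#ifdef ENABLE_LAUNCHER_SEALING`, yet the diffstat of this commit lists build files only. If the containerizer references those helpers unguarded, the default build would fail to link; presumably the guards arrive in a separate commit, which is worth confirming on this branch. Because the hardening is now off unless the packager opts in, I would also log at agent start-up whether launcher sealing is compiled in, so operators can tell from the log that a given binary runs without the protection.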
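Review bot: Moving `tests/containerizer/linux_memfd_tests.cpp` behind `if ENABLE_LAUNCHER_SEALING` in the `@@ -2670,6 +2673,11 @@` hunk of src/Makefile.am, and likewise behind `if (ENABLE_LAUNCHER_SEALING)` in src/tests/CMakeLists.txt, means a default build no longer compiles or runs the memfd tests. Since the flag defaults to off, the sealing code is exercised only if some CI configuration passes `--enable-launcher-sealing` (or `-DENABLE_LAUNCHER_SEALING=ON` for CMake), and no such configuration is added in this commit. I would add one and put a comment above the block, such as `# Built only with --enable-launcher-sealing; keep a CI configuration that enables it.`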
diff --git a/src/tests/CMakeLists.txt b/src/tests/CMakeLists.txt
index ad30b94..ae0ed58 100644
--- a/src/tests/CMakeLists.txt
+++ b/src/tests/CMakeLists.txt
@@ -229,7 +229,6 @@ if (LINUX) containerizer/linux_capabilities_isolator_tests.cpp containerizer/linux_devices_isolator_tests.cpp containerizer/linux_filesystem_isolator_tests.cpp - containerizer/linux_memfd_tests.cpp containerizer/memory_pressure_tests.cpp containerizer/nested_mesos_containerizer_tests.cpp containerizer/ns_tests.cpp
@@ -247,6 +246,11 @@ if (LINUX) containerizer/xfs_quota_tests.cpp) endif() + if (ENABLE_LAUNCHER_SEALING) + list(APPEND MESOS_TESTS_SRC + containerizer/linux_memfd_tests.cpp) + endif() + if (ENABLE_LINUX_ROUTING) list(APPEND MESOS_TESTS_SRC containerizer/routing_tests.cpp)
