This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.6.x in repository https://gitbox.apache.org/repos/asf/mesos.git
commit da73d0754c3de7f0df17d08228876bd07f852ebf Author: Andrei Budnik <[email protected]> AuthorDate: Mon Feb 11 12:51:27 2019 -0800 Added `--enable-launcher-sealing` compiler flag. This flag enables sealing of launcher binary during initialization of Mesos containerizer. It's disabled by default because sealing requires Linux kernel 3.17+. Review: https://reviews.apache.org/r/69949/ (cherry picked from commit c97d50e2b0b3bdbcb6dde58395a21c819d56194a) --- configure.ac | 31 +++++++++++++++++++++++++++++++ src/CMakeLists.txt | 1 - src/Makefile.am | 13 +++++++++++-- src/tests/CMakeLists.txt | 1 - 4 files changed, 42 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index fe1bf94..f33b4be 100644 --- a/configure.ac +++ b/configure.ac @@ -227,6 +227,17 @@ AC_ARG_ENABLE([last_in_first_out_fixed_size_semaphore], [enables the optimized LIFO fixed-size semaphore in libprocess]), [], [enable_last_in_first_out_fixed_size_semaphore=no]) +AC_ARG_ENABLE([launcher_sealing], + AS_HELP_STRING([--enable-launcher-sealing], + [Enables sealing of launcher binary during + initialization of Mesos containerizer. + A copy of launcher's binary is cloned into + memory and sealed to prevent overwriting of + launcher's executable by containers. + This is a Linux-specific feature and requires + the support of memfd by the kernel.]), + [], [enable_launcher_sealing=no]) + AC_ARG_ENABLE([libevent], AS_HELP_STRING([--enable-libevent], [use libevent instead of libev]), 
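Review bot: The `--enable-launcher-sealing` help string in the `AC_ARG_ENABLE([launcher_sealing], ...)` block does not say that the option is off by default or which kernel it needs, although the commit message gives Linux 3.17+ as the requirement. The text itself describes sealing as what prevents containers from overwriting the launcher's executable, so anyone reading `./configure --help` should be able to see that a default build ships without that protection. I would end the help text with `Disabled by default; requires Linux kernel 3.17 or later (memfd support).`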
@@ -1413,6 +1424,26 @@ AM_CONDITIONAL([WITH_BUNDLED_LEVELDB], [test "x$with_bundled_leveldb" = "xyes"]) +# Check if we should use containerizer launcher sealing. +AC_MSG_CHECKING([whether to enable launcher sealing]) +AC_MSG_RESULT([$enable_launcher_sealing]) + +AS_IF([test "x$enable_launcher_sealing" = "xyes"], [ + # We only support launcher sealing on Linux. + AS_IF([test "$OS_NAME" = "linux"], + [], + [AC_MSG_ERROR([no launcher sealing support on $OS_NAME +------------------------------------------------------------------- +Launcher sealing is only supported on Linux. +------------------------------------------------------------------- + ])]) + + AC_DEFINE([ENABLE_LAUNCHER_SEALING]) +]) + +AM_CONDITIONAL([ENABLE_LAUNCHER_SEALING], [test "x$enable_launcher_sealing" = "xyes"]) + + # Check if libevent prefix path was provided, and if so, add it to # the CPPFLAGS and LDFLAGS with respective /include and /lib path # suffixes. diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index bb7b535..de9b5b8 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -276,7 +276,6 @@ set(LINUX_SRC linux/fs.cpp linux/ldcache.cpp linux/ldd.cpp - linux/memfd.cpp linux/ns.cpp linux/perf.cpp linux/systemd.cpp diff --git a/src/Makefile.am b/src/Makefile.am index 26d874a..400e51f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1310,7 +1310,6 @@ MESOS_LINUX_FILES = \ linux/fs.cpp \ linux/ldcache.cpp \ linux/ldd.cpp \ - linux/memfd.cpp \ linux/ns.cpp \ linux/perf.cpp \ linux/systemd.cpp \ @@ -1405,6 +1404,12 @@ MESOS_LINUX_FILES += \ slave/containerizer/mesos/isolators/xfs/disk.hpp endif +if ENABLE_LAUNCHER_SEALING +MESOS_LINUX_FILES += \ + linux/memfd.cpp \ + linux/memfd.hpp +endif + MESOS_LINUX_ROUTING_FILES = \ linux/routing/handle.cpp \ linux/routing/handle.hpp \ 
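Review bot: In the `@@ -1413,6 +1424,26 @@` hunk of configure.ac the only gate in front of `AC_DEFINE([ENABLE_LAUNCHER_SEALING])` is the `$OS_NAME` test, so the memfd requirement named in the help text is never checked. A build host with older kernel headers would pass configure and fail later, and the build host's kernel says nothing about the kernel the agent will run on. I would add a header probe inside the `AS_IF`, for example `AC_CHECK_DECL([MFD_ALLOW_SEALING], [], [AC_MSG_ERROR([launcher sealing requires memfd support])], [[#include <linux/memfd.h>]])`, unless memfd.cpp carries its own fallback definitions (not visible here). The runtime side, which is outside this diff, should fail containerizer initialization loudly when sealing was requested but the kernel cannot provide it, rather than continuing unsealed.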
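Review bot: The `if ENABLE_LAUNCHER_SEALING` block added to `MESOS_LINUX_FILES` in the `@@ -1405,6 +1404,12 @@` hunk of src/Makefile.am has no CMake counterpart. The src/CMakeLists.txt and src/tests/CMakeLists.txt hunks delete `linux/memfd.cpp` and `containerizer/linux_memfd_tests.cpp` unconditionally, and the diffstat shows only deletions in those files. As far as this diff shows, a CMake build therefore has no way to turn sealing on and always produces an agent without this hardening. I would either add a matching CMake option that re-appends the two files and defines `ENABLE_LAUNCHER_SEALING`, or state in the commit message that sealing is autotools-only for now.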
@@ -2638,7 +2643,6 @@ mesos_tests_SOURCES += \ tests/containerizer/cni_isolator_tests.cpp \ tests/containerizer/docker_volume_isolator_tests.cpp \ tests/containerizer/linux_filesystem_isolator_tests.cpp \ - tests/containerizer/linux_memfd_tests.cpp \ tests/containerizer/fs_tests.cpp \ tests/containerizer/memory_pressure_tests.cpp \ tests/containerizer/nested_mesos_containerizer_tests.cpp \ @@ -2660,6 +2664,11 @@ mesos_tests_SOURCES += \ endif endif +if ENABLE_LAUNCHER_SEALING +mesos_tests_SOURCES += \ + tests/containerizer/linux_memfd_tests.cpp +endif + if ENABLE_LINUX_ROUTING mesos_tests_SOURCES += \ tests/containerizer/routing_tests.cpp diff --git a/src/tests/CMakeLists.txt b/src/tests/CMakeLists.txt index 7a1cba5..758bb94 100644 --- a/src/tests/CMakeLists.txt +++ b/src/tests/CMakeLists.txt @@ -226,7 +226,6 @@ if (LINUX) containerizer/fs_tests.cpp containerizer/linux_capabilities_isolator_tests.cpp containerizer/linux_filesystem_isolator_tests.cpp - containerizer/linux_memfd_tests.cpp containerizer/memory_pressure_tests.cpp containerizer/nested_mesos_containerizer_tests.cpp containerizer/ns_tests.cpp
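Review bot: Moving `tests/containerizer/linux_memfd_tests.cpp` under `if ENABLE_LAUNCHER_SEALING` in the `@@ -2660,6 +2664,11 @@` hunk means the memfd tests are neither compiled nor run in a default build, since configure sets `enable_launcher_sealing=no`. The sealing code is then exercised only by a build that passes the flag explicitly. I would put a comment above the block, `# Built only with --enable-launcher-sealing; keep one CI configuration that passes it.`, so the gap is visible to whoever maintains the build matrix.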
