This is an automated email from the ASF dual-hosted git repository.
jpeach pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new 91fa416 Added a flag to ignore Docker runtime configuration.
91fa416 is described below
commit 91fa416bf0d6191bb1a5e1fa3c883e23c98e892c
Author: Jacob Janco <[email protected]>
AuthorDate: Thu May 16 20:29:00 2019 -0700
Added a flag to ignore Docker runtime configuration.
The `docker/runtime` runtime isolator propagates manifest
configuration metadata from the task's Docker image. This is not
always desirable, e.g. an operator may want to ignore the WORKDIR/ENV
configuration defined in the manifest. This change decouples the
`docker/runtime` isolator from the selection of Docker as an image
provider.
Review: https://reviews.apache.org/r/70581/
---
CHANGELOG | 10 +++
docs/configuration/agent.md | 13 +++
docs/upgrades.md | 34 ++++++++
.../mesos/isolators/docker/runtime.cpp | 4 +
src/slave/flags.cpp | 7 ++
src/slave/flags.hpp | 1 +
.../containerizer/provisioner_docker_tests.cpp | 97 ++++++++++++++++++++++
7 files changed, 166 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index ea90ef1..bfa5a26 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,13 @@
+Release Notes - Mesos - Version 1.9.0 (WIP)
+-------------------------------------------
+This release contains the following highlights:
+
+ * Containerization:
+
+ * [MESOS-9760] - A new `--docker_ignore_runtime` flag has been
+ added. This causes the agent to ignore any runtime configuration
+ present in Docker images.
+
Release Notes - Mesos - Version 1.8.1 (WIP)
-------------------------------------------
* This is a bug fix release.
diff --git a/docs/configuration/agent.md b/docs/configuration/agent.md
index 04d7114..91a5e93 100644
--- a/docs/configuration/agent.md
+++ b/docs/configuration/agent.md
@@ -637,6 +637,19 @@ Example JSON (<code>$HOME/.docker/config.json</code>):
</td>
</tr>
+<tr id="docker_ignore_runtime">
+ <td>
+ --docker_ignore_runtime=VALUE
+ </td>
+ <td>
+Ignore any runtime configuration specified in the Docker image. The
+Mesos containerizer will not propagate Docker runtime specifications
+such as <code>WORKDIR</code>, <code>ENV</code> and <code>CMD</code>
+to the container.
+(default: false)
+ </td>
+</tr>
+
<tr id="docker_kill_orphans">
<td>
--[no-]docker_kill_orphans
diff --git a/docs/upgrades.md b/docs/upgrades.md
index ece8462..4a818df 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -43,6 +43,35 @@ We categorize the changes as follows:
</thead>
<tr>
<td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Version-->
+ 1.9.x
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Mesos
Core-->
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Flags-->
+ <ul style="padding-left:10px;">
+ <li>A <a
href="#1-9-x-docker-ignore-runtime">docker_ignore_runtime</a></li>
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Framework
API-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Module
API-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+
+ <td style="word-wrap: break-word; overflow-wrap:
break-word;"><!--Endpoints-->
+ <ul style="padding-left:10px;">
+ </ul>
+ </td>
+</tr>
+<tr>
+ <td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Version-->
1.8.x
</td>
@@ -473,6 +502,11 @@ We categorize the changes as follows:
</tr>
</table>
+## Upgrading from 1.8.x to 1.9.x ##
+
+<a name="1-9-x-docker-ignore-runtime"></a>
+ * A new
[`--docker_ignore_runtime`](configuration/agent.md#docker_ignore_runtime) flag
has been added. This causes the agent to ignore any runtime configuration
present in Docker images.
+
## Upgrading from 1.7.x to 1.8.x ##
<a name="1-8-x-linux-seccomp-isolator"></a>
diff --git a/src/slave/containerizer/mesos/isolators/docker/runtime.cpp
b/src/slave/containerizer/mesos/isolators/docker/runtime.cpp
index 53d0008..990c138 100644
--- a/src/slave/containerizer/mesos/isolators/docker/runtime.cpp
+++ b/src/slave/containerizer/mesos/isolators/docker/runtime.cpp
@@ -84,6 +84,10 @@ Future<Option<ContainerLaunchInfo>>
DockerRuntimeIsolatorProcess::prepare(
const ContainerID& containerId,
const ContainerConfig& containerConfig)
{
+ if (flags.docker_ignore_runtime) {
+ return None();
+ }
+
if (!containerConfig.has_container_info()) {
return None();
}
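Review bot: The early return added at the top of `prepare()` silently discards the entire image runtime configuration, and as far as this diff shows that includes whatever would otherwise turn an image `CMD`/`ENTRYPOINT` into the task's launch command, so a task that relies on the image and supplies no `command` of its own presumably cannot start once the flag is set; the commit neither documents nor checks that case. A one-line comment at the return would help the next reader, e.g. `// Operator opted out of image runtime config: the task must supply its own command, env and workdir.` A log line (at whatever verbosity the codebase uses for per-container decisions) naming `containerId` would also let operators see that the config was dropped rather than just missing. `prepare()` continues past the end of this hunk.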
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 49a350f..e23061a 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -224,6 +224,13 @@ mesos::internal::slave::Flags::Flags()
"volumes that each container uses.",
"/var/run/mesos/isolators/docker/volume");
+ add(&Flags::docker_ignore_runtime,
+ "docker_ignore_runtime",
+ "Ignore any runtime configuration specified in the Docker image. The\n"
+ "Mesos containerizer will not propagate Docker runtime specifications\n"
+ "such as `WORKDIR`, `ENV` and `CMD` to the container.\n",
+ false);
+
add(&Flags::default_role,
"default_role",
"Any resources in the `--resources` flag that\n"
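Review bot: The help string for `docker_ignore_runtime` promises to ignore "any" runtime configuration, but in this change the flag is only consulted inside the `docker/runtime` isolator's `prepare()`, so it is a no-op unless that isolator is listed in `--isolation`; the help text should say so. Suggested additional line: `"This flag only has an effect when the `docker/runtime` isolator is enabled.\n"`. If, as the commit message implies, the isolator is also what maps the image `CMD`/`ENTRYPOINT` into the launch command, the help text should state that tasks must then supply an explicit command.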
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 09921cb..9684a09 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -60,6 +60,7 @@ public:
std::string docker_registry;
std::string docker_store_dir;
std::string docker_volume_checkpoint_dir;
+ bool docker_ignore_runtime;
std::string default_role;
Option<std::string> attributes;
diff --git a/src/tests/containerizer/provisioner_docker_tests.cpp
b/src/tests/containerizer/provisioner_docker_tests.cpp
index 1c5d720..5d5a355 100644
--- a/src/tests/containerizer/provisioner_docker_tests.cpp
+++ b/src/tests/containerizer/provisioner_docker_tests.cpp
@@ -1382,6 +1382,103 @@ TEST_F(ProvisionerDockerTest,
ROOT_INTERNET_CURL_ImageDigest)
}
+// This test verifies that Docker manifest configuration is not carried over
+// into the container if the `--docker_ignore_runtime` flag is set. Due to the
+// complexity of the `CommandInfo` mapping, simply check to see if the
+// environment was merged by the isolator into the task container.
+TEST_F(ProvisionerDockerTest, ROOT_DockerIgnoreRuntime)
+{
+ Try<Owned<cluster::Master>> master = StartMaster();
+ ASSERT_SOME(master);
+
+ const string directory = path::join(os::getcwd(), "registry");
+
+ const std::vector<std::string>& environment = {
+ {"DOCKER_RUNTIME_ENV=true"},
+ };
+
+ // Setting the entrypoint and command that will be reflected in the
+ // manifest.
+ Future<Nothing> testImage = DockerArchive::create(
+ directory, "alpine", "null", "null", environment);
+ AWAIT_READY(testImage);
+
+ ASSERT_TRUE(os::exists(path::join(directory, "alpine.tar")));
+
+ slave::Flags flags = CreateSlaveFlags();
+ flags.isolation = "docker/runtime,filesystem/linux";
+ flags.image_providers = "docker";
+ flags.docker_registry = directory;
+ flags.docker_store_dir = path::join(os::getcwd(), "store");
+ flags.docker_ignore_runtime = true;
+
+ Owned<MasterDetector> detector = master.get()->createDetector();
+
+ Try<Owned<cluster::Slave>> slave = StartSlave(detector.get(), flags);
+ ASSERT_SOME(slave);
+
+ MockScheduler sched;
+ MesosSchedulerDriver driver(
+ &sched, DEFAULT_FRAMEWORK_INFO, master.get()->pid, DEFAULT_CREDENTIAL);
+
+ EXPECT_CALL(sched, registered(&driver, _, _));
+
+ Future<vector<Offer>> offers;
+ EXPECT_CALL(sched, resourceOffers(&driver, _))
+ .WillOnce(FutureArg<1>(&offers))
+ .WillRepeatedly(Return()); // Ignore subsequent offers.
+
+ driver.start();
+
+ AWAIT_READY(offers);
+ ASSERT_EQ(1u, offers->size());
+
+ const Offer& offer = offers.get()[0];
+
+ // This task will fail if Docker manifest metadata is propagated
+ // to the container i.e. the `DOCKER_RUNTIME_ENV` variable should
+ // not be present in the container since we are setting the
+ // `--docker_ignore_runtime` flag.
+ TaskInfo task = createTask(
+ offer.slave_id(),
+ offer.resources(),
+ "test -z $DOCKER_RUNTIME_ENV");
+
+ Image image;
+ image.set_type(Image::DOCKER);
+ image.mutable_docker()->set_name("alpine");
+
+ ContainerInfo* container = task.mutable_container();
+ container->set_type(ContainerInfo::MESOS);
+ container->mutable_mesos()->mutable_image()->CopyFrom(image);
+
+ Future<TaskStatus> statusStarting;
+ Future<TaskStatus> statusRunning;
+ Future<TaskStatus> statusFinished;
+ EXPECT_CALL(sched, statusUpdate(&driver, _))
+ .WillOnce(FutureArg<1>(&statusStarting))
+ .WillOnce(FutureArg<1>(&statusRunning))
+ .WillOnce(FutureArg<1>(&statusFinished));
+
+ driver.launchTasks(offer.id(), {task});
+
+ AWAIT_READY(statusStarting);
+ EXPECT_EQ(task.task_id(), statusStarting->task_id());
+ EXPECT_EQ(TASK_STARTING, statusStarting->state());
+
+ AWAIT_READY(statusRunning);
+ EXPECT_EQ(task.task_id(), statusRunning->task_id());
+ EXPECT_EQ(TASK_RUNNING, statusRunning->state());
+
+ AWAIT_READY(statusFinished);
+ EXPECT_EQ(task.task_id(), statusFinished->task_id());
+ EXPECT_EQ(TASK_FINISHED, statusFinished->state());
+
+ driver.stop();
+ driver.join();
+}
+
+
// This test verifies that if a container image is specified, the
// command runs as the specified user "$SUDO_USER" and the sandbox of
// the command task is writeable by the specified user. It also
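Review bot: The task command `test -z $DOCKER_RUNTIME_ENV` leaves the variable unquoted, so when it is unset the shell runs `test -z` with no operand, which POSIX `test` treats as the one-argument form and returns true only because the string `-z` is itself non-empty; the test passes by accident rather than by checking emptiness. Quote it: `"test -z \"$DOCKER_RUNTIME_ENV\""`. Two smaller nits: `const std::vector<std::string>& environment = {...}` binds a reference to a temporary where a plain `const vector<string> environment = {...}` reads better and matches the unqualified `vector<Offer>` a few lines below, and the comment above `DockerArchive::create` says it sets an entrypoint and command although both are passed as `"null"`.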