This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit dfcb830a115cd64c6727884363f5b6562e8f0bb8 Author: Qian Zhang <[email protected]> AuthorDate: Wed Jun 19 10:54:31 2019 -0700 Added `--disallow_sharing_agent_ipc_namespace` agent flag. Review: https://reviews.apache.org/r/70773/
---
 docs/configuration/agent.md | 45 ++++++++++++++++++++++++++++++---------------
 src/slave/flags.cpp | 11 +++++++++++
 src/slave/flags.hpp | 1 +
 3 files changed, 42 insertions(+), 15 deletions(-)
diff --git a/docs/configuration/agent.md b/docs/configuration/agent.md
index 91a5e93..322c228 100644
--- a/docs/configuration/agent.md
+++ b/docs/configuration/agent.md
@@ -577,6 +577,36 @@ this role.
 (default: *)
 </td>
 </tr>
+<tr id="disallow_sharing_agent_ipc_namespace">
+ <td>
+ --[no-]disallow_sharing_agent_ipc_namespace
+ </td>
+ <td>
+If set to <code>true</code>, each top-level container will have its own IPC
+namespace and /dev/shm, and if the framework requests to share the agent IPC
+namespace and /dev/shm for the top level container, the container launch will
+be rejected. If set to <code>false</code>, the top-level containers will share
+the IPC namespace and /dev/shm with agent if the framework requests it. This
+flag will be ignored if the <code>namespaces/ipc</code> isolator is not enabled.
+(default: false)
+ </td>
+</tr>
+
+<tr id="disallow_sharing_agent_pid_namespace">
+ <td>
+ --[no-]disallow_sharing_agent_pid_namespace
+ </td>
+ <td>
+If set to <code>true</code>, each top-level container will have its own pid
+namespace, and if the framework requests to share the agent pid namespace for
+the top level container, the container launch will be rejected. If set to
+<code>false</code>, the top-level containers will share the pid namespace with
+agent if the framework requests it. This flag will be ignored if the <code>
+namespaces/pid</code> isolator is not enabled.
+(default: false)
+ </td>
+</tr>
+
 <tr id="disk_profile_adaptor">
 <td>
 --disk_profile_adaptor=VALUE
@@ -1453,21 +1483,6 @@ sandbox is mapped to.
 </td>
 </tr>
-<tr id="disallow_sharing_agent_pid_namespace">
- <td>
- --[no-]disallow_sharing_agent_pid_namespace
- </td>
- <td>
-If set to <code>true</code>, each top-level container will have its own pid
-namespace, and if the framework requests to share the agent pid namespace for
-the top level container, the container launch will be rejected. If set to
-<code>false</code>, the top-level containers will share the pid namespace with
-agent if the framework requests it. This flag will be ignored if the
-`namespaces/pid` isolator is not enabled.
-(default: false)
- </td>
-</tr>
-
 <tr id="strict">
 <td>
 --[no-]strict
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index e23061a..9cc88fd 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -763,6 +763,17 @@ mesos::internal::slave::Flags::Flags()
 "This flag has the same syntax as `--effective_capabilities`."
 );
+ add(&Flags::disallow_sharing_agent_ipc_namespace,
+ "disallow_sharing_agent_ipc_namespace",
+ "If set to `true`, each top-level container will have its own IPC\n"
+ "namespace and /dev/shm, and if the framework requests to share the\n"
+ "agent IPC namespace and /dev/shm for the top level container, the\n"
+ "container launch will be rejected. If set to `false`, the top-level\n"
+ "containers will share the IPC namespace and /dev/shm with agent if\n"
+ "the framework requests it. This flag will be ignored if the\n"
+ "`namespaces/ipc` isolator is not enabled.\n",
+ false);
+ add(&Flags::disallow_sharing_agent_pid_namespace,
+ "disallow_sharing_agent_pid_namespace",
+ "If set to `true`, each top-level container will have its own pid\n"
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 9684a09..f15f5f9 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
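Review bot: Nothing in this commit reads `disallow_sharing_agent_ipc_namespace` after the `add(...)` in the flags.cpp hunk registers it (the flags.hpp hunk only declares the member), so until the `namespaces/ipc` isolator consumes the flag, `--disallow_sharing_agent_ipc_namespace=true` is accepted but enforces nothing; presumably the isolator change follows in the same review chain. The help text does say the flag is ignored without that isolator, but an operator who sets it expects launches that request the agent's IPC namespace and /dev/shm to be rejected, so a silently inert flag reads as enforcement. Wherever the agent validates the `--isolation` list at startup, consider emitting `LOG(WARNING) << "--disallow_sharing_agent_ipc_namespace is set but the 'namespaces/ipc' isolator is not enabled; sharing the agent IPC namespace will not be rejected";` so the gap is visible in the agent log. The `false` default keeps sharing permitted, matching the existing `disallow_sharing_agent_pid_namespace` flag, so the restriction is opt-in and worth stating as such in the release note. The `Flags::Flags()` constructor continues outside the hunk.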
@@ -124,6 +124,7 @@ public:
 std::string systemd_runtime_directory;
 Option<CapabilityInfo> effective_capabilities;
 Option<CapabilityInfo> bounding_capabilities;
+ bool disallow_sharing_agent_ipc_namespace;
 bool disallow_sharing_agent_pid_namespace;
 #endif
 Option<Firewall> firewall_rules;
