This is an automated email from the ASF dual-hosted git repository.
bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new c575673d6 [cgroups2] Perform chown of cgroup if necessary.
c575673d6 is described below
commit c575673d64979bd4483bb9c589a875dba00e2caa
Author: Jason Zhou <[email protected]>
AuthorDate: Fri Aug 16 13:57:58 2024 -0400
[cgroups2] Perform chown of cgroup if necessary.
In cgroups1, we chown for nested cgroups so that they can create deeper
layers of cgroups. We want to replicate this behavior in cgroups2.
Review: https://reviews.apache.org/r/75178/
---
.../mesos/isolators/cgroups2/cgroups2.cpp | 48 ++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
index 1f054626d..e476d1592 100644
--- a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
+++ b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
@@ -38,6 +38,7 @@
#include <process/pid.hpp>
#include <stout/foreach.hpp>
+#include <stout/os.hpp>
#include <stout/strings.hpp>
#include "linux/cgroups2.hpp"
@@ -283,6 +284,53 @@ Future<Option<ContainerLaunchInfo>>
Cgroups2IsolatorProcess::prepare(
controller->prepare(containerId, nonLeafCgroup, containerConfig));
}
+ // Copied from cgroups v1 isolator logic:
+ //
+ // Chown the leaf cgroup so the executor or a nested container whose
+ // `share_cgroups` is false can create nested cgroups. Do
+ // not recurse so the control files are still owned by the slave
+ // user and thus cannot be changed by the executor.
+ //
+ // TODO(haosdent): Multiple tasks under the same user can change
+ // cgroups settings for each other. A better solution is using
+ // cgroups namespaces and user namespaces to achieve the goal.
+ //
+ // NOTE: We only need to handle the case where 'flags.switch_user'
+ // is true (i.e., 'containerConfig.has_user() == true'). If
+ // 'flags.switch_user' is false, the cgroup will be owned by root
+ // anyway since cgroups isolator requires root permission.
+ if (containerConfig.has_user()) {
+ Option<string> user;
+ if (containerConfig.has_task_info() && containerConfig.has_rootfs()) {
+ // Command task that has a rootfs. In this case, the executor
+ // will be running under root, and the command task itself
+ // might be running under a different user.
+ //
+ // TODO(jieyu): The caveat here is that if the 'user' in
+ // task's command is not set, we don't know exactly what user
+ // the task will be running as because we don't know the
+ // framework user. We do not support this case right now.
+ if (containerConfig.task_info().command().has_user()) {
+ user = containerConfig.task_info().command().user();
+ }
+ } else {
+ user = containerConfig.user();
+ }
+
+ if (user.isSome()) {
+ string path = cgroups2::path(leafCgroup);
+ VLOG(1) << "Chown the cgroup at '" << path << "'"
+ << " to user '" << *user << "' for container " << containerId;
+
+ Try<Nothing> chown = os::chown(*user, path, false);
+
+ if (chown.isError()) {
+ return Failure("Failed to chown the cgroup at '" + path + "'"
+ " to user '" + *user + "': " + chown.error());
+ }
+ }
+ }
+
return await(prepares)
.then(defer(
PID<Cgroups2IsolatorProcess>(this),
