-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13040/#review24275
-----------------------------------------------------------


src/slave/cgroups_isolator.cpp
<https://reviews.apache.org/r/13040/#comment48100>

    Are these mount flags new? I couldn't find them in man mount(2) on a CentOS 5 box with 2.6.44 kernel, though I did find them by searching online.

src/slave/cgroups_isolator.cpp
<https://reviews.apache.org/r/13040/#comment48129>

    I'm new to clone(), so I just want to make sure the semantics are backwards compatible. We currently have executors that write outside the sandbox. Would this stop them from doing that?


- Vinod Kone


On July 29, 2013, 10:22 p.m., Eric Biederman wrote:

> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13040/
> -----------------------------------------------------------
> 
> (Updated July 29, 2013, 10:22 p.m.)
> 
> 
> Review request for mesos, Benjamin Hindman, Ben Mahler, Ian Downes, and Vinod Kone.
> 
> 
> Repository: mesos-git
> 
> 
> Description
> -------
> 
> cgroup_isolator: Isolate the executors in their own mount namespace.
> 
> When starting an executor create a mount namespace and make the mounts
> private in the new namespace to prevent any changes in the mount
> namespace from propagating back to the original mount namespace.
> 
> This results in no change in visibility or accessibility of files
> for the executor so this should not result in any regressions.
> 
> In addition to the initial small isolation effect this also prepares
> for using the mount namespace to remove the possibility of filesystem
> accesses that executors and tasks should not be able to perform.
> 
> 
> Diffs
> -----
> 
>   src/slave/cgroups_isolator.cpp 0faf7d5 
> 
> Diff: https://reviews.apache.org/r/13040/diff/
> 
> 
> Testing
> -------
> 
> make -j8 check
> 
> And watched the tests pass.
> 
> 
> Thanks,
> 
> Eric Biederman
> 
>
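
The two points raised in this review, the mount propagation flags and whether a private mount namespace changes what an executor can write, can both be checked with a small program. The following is an added C example and is not code from the Mesos patch or from the project; it uses unshare(CLONE_NEWNS) in the calling process rather than a clone() flag (the namespace semantics are the same), marks the whole tree private with MS_REC | MS_PRIVATE, parses /proc/self/mountinfo to show which mounts would still propagate events, and forks a child that isolates itself and then creates a file that the parent checks for. The mountinfo sample is constructed, the function names are this example's own, and entering a mount namespace needs CAP_SYS_ADMIN, so the probe reports -1 instead of failing when run unprivileged.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* unshare() and CLONE_NEWNS live behind this in <sched.h> */
#endif
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* kernel value; fallback if headers were read without _GNU_SOURCE */
#endif
extern int unshare(int flags); /* harmless repeat of the glibc prototype */

/* Enter a fresh mount namespace and make every mount in it private, so mount
 * and umount events here stop propagating to the parent namespace (same effect
 * as CLONE_NEWNS on clone()). Needs CAP_SYS_ADMIN; returns 0, or -1 with errno set. */
int isolate_mount_namespace(void) {
    if (unshare(CLONE_NEWNS) != 0)
        return -1;
    /* recursive "make private" over the whole tree (mount --make-rprivate /) */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
}

/* Classify one /proc/self/mountinfo line. Optional fields sit between the
 * 6th field and the "-" separator; "shared:N" or "master:N" there means
 * events still propagate. Returns 1 private, 0 shared/slave, -1 malformed. */
int mountinfo_line_is_private(const char *line) {
    char buf[1024], *save = NULL, *tok;
    int field = 0;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    for (tok = strtok_r(buf, " \t\r\n", &save); tok; tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (++field <= 6)
            continue;
        if (strcmp(tok, "-") == 0)
            return 1;
        if (strncmp(tok, "shared:", 7) == 0 || strncmp(tok, "master:", 7) == 0)
            return 0;
    }
    return -1; /* never reached the separator */
}

/* Count mounts in a mountinfo dump that still propagate events. */
int count_shared_mounts(const char *text) {
    int shared = 0;
    char line[1024];
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            shared += mountinfo_line_is_private(line) == 0;
        }
        p = nl ? nl + 1 : p + len;
    }
    return shared;
}

/* Constructed sample, not from a real host: "/" shared, /proc untagged,
 * /mnt a slave of peer group 2. */
const char SAMPLE_MOUNTINFO[] =
    "36 35 98:0 / / rw,relatime shared:1 - ext4 /dev/root rw\n"
    "37 36 0:5 / /proc rw,nosuid - proc proc rw\n"
    "38 36 0:21 / /mnt rw,relatime master:2 - ext4 /dev/sdb1 rw\n";

/* Fork a child that isolates itself and creates `path`; the parent checks it.
 * 1 = parent sees the file (writes outside the sandbox still land), 0 = it
 * does not, -1 = child could not isolate (EPERM when unprivileged) or fork failed. */
int write_visible_from_parent(const char *path) {
    int status, seen;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (isolate_mount_namespace() != 0)
            _exit(2);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0)
            _exit(3);
        close(fd);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    seen = access(path, F_OK) == 0;
    unlink(path);
    return seen;
}

int main(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/mountns-probe-%ld", (long)getpid());
    printf("propagating mounts in sample: %d\n", count_shared_mounts(SAMPLE_MOUNTINFO));
    printf("file written inside private namespace visible to parent: %d (1 yes, -1 no privilege)\n",
           write_visible_from_parent(path));
    return 0;
}
```

Run as root (or with CAP_SYS_ADMIN) the probe returns 1: a private mount namespace only stops mount events from crossing the namespace boundary, it does not change which paths the child can open, which is what the description means by "no change in visibility or accessibility of files". Reading the real /proc/self/mountinfo before and after isolate_mount_namespace() with count_shared_mounts() is the quickest way to confirm that the MS_REC | MS_PRIVATE call actually cleared the shared: tags on every mount.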
