-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/23246/#review47256
-----------------------------------------------------------


Throwing this out here: an even better goal is that within the container, we
shouldn't see anything under BIND_MOUNT_ROOT, because it reveals other network
namespaces in the system - a breach of visibility isolation. This requires that we
don't see any _files_ under BIND_MOUNT_ROOT.

I played around a little bit on my terminal using unshare and this seems to 
work:

- Make host/BIND_MOUNT_ROOT a private mount point recursively.
- When we clone Container C, the mount objects host/BIND_MOUNT_ROOT and
host/BIND_MOUNT_ROOT/{A,B,C} are copied into Container C (say A and B are from
earlier containers A and B).
- In the child isolation script, we unmount BIND_MOUNT_ROOT/{A,B,C}. At this point
{A,B,C} are present as files but not as mounts anymore. Then we bind mount
a random empty dir onto BIND_MOUNT_ROOT to cover up the dir. At this point any
files created/mounted under HOST/BIND_MOUNT_ROOT will not show up in Container
C.
- Now in the host, we do whatever we need to A and B (umount, rm) and it won't get
into C and other later containers.



src/slave/containerizer/isolators/network/port_mapping.cpp
<https://reviews.apache.org/r/23246/#comment82908>

    is this sufficient to check BIND_MOUNT_ROOT is _self_ mounted?


- Chi Zhang


On July 2, 2014, 9:59 p.m., Jie Yu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/23246/
> -----------------------------------------------------------
> 
> (Updated July 2, 2014, 9:59 p.m.)
> 
> 
> Review request for mesos, Chi Zhang, Ian Downes, and Vinod Kone.
> 
> 
> Bugs: MESOS-1558
>     https://issues.apache.org/jira/browse/MESOS-1558
> 
> 
> Repository: mesos-git
> 
> 
> Description
> -------
> 
> See summary. The idea is to use --make-rshared for /var/run/netns on host and 
> --make-rslave for /var/run/netns in each container.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/isolators/network/port_mapping.cpp a326653 
> 
> Diff: https://reviews.apache.org/r/23246/diff/
> 
> 
> Testing
> -------
> 
> make check
> sudo make check
> 
> The regression test is in another review by Chi Zhang:
> https://reviews.apache.org/r/23221/
> 
> 
> Thanks,
> 
> Jie Yu
> 
>
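Added example, not code from this review or from Mesos: a POSIX shell check that reads mountinfo-formatted text and reports whether a mount point is shared, a slave, private or unbindable, so the --make-rshared (host) / --make-rslave (container) layout from the description, and the private-mount variant above, can be verified on a running system instead of assumed. Function names, the embedded host/container samples and their mount ids are my own constructions.

```shell
#!/bin/sh
# Added example (not part of the review or of Mesos). Classifies the mount
# propagation of a mount point from mountinfo-formatted text on stdin.
# Field layout: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [tags...] - FSTYPE SRC SUPEROPTS
# Tags: shared:N (peer group), master:N (slave of group N), unbindable; no tag = private.

# Usage: mountinfo_propagation MOUNTPOINT < mountinfo-text
# Prints one of: shared | slave | shared-slave | unbindable | private | missing
mountinfo_propagation() {
    awk -v mp="$1" '
        $5 == mp {
            found = 1; tags = ""
            for (i = 7; i <= NF && $i != "-"; i++) tags = tags " " $i
            if (tags ~ / shared:/ && tags ~ / master:/) print "shared-slave"
            else if (tags ~ / shared:/)                 print "shared"
            else if (tags ~ / master:/)                 print "slave"
            else if (tags ~ / unbindable/)              print "unbindable"
            else                                        print "private"
            exit
        }
        END { if (!found) print "missing" }'
}

# Exit 0 only when the host side of /var/run/netns is shared and the container
# side is a slave of it: new netns handles propagate host -> container, while
# nothing the container mounts there can propagate back to the host.
# $1 = host mountinfo text, $2 = container mountinfo text.
verify_netns_propagation() {
    host_mode=$(printf '%s\n' "$1" | mountinfo_propagation /var/run/netns)
    cont_mode=$(printf '%s\n' "$2" | mountinfo_propagation /var/run/netns)
    [ "$host_mode" = shared ] && [ "$cont_mode" = slave ]
}

# Constructed samples (mount ids and peer group numbers are made up):
# host after "mount --make-rshared /var/run/netns", with one netns handle A bound inside.
SAMPLE_HOST='36 35 0:32 / /var/run/netns rw,nosuid,nodev shared:21 - tmpfs tmpfs rw,mode=755
37 36 0:33 / /var/run/netns/A rw shared:21 - nsfs nsfs rw'
# container after "mount --make-rslave /var/run/netns" in its own mount namespace,
# plus a private mount it created underneath (which must stay invisible to the host).
SAMPLE_CONTAINER='40 39 0:32 / /var/run/netns rw,nosuid,nodev master:21 - tmpfs tmpfs rw,mode=755
41 40 0:34 / /var/run/netns/private rw - tmpfs tmpfs rw'

# Live use on a host (needs only read access to /proc):
#   mountinfo_propagation /var/run/netns < /proc/self/mountinfo
if verify_netns_propagation "$SAMPLE_HOST" "$SAMPLE_CONTAINER"; then
    echo "ok: host shared, container slave"
else
    echo "MISCONFIGURED: /var/run/netns propagation is not rshared/rslave" >&2
fi
```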
