> On Aug. 19, 2014, 5:21 p.m., Jie Yu wrote: > > src/slave/containerizer/isolators/filesystem.cpp, lines 44-46 > > <https://reviews.apache.org/r/24178/diff/1/?file=647967#file647967line44> > > > > Check for kernel version? Check for root permission? For example, when > > bind mount is introduced?
bind mounts were introduced in 2.4.0 so safe to assume. Added test for root. > On Aug. 19, 2014, 5:21 p.m., Jie Yu wrote: > > src/slave/containerizer/isolators/filesystem.cpp, lines 87-91 > > <https://reviews.apache.org/r/24178/diff/1/?file=647967#file647967line87> > > > > Him, this reveals a more interesting problem. Say in the future, we > > want to implement a full file system isolator. The order in which we bind > > mount those volumns needs to be carefully calculated. For example, say we > > have two volumns: / and /lib. Can we actually support that? Added checks to ensure masking doesn't occur. Added a TODO to improve this to support reordering mounts if possible. > On Aug. 19, 2014, 5:21 p.m., Jie Yu wrote: > > src/slave/containerizer/isolators/filesystem.cpp, lines 102-126 > > <https://reviews.apache.org/r/24178/diff/1/?file=647967#file647967line102> > > > > Can you explain why we need to create those directories? Is is > > necessary? > > > > My feeling is that it's not necessary. If you want those dir > > structures, you should specify more Volumns, right? > > > > Well, again, if we have multiple volumns, the question is how do we > > ensure the correct mount order. I've kept the isolator simple by not supporting mounting to ancestors. The directory creation code is necessary for something like a private mount of /var/tmp which is present under the container work directory as something like .private/var/tmp > On Aug. 19, 2014, 5:21 p.m., Jie Yu wrote: > > src/slave/flags.hpp, lines 245-252 > > <https://reviews.apache.org/r/24178/diff/1/?file=647970#file647970line245> > > > > This needs some discussion. I am in favor of using ContainerInfo to > > specify private dirs so that we can be more flexible in the future when we > > have full file system isolation. > > > > For the first step (for /tmp), you can introduce a default > > ContainerInfo (through slave flags) for mesos containerizer (if not > > specified) which contains information about default private mounts. Sine > > it's a protobuf, it's very straightforward to pass it in as a json object. > > > > Also, have you considered using Volumn to specify private dirs? We need > > some discussion here. For example, one way is to introduce a new Mode. Changed to using a MESOS ContainerInfo and using Volumes to specify the mounts. - Ian ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/24178/#review51046 ----------------------------------------------------------- On July 31, 2014, 11:08 p.m., Ian Downes wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/24178/ > ----------------------------------------------------------- > > (Updated July 31, 2014, 11:08 p.m.) > > > Review request for mesos, Ben Mahler and Jie Yu. > > > Bugs: MESOS-1586 > https://issues.apache.org/jira/browse/MESOS-1586 > > > Repository: mesos-git > > > Description > ------- > > Does not report usage or enforce quota but can create 'private' directories > for each container which mask parts of the root filesystem. > > > Diffs > ----- > > src/Makefile.am b660d912c92594ef679b71caf508134f20511dae > src/slave/containerizer/isolators/filesystem.hpp PRE-CREATION > src/slave/containerizer/isolators/filesystem.cpp PRE-CREATION > src/slave/containerizer/linux_launcher.cpp > f3cc813c64e9298f43c9691de9d51ba29c3a8e91 > src/slave/containerizer/mesos/containerizer.cpp > 2c394e2c8702166266f5d20ff005abb218da8a6c > src/slave/flags.hpp 146c4011eb6a64dbb03555cece1c5303338ae240 > src/tests/isolator_tests.cpp c38f87632cb6984543cb3767dbd656cde7459610 > > Diff: https://reviews.apache.org/r/24178/diff/ > > > Testing > ------- > > # added two tests for the FilesystemIsolator > make check > > > Thanks, > > Ian Downes > >
