[ https://issues.apache.org/jira/browse/AURORA-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15477671#comment-15477671 ]
Joshua Cohen commented on AURORA-1768:
--------------------------------------
This would likely involve {{aurora task ssh}} invoking some helper binary to
enter the container's namespace upon connection (similar to how it currently
just
[cd's|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/client/api/command_runner.py#L63-L72]
into the task's sandbox).
Ideally this helper would just be {{nsenter}}, but I don't think nsenter is
guaranteed to be available on all distros (e.g. it needs to be built from
source for Ubuntu 14.04 for use in our vagrant image). We could instead create
our own thin pex that relies on
[python-nsenter|https://github.com/zalando/python-nsenter] to enter the
necessary namespaces and then
[embed|https://github.com/apache/aurora/blob/master/build-support/embed_runner_in_executor.py]
that in the executor (and later
[extract|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/executor/bin/thermos_executor_main.py#L192-L204]
it).
This raises the second question: how do we determine which namespace to
actually enter? I'm unsure of this exactly, but I believe it's available via
procfs at {{/proc/<pid>/ns/mnt}} (or net, etc.).
> Command `aurora task ssh` is not namespace and taskfs aware
> ------------------------------------------------------------
>
> Key: AURORA-1768
> URL: https://issues.apache.org/jira/browse/AURORA-1768
> Project: Aurora
> Issue Type: Story
> Components: Thermos
> Reporter: Stephan Erb
>
> In order to guarantee isolation among tasks and to simplify debugging in
> production environments, we should make sure commands executed via `aurora
> ssh` have been isolated in the same way as the tasks themselves. This implies
> that we have to use the same container filesystem and enter the same
> namespaces.
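The procfs lookup raised in the comment above can be sketched as follows. This is an added example, not code from the comment or from Aurora: it reads the {{/proc/<pid>/ns/*}} symlinks, whose targets have the form {{mnt:[inode]}}, and reports which namespace types differ between a task and the caller. The function names, the {{proc_root}} parameter and the sample PIDs and inode numbers are assumptions constructed for illustration.

```python
import os
import re

NS_TYPES = ("mnt", "net", "pid", "uts", "ipc", "user")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # e.g. "mnt:[4026532201]"

# Constructed sample data: PID 1 stands in for the host, PID 4242 for a
# containerized task that has its own mnt, net and pid namespaces.
SAMPLE = {
    1: {"mnt": 4026531840, "net": 4026531956, "pid": 4026531836,
        "uts": 4026531838, "ipc": 4026531839, "user": 4026531837},
    4242: {"mnt": 4026532201, "net": 4026532204, "pid": 4026532202,
           "uts": 4026531838, "ipc": 4026531839, "user": 4026531837},
}

def build_sample_proc(root):
    """Create a fake procfs tree under root from SAMPLE (dangling symlinks)."""
    for pid, spaces in SAMPLE.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for ns, inode in spaces.items():
            os.symlink("%s:[%d]" % (ns, inode), os.path.join(ns_dir, ns))

def read_namespaces(pid, proc_root="/proc"):
    """Return {ns_type: inode} read from <proc_root>/<pid>/ns."""
    result = {}
    for ns in NS_TYPES:
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "ns", ns))
        except OSError:
            continue  # type not supported by this kernel, or no permission
        match = _NS_LINK.match(target)
        if match and match.group(1) == ns:
            result[ns] = int(match.group(2))
    return result

def namespaces_to_enter(task_pid, self_pid="self", proc_root="/proc"):
    """Namespace types in which task_pid differs from the caller.

    Matching inode numbers mean both processes share that namespace, so
    only the differing types need to be entered by a helper.
    """
    task = read_namespaces(task_pid, proc_root)
    mine = read_namespaces(self_pid, proc_root)
    return sorted(ns for ns, inode in task.items() if mine.get(ns) != inode)

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    build_sample_proc(root)
    print(namespaces_to_enter(4242, self_pid=1, proc_root=root))
```

On a real host, call {{namespaces_to_enter(pid)}} with the default {{proc_root}}; reading another user's {{/proc/<pid>/ns}} entries typically requires root or the same UID, and an unreadable entry on the caller's side is reported as differing.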