[ https://issues.apache.org/jira/browse/MESOS-6145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15497064#comment-15497064 ]

Jie Yu commented on MESOS-6145:
-------------------------------

Simplified the isolator:
https://reviews.apache.org/r/51963/

The bind mounts in the pid namespace isolator turn out to be
unnecessary as the linux launcher will use freezer to kill all tasks
anyway. It makes the isolator unnecessarily complex, and has a mount
leak bug (MESOS-6145). This patch removes all the unnecessary bind
mounts, making the isolator extremely simple.

> Isolator namespaces/pid is leaking mounts
> -----------------------------------------
>
>                 Key: MESOS-6145
>                 URL: https://issues.apache.org/jira/browse/MESOS-6145
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, isolation, security
>            Reporter: Stephan Erb
>            Assignee: Jie Yu
>
> As the operator of a Mesos cluster, I would like every container/executor to 
> run in a single PID namespace, so that a task cannot see what else is running 
> on the same host.
> The existing {{namespaces/pid}} isolator seems to provide this feature. 
> However, it seems like it is leaking files. I have exactly one task running 
> currently, but there are still leftovers from earlier invocations
> {code}
> vagrant@aurora:~/aurora$ ls -l /var/run/mesos/pidns/
> total 0
> -rw-r--r-- 1 root root 0 Aug 26 20:30 32b6e4c7-3d22-47ed-a350-9eb929daa241
> -rw-r--r-- 1 root root 0 Aug 26 20:30 7b812f00-4614-4016-a76c-ff78a175a1b0
> -rw-r--r-- 1 root root 0 Aug 26 20:24 d501829e-7cf8-40fb-a895-0ad3416da7dc
> -rw-r--r-- 1 root root 0 Aug 26 20:24 d56ca91f-eb72-426c-8bbb-f3239358a4ef
> -r--r--r-- 1 root root 0 Aug 26 20:35 fef9a109-de52-45f3-ae41-171de6495705
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
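
An added example, not part of the original message or of Mesos itself: one way an operator could audit the directory from the report, separating entries that still carry a mount from plain leftover files by reading `/proc/self/mountinfo`. It assumes entries are named by container ID and that the operator supplies the set of active IDs; the sample mountinfo text and the active ID are constructed.

```python
import posixpath

# /var/run is usually a symlink to /run, and mountinfo shows the resolved
# path; on a live host pass os.path.realpath("/var/run/mesos/pidns").
PIDNS_DIR = "/run/mesos/pidns"

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def mounts_under(mountinfo_text, base=PIDNS_DIR):
    """Map entry name -> filesystem type for mounts directly under base."""
    found = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)   # optional fields end at "-"
            fstype = fields[sep + 1]
        except (ValueError, IndexError):
            continue                     # not a well-formed mountinfo line
        mount_point = _unescape(fields[4])
        if posixpath.dirname(mount_point) == base:
            found[posixpath.basename(mount_point)] = fstype
    return found

def audit(dir_entries, mountinfo_text, active_ids, base=PIDNS_DIR):
    """Classify entries: in use, mount left behind, or plain leftover file."""
    mounted = mounts_under(mountinfo_text, base)
    report = {"in_use": [], "leaked_mount": [], "stale_file": []}
    for name in sorted(set(dir_entries) | set(mounted)):
        if name in active_ids:
            report["in_use"].append(name)
        elif name in mounted:
            report["leaked_mount"].append(name)
        else:
            report["stale_file"].append(name)
    return report

# Entry names copied from the listing in the report.
ENTRIES = """32b6e4c7-3d22-47ed-a350-9eb929daa241 7b812f00-4614-4016-a76c-ff78a175a1b0
d501829e-7cf8-40fb-a895-0ad3416da7dc d56ca91f-eb72-426c-8bbb-f3239358a4ef
fef9a109-de52-45f3-ae41-171de6495705""".split()
# Constructed sample: which entries are mounted and which container is
# active are assumptions for illustration, not facts from the report.
SAMPLE_MOUNTINFO = """22 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
95 22 0:3 pid:[4026532201] /run/mesos/pidns/fef9a109-de52-45f3-ae41-171de6495705 rw - nsfs nsfs rw
96 22 0:3 pid:[4026532187] /run/mesos/pidns/7b812f00-4614-4016-a76c-ff78a175a1b0 rw shared:5 - nsfs nsfs rw"""
ACTIVE = {"fef9a109-de52-45f3-ae41-171de6495705"}
```

On a live host, feed `audit` the output of `os.listdir` on the directory and the contents of `/proc/self/mountinfo`.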