[
https://issues.apache.org/jira/browse/MESOS-7858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16117516#comment-16117516
]
Jie Yu commented on MESOS-7858:
-------------------------------
commit d9c90bf1d9c8b3a7dcc47be0cb773efff57cfb9d
Author: Jie Yu <[email protected]>
Date: Mon Aug 7 11:59:59 2017 -0700
Used async signal safe assert in ns::clone.
Review: https://reviews.apache.org/r/61477
commit 7ad8d38725e0dc917f0fa3f9afc5263ec4981d3e
Author: Jie Yu <[email protected]>
Date: Mon Aug 7 11:59:37 2017 -0700
Used clone instead of fork in ns::clone.
This patch is a workaround known to a glibc bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=15392
Glibc version < 2.25 has an assertion in 'fork()' which checks if the
child process's pid is not the same as the parent. This invariant is
no longer true with pid namespaces being introduced. See more details
in MESOS-7858.
This patch uses 'clone()' instead 'fork()' to bypass this assertion
failure. Since we always uses async signal safe functions after the
clone and we don't leverage any 'at_fork' handlers, it's OK to use
'clone()' here to replace 'fork()'.
Review: https://reviews.apache.org/r/61476
commit eb06f4db61ae09adbd12cd24a6a8a31a80fdc6f2
Author: Jie Yu <[email protected]>
Date: Mon Aug 7 11:44:09 2017 -0700
Added an async signal safe ASSERT to stout.
Review: https://reviews.apache.org/r/61475
commit 2c1b42047c062994f874b23ad62b87cc441f0e1e
Author: Jie Yu <[email protected]>
Date: Mon Aug 7 10:32:52 2017 -0700
Removed an unused function in src/linux/ns.hpp.
The last reference to this function was removed as part of this
cleanup: https://reviews.apache.org/r/51963/.
Review: https://reviews.apache.org/r/61474
> Launching a nested container with namespace/pid isolation, with glibc < 2.25,
> may deadlock the LinuxLauncher and MesosContainerizer
> -----------------------------------------------------------------------------------------------------------------------------------
>
> Key: MESOS-7858
> URL: https://issues.apache.org/jira/browse/MESOS-7858
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Affects Versions: 1.2.1, 1.3.0
> Reporter: Joseph Wu
> Assignee: Jie Yu
> Labels: health-check, mesosphere
>
> This bug in glibc (fixed in glibc 2.25) will sometimes cause a child process
> of a {{fork}} to {{assert}} incorrectly, if the parent enters a new pid
> namespace before forking:
> https://sourceware.org/bugzilla/show_bug.cgi?id=15392
> https://sourceware.org/bugzilla/show_bug.cgi?id=21386
> The LinuxLauncher code happens to do this when launching nested containers:
> * The MesosContainerizer process launches a subprocess, with a customized
> {{ns::clone}} function as an argument. The thread then basically waits for
> the launch to succeed and return a child PID:
> https://github.com/apache/mesos/blob/1.3.x/src/slave/containerizer/mesos/linux_launcher.cpp#L495
> * A separate thread in the Mesos agent forks and then waits for the
> grandchild to report a PID:
> https://github.com/apache/mesos/blob/1.3.x/src/linux/ns.hpp#L453
> * The child of the fork first enters the namespaces (including a pid
> namespace) and then forks a grandchild. The child then calls {{waitpid}} on
> the grandchild:
> https://github.com/apache/mesos/blob/1.3.x/src/linux/ns.hpp#L555
> * Due to the glibc bug, the grandchild sometimes never returns from the
> {{fork}} here:
> https://github.com/apache/mesos/blob/1.3.x/src/linux/ns.hpp#L540
> According to the glibc bug, we can work around this by:
> {quote}
> The obvious solution is just to use clone() after setns() and never use
> fork() - and one can certainly patch both programs to do so. Nevertheless it
> would be nice to see if fork() also worked after setns(), especially since
> there is no inherent reason for it not to.
> {quote}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
