[ https://issues.apache.org/jira/browse/MESOS-8507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16749679#comment-16749679 ]

Chun-Hung Hsiao commented on MESOS-8507:
----------------------------------------

The current proposal I have in mind is:
First, the recovered CSI volumes will be default-reserved through the 
{{default_reservations}} field in the SLRP config, so only a special framework 
will receive these resources. Then we can do one of the following:
 # Introduce a special "reservation transfer" offer operation so this special 
framework could re-reserve the CSI volume to the consumer framework atomically, 
then the consumer framework can re-reserve the volume again atomically if it 
wants to add reservation labels, then "re-create" the persistent volume on the 
CSI volume without wiping out the data. As an initial attempt, the required 
information about the reservation transfer (e.g., the target role) can be 
provided manually by the operator, but ultimately we should automatize the 
efforts.
 # Use a special authorization module to learn about the reservations when the 
persistent volume has been created, then only allow the same reservations on 
recovered CSI volumes.

> SLRP discards reservations when the agent is discarded, which could lead to 
> leaked volumes.
> -------------------------------------------------------------------------------------------
>
>                 Key: MESOS-8507
>                 URL: https://issues.apache.org/jira/browse/MESOS-8507
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Yan Xu
>            Priority: Major
>              Labels: storage
>
> In the current SLRP implementation the reservations for new SLRP/CSI backed 
> volumes are checkpointed under {{<meta>/slaves/latest/resource_providers}} so 
> when the agent runs into incompatible configuration changes (the kinds that 
> cannot be addressed by MESOS-1739), the operator has to remove the symlink 
> and then the reservations are gone. 
> Then the agent recovers with a new {{SlaveInfo}} and new SLRPs are created to 
> recover the CSI volumes. These CSI volumes will not have reservations and 
> thus will be offered to frameworks of any role, potentially with the data 
> already written by the previous owner. 
>  
> The framework doesn't have any control over this or any chance to clean up 
> before the volumes are re-offered, which is undesired for security reasons.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
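
The second option in the comment above (learn each volume's reservation when its persistent volume is created, then allow only that same reservation on a recovered CSI volume) can be modelled as follows. This is an added example, not Mesos code and not part of the original message; the class name, method names, volume IDs and roles are hypothetical, and it assumes the record is stored outside the agent's meta directory so that it survives removal of the symlink.

```python
# Hypothetical model of the authorization idea; not the Mesos authorizer API.
import json
from pathlib import Path


class ReservationLedger:
    """Remembers the reservation each CSI volume had when its persistent
    volume was created. Assumption: `path` lies outside the agent's meta
    directory, so the record outlives the checkpointed reservations."""

    def __init__(self, path):
        self.path = Path(path)
        self.entries = (
            json.loads(self.path.read_text()) if self.path.exists() else {}
        )

    def record_create(self, volume_id, role, labels=None):
        # Called when a persistent volume is created on a CSI volume.
        self.entries[volume_id] = {"role": role, "labels": labels or {}}
        self._flush()

    def record_destroy(self, volume_id):
        # The owner destroyed the persistent volume: forget its reservation.
        self.entries.pop(volume_id, None)
        self._flush()

    def authorize_reserve(self, volume_id, role, labels=None):
        known = self.entries.get(volume_id)
        if known is None:
            # No persistent volume was ever recorded on this CSI volume,
            # so there is no previous owner to protect.
            return True
        # Recovered volume: only the identical reservation is allowed.
        return known == {"role": role, "labels": labels or {}}

    def _flush(self):
        # Write to a temporary file, then rename, so a crash cannot leave
        # a half-written ledger behind.
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.entries, sort_keys=True))
        tmp.replace(self.path)
```

Constructing a second `ReservationLedger` on the same file stands in for the agent recovering with a new `SlaveInfo`: a reserve request for a recorded volume under a different role or different labels is refused.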
