[ https://issues.apache.org/jira/browse/MESOS-9529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805615#comment-16805615 ]

Jie Yu commented on MESOS-9529:
-------------------------------

I tried to send a patch for this ticket, but realized that the problem is a 
little tricky to resolve. The problem is that we cannot just blindly `mount -t 
proc proc /proc` irrespective of whether the container shares the same pid namespace as 
its parent, because if the parent container indeed shares the same pid 
namespace as the agent, this mount will result in EBUSY. We also cannot blindly 
umount /proc and mount again. This is because typically there are bind mounts 
under `/proc/sys/fs/binfmt_misc`. An unmount will typically result in EBUSY too.

> `/proc` should be remounted even if a nested container set 
> `share_pid_namespace` to true
> ----------------------------------------------------------------------------------------
>
>                 Key: MESOS-9529
>                 URL: https://issues.apache.org/jira/browse/MESOS-9529
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>    Affects Versions: 1.4.2, 1.5.2, 1.6.2, 1.7.1
>            Reporter: Jie Yu
>            Priority: Critical
>
> Currently, if a nested container wants to share the pid namespace of its 
> parent container, we allow the framework to set 
> `LinuxInfo.share_pid_namespace`.
> If the nested container does not have its own rootfs (i.e., it uses the host 
> rootfs), `/proc` is not re-mounted:
> https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126
> This is problematic because the nested container will fork the host's mount 
> namespace and thus inherit the `/proc` there. As a result, the `/proc/<pid>` entries 
> are still those of the host pid namespace. The pid namespace of the parent container 
> might be different from that of the host pid namespace.
> As a result, `ps aux` in the nested container will show all process 
> information of the host pid namespace, even though the pid namespace of the 
> nested container is different from that of the host.
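The remount decision discussed in the comment above, as an added example (not code from the Mesos code base): it only mounts a fresh procfs when the inherited `/proc` belongs to a different pid namespace than the caller, which is decided by comparing the `ns/pid` link of `self` with that of pid 1 as seen through that procfs. `fake_proc` and `busy_mount` are constructed stand-ins so the logic can be exercised without root; `libc_mount` is a hypothetical thin wrapper over mount(2).

```python
import ctypes
import errno
import os
import tempfile

def proc_matches_pid_ns(proc_root="/proc"):
    """True when the procfs at proc_root belongs to the caller's pid namespace.
    /proc/self/ns/pid is the caller's own pid ns; /proc/1/ns/pid is the ns this
    procfs instance was mounted for.  A mismatch means /proc was inherited from
    an ancestor namespace, which is exactly the MESOS-9529 situation."""
    try:
        mine = os.readlink(os.path.join(proc_root, "self", "ns", "pid"))
        init = os.readlink(os.path.join(proc_root, "1", "ns", "pid"))
    except FileNotFoundError:
        return False  # caller is not even visible in this procfs: foreign for sure
    return mine == init

def libc_mount(source, target, fstype):
    """Hypothetical thin mount(2) wrapper; raises OSError with the kernel errno."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.mount(source.encode(), target.encode(), fstype.encode(), 0, None) != 0:
        raise OSError(ctypes.get_errno(), "mount(2) failed")

def ensure_proc(proc_root="/proc", mount=libc_mount):
    """Stack a fresh procfs over proc_root only if it belongs to another pid ns.
    Returns "kept", "mounted" or "busy" (EBUSY).  It never unmounts first: bind
    mounts under /proc/sys/fs/binfmt_misc make that fail with EBUSY as well."""
    if proc_matches_pid_ns(proc_root):
        return "kept"  # mounting the same procfs again would give EBUSY
    try:
        mount("proc", proc_root, "proc")
    except OSError as e:
        if e.errno == errno.EBUSY:
            return "busy"
        raise
    return "mounted"

def fake_proc(self_ns, init_ns):
    """Constructed stand-in: temp dir with just the two ns symlinks of a procfs."""
    root = tempfile.mkdtemp()
    for pid, ns in (("self", self_ns), ("1", init_ns)):
        os.makedirs(os.path.join(root, pid, "ns"))
        os.symlink(ns, os.path.join(root, pid, "ns", "pid"))
    return root

def busy_mount(source, target, fstype):
    """Constructed stand-in: models mount(2) failing with EBUSY."""
    raise OSError(errno.EBUSY, "Device or resource busy")
```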



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)