> On May 20, 2015, 7:34 p.m., Paul Brett wrote:
> > src/slave/containerizer/isolators/filesystem/linux.cpp, line 69
> > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line69>
> >
> >     We don't need to be root, we just need to have CAP_SYS_ADMIN, and we 
> > could pick that up through a helpful suid mount program.

We call mount(2) directly and Mesos is not expected to be setuid root. This is 
consistent with the rest of the code so if/when we change that we'll do 
everything.


> On May 20, 2015, 7:34 p.m., Paul Brett wrote:
> > src/slave/containerizer/isolators/filesystem/linux.cpp, line 178
> > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line178>
> >
> >     This really tests if the container_path exists in the filesystem 
> > namespace, the actual location could be anywhere.

True, but is it a problem if it's elsewhere?


> On May 20, 2015, 7:34 p.m., Paul Brett wrote:
> > src/slave/containerizer/isolators/filesystem/linux.cpp, line 203
> > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line203>
> >
> >     Should this be comparing realpath(containerPath) with realpath(rootfs) 
> > in case the rootfs spec you are given contains symbolic links?

It's a precondition that rootfs is absolute, enforced elsewhere.


> On May 20, 2015, 7:34 p.m., Paul Brett wrote:
> > src/slave/containerizer/isolators/filesystem/linux.cpp, line 241
> > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line241>
> >
> >     Don't we want the option of mounting read only?

Nope, this is the work directory which we state is always writable.


> On May 20, 2015, 7:34 p.m., Paul Brett wrote:
> > src/slave/containerizer/mesos/containerizer.cpp, line 134
> > <https://reviews.apache.org/r/34135/diff/1/?file=957260#file957260line134>
> >
> >     I'm sure there will be more than one linux filesystem isolator, should 
> > we call this filesystem/bind?

Maybe. But I'd expect to add to the linux isolator rather than having a 
multitude.


- Ian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34135/#review84644
-----------------------------------------------------------


On May 12, 2015, 5:47 p.m., Ian Downes wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34135/
> -----------------------------------------------------------
> 
> (Updated May 12, 2015, 5:47 p.m.)
> 
> 
> Review request for mesos, Chi Zhang, Paul Brett, Timothy Chen, and Vinod Kone.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Moved code from Mesos Containerizer to filesystem isolators
>  - filesystem/posix (symlinks, doesn't support container rootfs)
>  - filesystem/linux (bind mounts, does support container rootfs)
> 
> The filesystem/posix isolator will be automatically included if no 
> filesystem/ isolator is specified.
> 
> 
> Diffs
> -----
> 
>   src/Makefile.am 14bc976a7b6a656fb58085484d25c3de3cf0f693 
>   src/slave/containerizer/isolators/filesystem/linux.hpp PRE-CREATION 
>   src/slave/containerizer/isolators/filesystem/linux.cpp PRE-CREATION 
>   src/slave/containerizer/isolators/filesystem/posix.hpp PRE-CREATION 
>   src/slave/containerizer/isolators/filesystem/posix.cpp PRE-CREATION 
>   src/slave/containerizer/linux_launcher.cpp 
> b9e22e3c70bed0c29e2ca8632411789d33f779a8 
>   src/slave/containerizer/mesos/containerizer.cpp 
> b644b9c74bc23cf78c0a53284544be6cdaef2f8a 
> 
> Diff: https://reviews.apache.org/r/34135/diff/
> 
> 
> Testing
> -------
> 
> existing persistent volumes tests.
> 
> 
> Thanks,
> 
> Ian Downes
> 
>

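The realpath question raised above against linux.cpp line 203 comes down to how a rootfs containment comparison treats symbolic links. The following is an added example, not Mesos code: a plain lexical prefix check next to one that canonicalises both sides with realpath(3), exercised on a constructed directory layout (the fixture paths, link names and function names are assumptions).

```cpp
// Added example (not Mesos code): compare a candidate path against a
// container rootfs after canonicalising both sides with realpath(3).
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks and "..": returns "" if any component is missing.
static std::string canonical(const std::string& p) {
  char* r = realpath(p.c_str(), nullptr);
  if (r == nullptr) return "";
  std::string out(r);
  free(r);
  return out;
}

// Lexical containment: `path` equals `root` or sits below it, checked at a
// '/' boundary so that "/rootfs2" is not taken to be inside "/rootfs".
bool lexicallyWithin(const std::string& path, const std::string& root) {
  if (path == root) return true;
  if (path.compare(0, root.size(), root) != 0) return false;
  return root == "/" || path[root.size()] == '/';
}

// Canonical containment: symlinks on either side are resolved first, so a
// rootfs spec given through a symlink, or a link under the rootfs that
// points outside it, is judged by where the path really lands.
bool canonicallyWithin(const std::string& path, const std::string& root) {
  const std::string p = canonical(path), r = canonical(root);
  if (p.empty() || r.empty()) return false;
  return lexicallyWithin(p, r);
}

// Constructed fixture (hypothetical layout, created under mkdtemp):
//   <base>/rootfs/bin, <base>/outside/data,
//   <base>/rootfslink -> rootfs, <base>/rootfs/escape -> ../outside
// Returns <base>, or "" if anything failed.
std::string buildFixture() {
  char tmpl[] = "/tmp/fsiso-XXXXXX";
  const char* dir = mkdtemp(tmpl);
  if (dir == nullptr) return "";
  const std::string base(dir);
  for (const char* d : {"/rootfs", "/rootfs/bin", "/outside", "/outside/data"})
    if (mkdir((base + d).c_str(), 0700) != 0) return "";
  if (symlink("rootfs", (base + "/rootfslink").c_str()) != 0) return "";
  if (symlink("../outside", (base + "/rootfs/escape").c_str()) != 0) return "";
  return base;
}
```

With the fixture in place, `lexicallyWithin(rootfs + "/escape/data", rootfs)` is true while `canonicallyWithin` on the same arguments is false, and a rootfs given as `rootfslink` is only matched by the canonical form.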