> On May 20, 2015, 7:34 p.m., Paul Brett wrote: > > src/slave/containerizer/isolators/filesystem/linux.cpp, line 69 > > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line69> > > > > We don't need to be root, we just need to have CAP_SYS_ADMIN, and we > > could pick that up through a helpful suid mount program.
We call mount(2) directly and Mesos is not expected to be setuid root. This is consistent with the rest of the code so if/when we change that we'll do everything. > On May 20, 2015, 7:34 p.m., Paul Brett wrote: > > src/slave/containerizer/isolators/filesystem/linux.cpp, line 178 > > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line178> > > > > This really tests if the container_path exists in the filesystem > > namespace, the actual location could be anywhere. True, but is it a problem if it's elsewhere? > On May 20, 2015, 7:34 p.m., Paul Brett wrote: > > src/slave/containerizer/isolators/filesystem/linux.cpp, line 203 > > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line203> > > > > Should thie be comparing realpath(containerPath) with realpath(rootfs) > > in case the rootfs spec you are given contains symbolic links? It's a precondition that rootfs is absolute, enforced elsewhere. > On May 20, 2015, 7:34 p.m., Paul Brett wrote: > > src/slave/containerizer/isolators/filesystem/linux.cpp, line 241 > > <https://reviews.apache.org/r/34135/diff/1/?file=957256#file957256line241> > > > > Don't we want the option of mounting read only? Nope, this is the work directory which we state is always writable. > On May 20, 2015, 7:34 p.m., Paul Brett wrote: > > src/slave/containerizer/mesos/containerizer.cpp, line 134 > > <https://reviews.apache.org/r/34135/diff/1/?file=957260#file957260line134> > > > > I'm sure there will be more than one linux filesystem isolator, should > > we call this filesystem/bind? Maybe. But I'd expect to add to the linux isolator rather than having a multitude. - Ian ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34135/#review84644 ----------------------------------------------------------- On May 12, 2015, 5:47 p.m., Ian Downes wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/34135/ > ----------------------------------------------------------- > > (Updated May 12, 2015, 5:47 p.m.) > > > Review request for mesos, Chi Zhang, Paul Brett, Timothy Chen, and Vinod Kone. > > > Repository: mesos > > > Description > ------- > > Moved code from Mesos Containerizer to filesystem isolators > - filesystem/posix (symlinks, doesn't support container rootfs) > - filesystem/linux (bind mounts, does support container rootfs) > > The filesystem/posix isolator will be automatically included if no > filesystem/ isolator is specified. > > > Diffs > ----- > > src/Makefile.am 14bc976a7b6a656fb58085484d25c3de3cf0f693 > src/slave/containerizer/isolators/filesystem/linux.hpp PRE-CREATION > src/slave/containerizer/isolators/filesystem/linux.cpp PRE-CREATION > src/slave/containerizer/isolators/filesystem/posix.hpp PRE-CREATION > src/slave/containerizer/isolators/filesystem/posix.cpp PRE-CREATION > src/slave/containerizer/linux_launcher.cpp > b9e22e3c70bed0c29e2ca8632411789d33f779a8 > src/slave/containerizer/mesos/containerizer.cpp > b644b9c74bc23cf78c0a53284544be6cdaef2f8a > > Diff: https://reviews.apache.org/r/34135/diff/ > > > Testing > ------- > > existing persistent volumes tests. > > > Thanks, > > Ian Downes > >
