> On Feb. 2, 2016, 4:16 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/containerizer.cpp, lines 1029-1034
> > <https://reviews.apache.org/r/43083/diff/1/?file=1228986#file1228986line1029>
> >
> >     We shouldn't allow the executor to cd into an arbitrary directory if filesystem isolation is not used (because that'll create a security issue).
> >     
> >     I would do the following:
> >     ```
> >     if (rootfs.isSome()) {
> >       launchFlags.directory = workingDir.isSome()
> >         ? workingDir.get()
> >         : flags.sandbox_directory;
> >     } else {
> >       // NOTE: If the executor shares the host filesystem, we
> >       // should not allow them to 'cd' into an arbitrary directory
> >       // because that'll create security issues.
> >       if (workingDir.isSome()) {
> >         LOG(WARNING) << "Ignore working directory '" << workingDir.get()
> >                      << "' specified in container launch info for container "
> >                      << containerId << " since the executor is using the "
> >                      << "host filesystem";
> >       }
> >       launchFlags.directory = directory;
> >     }
> >     ```

Note that this issue is fixed in /mesos/launch.cpp


- Gilbert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43083/#review117522
-----------------------------------------------------------


On Feb. 3, 2016, 4:49 p.m., Gilbert Song wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43083/
> -----------------------------------------------------------
> 
> (Updated Feb. 3, 2016, 4:49 p.m.)
> 
> 
> Review request for mesos, Artem Harutyunyan, Jie Yu, and Timothy Chen.
> 
> 
> Bugs: MESOS-4005
>     https://issues.apache.org/jira/browse/MESOS-4005
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Supported working dir in docker runtime isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/containerizer.cpp 4b504dbb58823ce7675f1d2048dcc7a27c05663d
>   src/slave/containerizer/mesos/isolators/docker/runtime.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/docker/runtime.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/43083/diff/
> 
> 
> Testing
> -------
> 
> make check (ubuntu14.04 + clang-3.6)
> 
> 
> Thanks,
> 
> Gilbert Song
> 
>
