> On March 20, 2016, 7:08 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/network/cni/cni.cpp, lines 206-212
> > <https://reviews.apache.org/r/44706/diff/2/?file=1307515#file1307515line206>
> >
> >     I suggest we save a rootDir in the isolator process. We can easily 
> > switch to use a flag later. Also, we need to call 'realpath' here to make 
> > sure it's a realpath.
> >     
> >     We also need to make sure ROOT_DIR is a self bind mounted directory 
> > (slave+shared) so that namespace bind mount does not leak into containers.
> 
> Qian Zhang wrote:
>     Do you mean we call `realpath()` to get the real path of the const string 
> `ROOT_DIR` first and then call `mkdir` with the real path as its parameter to 
> create the directory?
>     
>     And can you please elaborate why the namespace bind mount can be leaked 
> into containers if we do not make `ROOT_DIR` as a self bind mounted 
> directory? I just want to know the rationale behind it :-)

I had the same question (about slave+shared bind mount). So read this 
https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt . Very 
interesting, and a valid comment.


- Avinash


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44706/#review124460
-----------------------------------------------------------
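
Added example, not part of this thread or of the Mesos patch: one way to verify the condition raised in the review, by reading the optional fields of `/proc/self/mountinfo` to confirm that a directory is itself a mount point that is both slave (`master:N`) and shared (`shared:N`). The function names, the path `/example/cni/root` and the sample mountinfo text are hypothetical and constructed for illustration; the directory passed in is assumed to be the result of `realpath()` already.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample in /proc/<pid>/mountinfo format (not captured output).
const char* const kSampleMountinfo =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "90 22 8:1 /example/cni/root /example/cni/root rw shared:45 master:1 - ext4 /dev/sda1 rw\n"
    "91 22 8:1 /example/private /example/private rw,relatime - ext4 /dev/sda1 rw\n";

// Propagation state of one mount, taken from the optional mountinfo fields.
struct Propagation {
  bool mounted = false;  // the directory is itself a mount point
  bool shared = false;   // "shared:N": member of peer group N
  bool slave = false;    // "master:N": receives mount events from group N
};

// Scans mountinfo text for `dir` (a canonical path) and returns its flags.
// If several lines match, the last matching line is used. Paths containing
// whitespace appear octal-escaped in mountinfo and are not decoded here.
Propagation propagationOf(const std::string& mountinfo, const std::string& dir) {
  Propagation result;
  std::istringstream lines(mountinfo);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::vector<std::string> tokens;
    std::string token;
    while (fields >> token) tokens.push_back(token);
    // Layout: id parent major:minor root mountpoint options [optional...] - ...
    if (tokens.size() < 7 || tokens[4] != dir) continue;
    Propagation p;
    p.mounted = true;
    for (std::size_t i = 6; i < tokens.size() && tokens[i] != "-"; ++i) {
      if (tokens[i].rfind("shared:", 0) == 0) p.shared = true;
      if (tokens[i].rfind("master:", 0) == 0) p.slave = true;
    }
    result = p;
  }
  return result;
}

// True only for the state asked for in the review: mounted, slave and shared.
bool isSlaveShared(const Propagation& p) {
  return p.mounted && p.shared && p.slave;
}
```
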


On March 20, 2016, 4:27 p.m., Qian Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44706/
> -----------------------------------------------------------
> 
> (Updated March 20, 2016, 4:27 p.m.)
> 
> 
> Review request for mesos, Avinash sridharan, Gilbert Song, and Jie Yu.
> 
> 
> Bugs: MESOS-4759
>     https://issues.apache.org/jira/browse/MESOS-4759
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented isolate() method of "network/cni" isolator.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/cni/cni.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/cni/cni.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/44706/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Qian Zhang
> 
>
