-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50592/#review144270
-----------------------------------------------------------

src/slave/containerizer/mesos/isolators/gpu/volume.cpp (lines 238 - 243)
<https://reviews.apache.org/r/50592/#comment210265>

What if `/` is mounted with `noexec` and `/run` is mounted without `noexec`? Do you still need to do the mount?

Since you're doing a reverse iteration, I think the logic should simply be: find the first entry that satisfies `startsWith(realpath.get(), entry.target)`, and if that entry does not contain `noexec`, mount is not needed. Otherwise, mount is needed.

You don't need the `realpath.get() == entry.target` check below, I think.


src/slave/containerizer/mesos/isolators/gpu/volume.cpp (line 253)
<https://reviews.apache.org/r/50592/#comment210266>

This needs root permission. Make sure to check that in appropriate locations.


- Jie Yu


On July 29, 2016, 3:25 a.m., Kevin Klues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50592/
> -----------------------------------------------------------
>
> (Updated July 29, 2016, 3:25 a.m.)
>
>
> Review request for mesos, Benjamin Mahler and Jie Yu.
>
>
> Bugs: MESOS-5923
>     https://issues.apache.org/jira/browse/MESOS-5923
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch is in response to an issue we ran into on Ubuntu 14.04,
> where '/run' is being mounted as 'noexec' (MESOS-5923). Since our
> NvidiaVolume is created below this mount point, we are unable to
> execute any binaries we add to this volume. This causes problems, for
> example, when trying to execute 'nvidia-smi' from within a container
> that has this volume mounted in.
>
> To work around this issue, we detect if any mount point above the path
> where we create the volume is marked as 'noexec', and if so, we create
> a new 'tmpfs' mount for the volume without 'noexec' set.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/gpu/volume.cpp 4b3651a8266b1ba193f6d207cd3be1ce55629703
>
> Diff: https://reviews.apache.org/r/50592/diff/
>
>
> Testing
> -------
>
> Remount /run as 'noexec'
>
> `GTEST_FILTER="*NVIDIA*" make -j check`
>
> Ran a master/agent/execute set running 'nvidia-smi' both inside and outside a
> docker container.
> Both setups ran successfully.
>
>
> Thanks,
>
> Kevin Klues
>
>
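
The lookup described in the first review comment, as an added C++ example that is not part of the Mesos patch or of this thread: walk the mount table in reverse and let the first entry covering the path decide whether `noexec` applies. `MountEntry`, `isUnder`, `hasOption` and `needsExecMount` are hypothetical names, the table and path are constructed, and the table is assumed to list older mounts first; the match goes slightly beyond a plain `startsWith` by requiring a path-component boundary.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for one mount-table row (not the Mesos type).
struct MountEntry {
  std::string target;   // mount point
  std::string options;  // comma-separated mount options
};

// True if `path` is `target` or lies below it on a component boundary,
// so "/run" covers "/run/mesos" but not "/running".
bool isUnder(const std::string& path, const std::string& target) {
  if (target == "/") return !path.empty() && path[0] == '/';
  if (path.compare(0, target.size(), target) != 0) return false;
  return path.size() == target.size() || path[target.size()] == '/';
}

// True if `option` is a whole token of the comma-separated `options`.
bool hasOption(const std::string& options, const std::string& option) {
  std::size_t start = 0;
  while (start <= options.size()) {
    std::size_t end = options.find(',', start);
    if (end == std::string::npos) end = options.size();
    if (options.compare(start, end - start, option) == 0) return true;
    start = end + 1;
  }
  return false;
}

// Walk the table newest-first; the first entry covering `realpath` is the
// mount that governs it, so only that entry's options decide the answer.
bool needsExecMount(const std::vector<MountEntry>& table,
                    const std::string& realpath) {
  for (auto it = table.rbegin(); it != table.rend(); ++it) {
    if (isUnder(realpath, it->target)) return hasOption(it->options, "noexec");
  }
  return false;  // nothing covers the path; nothing to work around
}

int main() {
  // Constructed table: "/" is noexec, "/run" is not (the case raised above).
  std::vector<MountEntry> table = {{"/", "rw,noexec"}, {"/run", "rw,nosuid"}};
  // Constructed path. Expect 0: "/run" governs it, so no extra mount is needed.
  return needsExecMount(table, "/run/mesos/gpu") ? 1 : 0;
}
```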
