> On July 31, 2016, 12:25 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/gpu/volume.cpp, lines 238-243
> > <https://reviews.apache.org/r/50592/diff/1/?file=1457192#file1457192line238>
> >
> > What if `/` is mounted with `noexec` and `/run` is mounted without
> > `noexec`? Do you still need to do the mount?
> >
> > Since you're doing a reverse iteration, I think the logic should simply
> > be to find the first entry that satisfies `startsWith(realpath.get(),
> > entry.target)`, and if that entry does not contain `noexec`, mount is not
> > needed. Otherwise, mount is needed.
> >
> > You don't need the `realpath.get() == entry.target` check below, I think.

I agree. This is a much better way of doing this.

> On July 31, 2016, 12:25 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/gpu/volume.cpp, line 253
> > <https://reviews.apache.org/r/50592/diff/1/?file=1457192#file1457192line253>
> >
> > This needs root permission. Make sure to check that in appropriate
> > locations.

Added in a separate review: https://reviews.apache.org/r/50644/

- Kevin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50592/#review144270
-----------------------------------------------------------

On July 29, 2016, 3:25 a.m., Kevin Klues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50592/
> -----------------------------------------------------------
>
> (Updated July 29, 2016, 3:25 a.m.)
>
>
> Review request for mesos, Benjamin Mahler and Jie Yu.
>
>
> Bugs: MESOS-5923
>     https://issues.apache.org/jira/browse/MESOS-5923
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch is in response to an issue we ran into on Ubuntu 14.04,
> where '/run' is being mounted as 'noexec' (MESOS-5923). Since our
> NvidiaVolume is created below this mount point, we are unable to
> execute any binaries we add to this volume. This causes problems, for
> example, when trying to execute 'nvidia-smi' from within a container
> that has this volume mounted in.
>
> To work around this issue, we detect if any mount point above the path
> where we create the volume is marked as 'noexec', and if so, we create
> a new 'tmpfs' mount for the volume without 'noexec' set.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/gpu/volume.cpp
>     4b3651a8266b1ba193f6d207cd3be1ce55629703
>
> Diff: https://reviews.apache.org/r/50592/diff/
>
>
> Testing
> -------
>
> Remount /run as 'noexec'
>
> `GTEST_FILTER="*NVIDIA*" make -j check`
>
> Ran a master/agent/execute set running 'nvidia-smi' both inside and outside a
> docker container.
> Both setups ran successfully.
>
>
> Thanks,
>
> Kevin Klues
>
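
The check discussed in this thread (reverse iteration over the mount table, where the first entry covering the path decides whether `noexec` applies), as an added example that is not part of the review or of the Mesos source. All names are hypothetical, the mount tables and paths are constructed samples in `/proc/self/mounts` field order, and the path-component boundary check is an addition beyond the plain `startsWith` quoted above.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct MountEntry { std::string target, options; };

// Parse /proc/self/mounts-style lines: "source target fstype options dump pass".
std::vector<MountEntry> parseMounts(const std::string& table) {
  std::vector<MountEntry> entries;
  std::istringstream lines(table);
  for (std::string line; std::getline(lines, line);) {
    std::istringstream fields(line);
    std::string source, fstype;
    MountEntry e;
    if (fields >> source >> e.target >> fstype >> e.options) entries.push_back(e);
  }
  return entries;
}

// Prefix match on a path-component boundary, so "/run" does not cover "/runner".
// (A plain string-prefix test would; this boundary check is an addition here.)
bool isUnder(const std::string& path, const std::string& target) {
  if (target == "/") return !path.empty() && path[0] == '/';
  if (path.compare(0, target.size(), target) != 0) return false;
  return path.size() == target.size() || path[target.size()] == '/';
}

bool hasOption(const std::string& options, const std::string& wanted) {
  std::istringstream opts(options);
  for (std::string opt; std::getline(opts, opt, ',');)
    if (opt == wanted) return true;
  return false;
}

// Newest mount first: the first entry covering the path is the one in effect.
bool needsExecMount(const std::vector<MountEntry>& entries, const std::string& realpath) {
  for (auto it = entries.rbegin(); it != entries.rend(); ++it)
    if (isUnder(realpath, it->target)) return hasOption(it->options, "noexec");
  return false;  // no covering entry found
}

// Constructed sample tables (not captured from a real host).
const std::string kRunNoexec = "rootfs / ext4 rw 0 0\ntmpfs /run tmpfs rw,nosuid,noexec 0 0\n";
const std::string kRootNoexec = "rootfs / ext4 rw,noexec 0 0\ntmpfs /run tmpfs rw,nosuid 0 0\n";
int main() {
  std::cout << needsExecMount(parseMounts(kRunNoexec), "/run/example/volume") << "\n";
  std::cout << needsExecMount(parseMounts(kRootNoexec), "/run/example/volume") << "\n";
}
```

The second table is the case raised in the review: `/` is `noexec` but `/run` is not, so no extra mount is needed for a path under `/run`.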
