-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50271/#review148399
-----------------------------------------------------------

src/slave/containerizer/mesos/isolators/linux/capabilities.cpp (lines 47 - 49)
<https://reviews.apache.org/r/50271/#comment215860>

    We need to have a special case for command tasks (i.e., containerConfig.has_task_info()). For command tasks, we need to make sure the executor is running under root, having all capabilities. I.e., `launchInfo.capability` should not be set. Instead, we need to add a new flag to command executor (`--capabilities`) and command executor will pass that to `mesos-containerizer launch` helper.


src/slave/containerizer/mesos/isolators/linux/capabilities.cpp (lines 57 - 68)
<https://reviews.apache.org/r/50271/#comment215861>

    Do you know that `Set` supports union and intersection? I think here we can just leverage Set intersection.


- Jie Yu


On Sept. 9, 2016, 3:26 p.m., Benjamin Bannier wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50271/
> -----------------------------------------------------------
>
> (Updated Sept. 9, 2016, 3:26 p.m.)
>
>
> Review request for mesos, Jay Guo and Jie Yu.
>
>
> Bugs: MESOS-5275
>     https://issues.apache.org/jira/browse/MESOS-5275
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This isolator evaluates agent allowed capabilities and passes net
> capabilities on to `mesos-containerizer` which enforces the
> capabilities.
>
> Capability information is passed via a new field in
> `ContainerLaunchInfo`.
>
>
> Diffs
> -----
>
>   include/mesos/slave/containerizer.proto 16dd3a19145b9764273cdb9a8899e353c98730e5
>   src/CMakeLists.txt 01ef494f7120156de3b826d7def76fb30bcc61b5
>   src/Makefile.am 15b9a63822eca8d0b428191940026756fba7821e
>   src/slave/containerizer/mesos/containerizer.cpp 89b7e8db38916d69d9b2d4fe305d4397b0859a10
>   src/slave/containerizer/mesos/isolators/linux/capabilities.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/linux/capabilities.cpp PRE-CREATION
>   src/tests/containerizer/isolator_tests.cpp f8056ca08029feed5f164d4f94e24d521183bdfc
>
> Diff: https://reviews.apache.org/r/50271/diff/
>
>
> Testing
> -------
>
> `make check` and `sudo make check` (Debian jessie, gcc-4.9.2, w/o
> optimizations)
>
>
> Thanks,
>
> Benjamin Bannier
>
>
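
The two review points above (leave the launch capabilities unset for command tasks, and compute the net set with a set intersection), sketched as an added example that is not part of the e-mail thread or the Mesos code. `CapabilitySet`, `LaunchPlan`, `intersect` and `plan` are hypothetical names, `std::set` stands in for the `Set` type the review mentions, and reading "net capabilities" as allowed-intersected-with-requested is an assumption.

```cpp
#include <algorithm>
#include <iostream>
#include <iterator>
#include <set>
#include <string>

// Hypothetical stand-ins for illustration; these are not the Mesos types.
using CapabilitySet = std::set<std::string>;

struct LaunchPlan {
  bool launchCapabilitiesSet;        // would the launch-info field be populated?
  CapabilitySet launchCapabilities;  // enforced directly on the launched process
  CapabilitySet executorFlag;        // value for the proposed --capabilities flag
};

// Net capabilities: the intersection of both sets (assumed meaning of "net").
CapabilitySet intersect(const CapabilitySet& a, const CapabilitySet& b) {
  CapabilitySet out;
  std::set_intersection(a.begin(), a.end(), b.begin(), b.end(),
                        std::inserter(out, out.begin()));
  return out;
}

LaunchPlan plan(bool isCommandTask, const CapabilitySet& allowed,
                const CapabilitySet& requested) {
  LaunchPlan p{false, {}, {}};
  const CapabilitySet net = intersect(allowed, requested);
  if (isCommandTask) {
    // Command task: the executor keeps running as root with all capabilities,
    // so the launch field stays unset and the net set goes to the executor.
    p.executorFlag = net;
  } else {
    p.launchCapabilitiesSet = true;
    p.launchCapabilities = net;
  }
  return p;
}

int main() {
  // Constructed sample sets (Linux capability names without the CAP_ prefix).
  const CapabilitySet allowed = {"CHOWN", "NET_BIND_SERVICE", "NET_RAW"};
  const CapabilitySet requested = {"NET_RAW", "SYS_ADMIN"};
  const LaunchPlan p = plan(true, allowed, requested);
  std::cout << "command task: launch field "
            << (p.launchCapabilitiesSet ? "set" : "unset") << "\n";
  return 0;
}
```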
