Re: Review Request 58337: Add allowed devices whitelist for cgroups/devices isolator.

Tue, 11 Apr 2017 04:14:14 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58337/
-----------------------------------------------------------

(Updated April 11, 2017, 11:13 a.m.)


Review request for mesos and haosdent huang.


Bugs: MESOS-6791
    https://issues.apache.org/jira/browse/MESOS-6791


Repository: mesos


Description
-------

Add allowed devices whitelist for cgroups/devices isolator.


Diffs (updated)
-----

  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp 
ca2727142a9f257168f3cae0958f7b4665b63cf6 
  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 
9b5cf83093796b0c0cc5057b612f80bc8b8ba72f 
  src/slave/flags.hpp 171f67e44518e858049d002fcf037715021da265 
  src/slave/flags.cpp 9365da2c8462a4375a99a86210b9d6ec628510fe 


Diff: https://reviews.apache.org/r/58337/diff/2/

Changes: https://reviews.apache.org/r/58337/diff/1-2/


Testing
-------

For simple test:

1. Launch without additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
--work_dir=/tmp/mesos --isolation=cgroups/devices`
  2. try open `/dev/rtc0` and failed with permission denied. `sudo 
mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 
/dev/rtc0"`
2. Launch with additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
--work_dir=/tmp/mesos --isolation=cgroups/devices 
--cgroups_allowed_devices=/dev/rtc0`
  2. open `/dev/rtc0` successfully. `sudo mesos-execute --master=127.0.0.1:5050 
--name=test --command="head -c 0 /dev/rtc0"`


Thanks,

Zhongbo Tian

Reply via email to