-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58603/#review173450
-----------------------------------------------------------


docs/configuration.md
Lines 1154-1155 (original), 1154-1180 (patched)
<https://reviews.apache.org/r/58603/#comment246432>

I modified it to

```
<tr>
  <td>
    --allowed_devices
  </td>
  <td>
JSON object representing the devices that will be additionally
whitelisted by cgroups devices subsystem. Noted that the following
devices always be whitelisted by default:
<pre><code> * /dev/console
 * /dev/tty0
 * /dev/tty1
 * /dev/pts/*
 * /dev/ptmx
 * /dev/net/tun
 * /dev/null
 * /dev/zero
 * /dev/full
 * /dev/tty
 * /dev/urandom
 * /dev/random
</code></pre>
This flag will take effect only when <code>cgroups/devices</code> is set in
<code>--isolation</code> flag.
<p/>
Example:
<pre><code>{
  "allowed_devices": [
    {
      "device": {
        "path": "/path/to/device"
      },
      "access": {
        "read": true,
        "write": false,
        "mknod": false
      }
    }
  ]
}
</code></pre>
  </td>
</tr>
```


src/slave/flags.cpp
Lines 457-476 (patched)
<https://reviews.apache.org/r/58603/#comment246433>

I modified it to

```
add(&Flags::allowed_devices,
    "allowed_devices",
    "JSON array representing the devices that will be additionally\n"
    "whitelisted by cgroups devices subsystem. Noted that the following\n"
    "devices always be whitelisted by default:\n"
    " * /dev/console\n"
    " * /dev/tty0\n"
    " * /dev/tty1\n"
    " * /dev/pts/*\n"
    " * /dev/ptmx\n"
    " * /dev/net/tun\n"
    " * /dev/null\n"
    " * /dev/zero\n"
    " * /dev/full\n"
    " * /dev/tty\n"
    " * /dev/urandom\n"
    " * /dev/random\n"
    "This flag will take effect only when `cgroups/devices` is set in\n"
    "`--isolation` flag.\n"
    "Example:\n"
    "{\n"
    "  \"allowed_devices\": [\n"
    "    {\n"
    "      \"device\": {\n"
    "        \"path\": \"/path/to/device\"\n"
    "      },\n"
    "      \"access\": {\n"
    "        \"read\": true,\n"
    "        \"write\": false,\n"
    "        \"mknod\": false\n"
    "      }\n"
    "    }\n"
    "  ]\n"
    "}\n");
```


- haosdent huang


On April 27, 2017, 7:01 a.m., Zhongbo Tian wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58603/
> -----------------------------------------------------------
>
> (Updated April 27, 2017, 7:01 a.m.)
>
>
> Review request for mesos, haosdent huang and Jie Yu.
>
>
> Bugs: MESOS-6791
>     https://issues.apache.org/jira/browse/MESOS-6791
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Allowed whitelisting of additional devices in the cgroups devices subsystem.
>
>
> Diffs
> -----
>
>   docs/configuration.md 159f946216299fc52171e0a58c7eb7c888c1eec8
>   include/mesos/mesos.proto 46bb7813cc402f2a71879d26d4bbc62abd852d52
>   include/mesos/type_utils.hpp 5f771aaf2f4e76ac06bfd8f77b0b744ed2854b27
>   include/mesos/v1/mesos.proto f7c05a82f8265aedc0bd8fd20dd30e21af46e775
>   src/common/parse.hpp e90738a91161e26a48a6e381765e631492294641
>   src/common/type_utils.cpp 9bc32af7df3242906633ac75d479223333be8e5f
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp ca2727142a9f257168f3cae0958f7b4665b63cf6
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 9b5cf83093796b0c0cc5057b612f80bc8b8ba72f
>   src/slave/flags.hpp c7a4604ed994e15c1db6accfaded2e882f1aec94
>   src/slave/flags.cpp c50e43c0e0ba633f6b905b0d78668c0a0eebb173
>
>
> Diff: https://reviews.apache.org/r/58603/diff/4/
>
>
> Testing
> -------
>
> For test:
>
> - Launch without additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices`
>   2. Try to open `/dev/rtc0`; it fails with permission denied. `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
>
> - Launch with additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 --work_dir=/tmp/mesos --isolation=cgroups/devices --allowed_devices='{"allowed_devices":[{"device":{"path":"/dev/rtc0"}, "access":{"mknod":true, "read":true, "write":true}}]}'`
>   2. Open `/dev/rtc0` successfully. `sudo mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
>
>
> Thanks,
>
> Zhongbo Tian
>
>
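
Added example, not part of the review thread or of the Mesos patch: a pre-flight check an operator could run on an `--allowed_devices` value before starting the agent, listing the cgroup v1 `devices.allow` lines (`type major:minor access`) each entry would correspond to and flagging malformed entries. The helper names, the validation rules and the assumption that the isolator maps `read`/`write`/`mknod` to `r`/`w`/`m` are illustrative, and the device number 254:0 is constructed.

```python
import json
import os
import stat

# Letters that cgroup v1 `devices.allow` uses for each access boolean in the flag.
LETTERS = (("read", "r"), ("write", "w"), ("mknod", "m"))


def stat_device(path):
    """Return (type, major, minor) of a device node on this host."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        raise ValueError("not a device node")
    return kind, os.major(st.st_rdev), os.minor(st.st_rdev)


def devices_allow_entries(flag_value, lookup=stat_device):
    """Check an --allowed_devices value; return (entries, problems)."""
    entries, problems = [], []
    for i, item in enumerate(json.loads(flag_value).get("allowed_devices", [])):
        path = item.get("device", {}).get("path")
        access = item.get("access", {})
        if not isinstance(path, str) or not path.startswith("/"):
            problems.append(f"entry {i}: device.path must be an absolute path")
            continue
        bad = sorted(k for k, v in access.items()
                     if k not in dict(LETTERS) or not isinstance(v, bool))
        if bad:
            problems.append(f"entry {i}: invalid access field(s) {bad}")
            continue
        perms = "".join(c for k, c in LETTERS if access.get(k))
        if not perms:
            problems.append(f"entry {i}: grants no access to {path}")
            continue
        try:
            kind, major, minor = lookup(path)
        except (OSError, ValueError) as err:
            problems.append(f"entry {i}: {path}: {err}")
            continue
        entries.append(f"{kind} {major}:{minor} {perms}")
    return entries, problems


if __name__ == "__main__":
    # Flag value from the review's test; 254:0 is a constructed device number.
    flag = ('{"allowed_devices":[{"device":{"path":"/dev/rtc0"},'
            '"access":{"mknod":true,"read":true,"write":true}}]}')
    print(devices_allow_entries(flag, lookup=lambda p: ("c", 254, 0)))
```

With the default `lookup`, the script stats the real device nodes, so entries whose path does not exist or is not a device node show up in `problems` instead of being passed to the agent.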
