-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57884/#review177833
-----------------------------------------------------------

src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
Lines 1918-1928 (patched)
<https://reviews.apache.org/r/57884/#comment251555>

Thought about it more. I don't think we should do read-only bind mount if the 'source' is not from host `/etc/*`. We should allow container to modify it because the file is private to each container.


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
Lines 1980-1990 (patched)
<https://reviews.apache.org/r/57884/#comment251556>

Ditto here.


- Jie Yu


On June 13, 2017, 10:02 p.m., Silas Snider wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57884/
> -----------------------------------------------------------
>
> (Updated June 13, 2017, 10:02 p.m.)
>
>
> Review request for mesos and Jie Yu.
>
>
> Bugs: MESOS-7268
>     https://issues.apache.org/jira/browse/MESOS-7268
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Ensure that host /etc/* files are mounted RDONLY by the CNI Isolator.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/network/cni/cni.cpp 6e95315b70a5d9d3b4b21c4cf235b0a483760190
>
>
> Diff: https://reviews.apache.org/r/57884/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Silas Snider
>
>
