> On May 21, 2018, 7:24 p.m., Jie Yu wrote: > > src/slave/containerizer/mesos/isolators/linux/devices.cpp > > Lines 170-175 (patched) > > <https://reviews.apache.org/r/67097/diff/4/?file=2024122#file2024122line171> > > > > Any reason we only do that for the directory, not the actual device > > file?
The actual device file is supposed to be accessed by the task user, so it has to be owned by that user. This chown is ensuring that we don't also grant access to other host users as a side-effect of the container. - James ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/67097/#review203515 ----------------------------------------------------------- On May 15, 2018, 5:53 p.m., James Peach wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/67097/ > ----------------------------------------------------------- > > (Updated May 15, 2018, 5:53 p.m.) > > > Review request for mesos, Gilbert Song, Jason Lai, and Jie Yu. > > > Bugs: MESOS-8792 > https://issues.apache.org/jira/browse/MESOS-8792 > > > Repository: mesos > > > Description > ------- > > Added `linux/devices` isolator support for populating the container > devices. This introduces a general mechanism for populating devices > into a specific container but currently only implements devices for all > containers based on the devices specified by the `--allowed_devices` > agent flag. > > > Diffs > ----- > > src/slave/containerizer/mesos/isolators/linux/devices.hpp PRE-CREATION > src/slave/containerizer/mesos/isolators/linux/devices.cpp PRE-CREATION > > > Diff: https://reviews.apache.org/r/67097/diff/4/ > > > Testing > ------- > > make check (Fedora 27) > > > Thanks, > > James Peach > >
