> On Dec. 27, 2018, 9:16 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 1196-1197 (patched)
> > <https://reviews.apache.org/r/68022/diff/7/?file=2110527#file2110527line1198>
> >
> > Hmm, this seems unfortunate. Will it prevent the container from being launched?

Since the containerizer launcher is not multithreaded, there is no chance that malloc's global mutex is acquired by another thread at the moment when the main thread calls `fork()`. So, it's safe to call `malloc` after forking a child process.

Currently, the only way to load a Seccomp filter via `libseccomp` is to call `seccomp_load`. When libseccomp developers add a new API call, we should use the new one instead of `seccomp_load`.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68022/#review211543
-----------------------------------------------------------


On Aug. 6, 2018, 1:39 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68022/
> -----------------------------------------------------------
>
> (Updated Aug. 6, 2018, 1:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9106
>     https://issues.apache.org/jira/browse/MESOS-9106
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Containerizer launcher creates an instance of `SeccompFilter`, which is
> used to set up a Seccomp profile using the `ContainerSeccompProfile` message
> prepared by the `linux/seccomp` isolator. The Seccomp filter is loaded
> right before calling `execve()`, so that a container will be running
> with syscall filtering enabled.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
>
>
> Diff: https://reviews.apache.org/r/68022/diff/8/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
