----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75080/ -----------------------------------------------------------
(Updated July 11, 2024, 3:51 p.m.) Review request for mesos and Benjamin Mahler. Repository: mesos Description (updated) ------- Currently, if we try to attach device ebpf files to the same cgroup multiple times, they will all be attached, and they will all be run when a device requests access. This conflicts with our design to have one ebpf file per cgroup that represents all the files they want to allow or deny, where that file is updated when the cgroup adds or removes a device. So we add a patch to atomically replace any existing ebpf file already attached to our target cgroup using our new ebpf file. Diffs (updated) ----- src/linux/cgroups2.cpp d1fc2638cdf9a07199f90952e04998072021011c src/linux/ebpf.cpp 3f7f74df25dbf35720cd5f6c19644173552d5b82 src/tests/containerizer/cgroups2_tests.cpp cb1e229f7f40aa71f57417c33fccb2cfb313a1f5 Diff: https://reviews.apache.org/r/75080/diff/2/ Changes: https://reviews.apache.org/r/75080/diff/1-2/ Testing ------- Added a test to verify that when a we attach a ebpf file to a cgroup that already has a file attached, the old file is replaced and the new file now controls device access. Cgroups2 tests passed. Thanks, Jason Zhou
