[jira] [Updated] (MESOS-7237) Enabling cgroups_limit_swap can lead to "invalid argument" error.
[ https://issues.apache.org/jira/browse/MESOS-7237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jie Yu updated MESOS-7237: -- Fix Version/s: 1.2.1 1.1.2 > Enabling cgroups_limit_swap can lead to "invalid argument" error. > - > > Key: MESOS-7237 > URL: https://issues.apache.org/jira/browse/MESOS-7237 > Project: Mesos > Issue Type: Bug >Affects Versions: 1.0.2, 1.1.0, 1.2.0 > Environment: CentOS 7. >Reporter: Jie Yu >Assignee: Jie Yu >Priority: Critical > Fix For: 1.1.2, 1.2.1, 1.3.0 > > > This is related to MESOS-2128. Looks like the redhat doc linked in that > ticket is not accurate. `memory.limit_in_bytes` has to be less than or equal > to `memory.memsw.limit_in_bytes`. Otherwise, the kernel is gonna throw > EINVAL. Here is the validation with a box that has swap disabled: > {noformat} > [root@ip-10-10-0-120 test]# pwd > /sys/fs/cgroup/memory/test > [root@ip-10-10-0-120 test]# sleep 100 & > [1] 23121 > [root@ip-10-10-0-120 test]# echo 23121 > tasks > [root@ip-10-10-0-120 test]# cat tasks > 23121 > [root@ip-10-10-0-120 test]# cat memory.limit_in_bytes > 9223372036854771712 > [root@ip-10-10-0-120 test]# cat memory.memsw.limit_in_bytes > 9223372036854771712 > [root@ip-10-10-0-120 test]# echo 300 > memory.limit_in_bytes > [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes > [root@ip-10-10-0-120 test]# echo 1 > memory.limit_in_bytes > bash: echo: write error: Invalid argument > [root@ip-10-10-0-120 test]# cat /proc/swaps > FilenameTypeSizeUsed > Priority > {noformat} > {noformat} > [root@ip-10-10-0-120 test]# sleep 10 & > [1] 31363 > [root@ip-10-10-0-120 test]# echo 31363 > tasks > [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes > bash: echo: write error: Invalid argument > [root@ip-10-10-0-120 test]# echo 300 > memory.limit_in_bytes > [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes > [root@ip-10-10-0-120 test]# echo 1 > memory.memsw.limit_in_bytes > [root@ip-10-10-0-120 test]# echo 1 > memory.limit_in_bytes > [root@ip-10-10-0-120 test]# cat memory.limit_in_bytes > 9744 > [root@ip-10-10-0-120 test]# cat memory.memsw.limit_in_bytes > 9744 > {noformat} > Related Docker issue: https://github.com/docker/docker/pull/25461 -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Comment Edited] (MESOS-6998) Add authentication support to agent's '/v1/executor' endpoint
[ https://issues.apache.org/jira/browse/MESOS-6998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15927198#comment-15927198 ] Greg Mann edited comment on MESOS-6998 at 3/18/17 2:07 AM: --- Reviews here: https://reviews.apache.org/r/57666/ https://reviews.apache.org/r/57670/ https://reviews.apache.org/r/57671/ Changes to the tests to verify this functionality can be found in the patch chain for MESOS-6999. was (Author: greggomann): Reviews here: https://reviews.apache.org/r/57666/ https://reviews.apache.org/r/57670/ https://reviews.apache.org/r/57671/ Tests still need to be added once MESOS-6999 is resolved. > Add authentication support to agent's '/v1/executor' endpoint > - > > Key: MESOS-6998 > URL: https://issues.apache.org/jira/browse/MESOS-6998 > Project: Mesos > Issue Type: Task > Components: agent, security >Reporter: Greg Mann >Assignee: Greg Mann > Labels: agent, executor, mesosphere, security > > The new agent flag {{--authenticate_http_executors}} must be added. When set, > it will require that requests received on the {{/v1/executor}} endpoint be > authenticated, and the default JWT authenticator will be loaded. Note that > this will require the addition of a new authentication realm for that > endpoint. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6999) Add agent support for generating and passing executor secrets
[ https://issues.apache.org/jira/browse/MESOS-6999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930998#comment-15930998 ] Greg Mann commented on MESOS-6999: -- Reviews here: https://reviews.apache.org/r/57743/ https://reviews.apache.org/r/57744/ https://reviews.apache.org/r/57745/ https://reviews.apache.org/r/57746/ https://reviews.apache.org/r/57747/ https://reviews.apache.org/r/57748/ https://reviews.apache.org/r/57749/ https://reviews.apache.org/r/57750/ > Add agent support for generating and passing executor secrets > - > > Key: MESOS-6999 > URL: https://issues.apache.org/jira/browse/MESOS-6999 > Project: Mesos > Issue Type: Task > Components: agent, security >Reporter: Greg Mann >Assignee: Greg Mann > Labels: agent, executor, flags, mesosphere, security > > The agent must generate and pass executor secrets to all executors using the > V1 API. For MVP, the agent will have this behavior by default when compiled > with SSL support. To accomplish this, the agent must: > * load the default {{SecretGenerator}} module > * call the secret generator when launching an executor > * pass the generated secret into the executor's environment -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Assigned] (MESOS-6999) Add agent support for generating and passing executor secrets
[ https://issues.apache.org/jira/browse/MESOS-6999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Greg Mann reassigned MESOS-6999: Assignee: Greg Mann (was: Jan Schlicht) > Add agent support for generating and passing executor secrets > - > > Key: MESOS-6999 > URL: https://issues.apache.org/jira/browse/MESOS-6999 > Project: Mesos > Issue Type: Task > Components: agent, security >Reporter: Greg Mann >Assignee: Greg Mann > Labels: agent, executor, flags, mesosphere, security > > The agent must generate and pass executor secrets to all executors using the > V1 API. For MVP, the agent will have this behavior by default when compiled > with SSL support. To accomplish this, the agent must: > * load the default {{SecretGenerator}} module > * call the secret generator when launching an executor > * pass the generated secret into the executor's environment -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (MESOS-7197) Requesting tiny amount of CPU crashes master
[ https://issues.apache.org/jira/browse/MESOS-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Neil Conway updated MESOS-7197: --- Target Version/s: 1.1.2, 1.2.1, 1.3.0 > Requesting tiny amount of CPU crashes master > > > Key: MESOS-7197 > URL: https://issues.apache.org/jira/browse/MESOS-7197 > Project: Mesos > Issue Type: Bug > Components: allocation >Affects Versions: 1.1.0, 1.2.0 > Environment: Ubuntu 14.04, using Mesosphere PPA to install Mesos >Reporter: Bruce Merry >Assignee: Neil Conway >Priority: Critical > > If a task is submitted with a tiny CPU request e.g. 0.0004, then when it > completes the master crashes due to a CHECK failure: > {noformat} > F0302 10:48:26.654909 15391 sorter.cpp:291] Check failed: > allocations[name].resources[slaveId].contains(resources) > {noformat} > I can reproduce this with the following command: > {noformat} > mesos-execute --command='sleep 5' --master=$MASTER --name=crashtest > --resources='cpus:0.0004;mem:128' > {noformat} > If I replace 0.0004 with 0.001 the issue no longer occurs. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-7197) Requesting tiny amount of CPU crashes master
[ https://issues.apache.org/jira/browse/MESOS-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930867#comment-15930867 ] Neil Conway commented on MESOS-7197: Okay, I figured out what is going on here. When constructing a {{Resources}} object from a string, we drop empty resource values (e.g., scalar resources with a value of zero). The code that checks whether a resource value is empty [directly compares the value against 0|https://github.com/apache/mesos/blob/d0cd96b8f920b28ec27c0f6ae9cb8f2101dc1d50/src/common/resources.cpp#L841], which is wrong for minimal resource values as in this example. Will send an RR with a fix shortly. > Requesting tiny amount of CPU crashes master > > > Key: MESOS-7197 > URL: https://issues.apache.org/jira/browse/MESOS-7197 > Project: Mesos > Issue Type: Bug > Components: allocation >Affects Versions: 1.1.0, 1.2.0 > Environment: Ubuntu 14.04, using Mesosphere PPA to install Mesos >Reporter: Bruce Merry >Assignee: Neil Conway >Priority: Critical > > If a task is submitted with a tiny CPU request e.g. 0.0004, then when it > completes the master crashes due to a CHECK failure: > {noformat} > F0302 10:48:26.654909 15391 sorter.cpp:291] Check failed: > allocations[name].resources[slaveId].contains(resources) > {noformat} > I can reproduce this with the following command: > {noformat} > mesos-execute --command='sleep 5' --master=$MASTER --name=crashtest > --resources='cpus:0.0004;mem:128' > {noformat} > If I replace 0.0004 with 0.001 the issue no longer occurs. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-7190) Update endpoint handlers to use 'ObjectApprover'
[ https://issues.apache.org/jira/browse/MESOS-7190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930736#comment-15930736 ] Greg Mann commented on MESOS-7190: -- I'm actually not so sure about this. Callsites which don't do authorization-based filtering, but which simply need a boolean authorization result, are much cleaner when using {{authorized()}}. I think that instead of eliminating the {{authorized()}} method entirely, we could provide an implementation as a member-function of the {{Authorizer}} base class. It could make use of the local authorizer's [current implementation|https://github.com/apache/mesos/blob/62161ac4416323b7373cc5e2a63b285f6f510d11/src/authorizer/local/authorizer.cpp#L628-L643] to accomplish this functionality using {{getObjectApprover}}. In this way, modules would only need to implement {{getObjectApprover}}, and the base class could provide an {{authorized()}} helper to keep the callsites clean. cc [~arojas] [~adam-mesos] [~tillt] > Update endpoint handlers to use 'ObjectApprover' > > > Key: MESOS-7190 > URL: https://issues.apache.org/jira/browse/MESOS-7190 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Greg Mann > Labels: authorization, mesosphere, security > > The {{ObjectApprover}}-based interface for the authorizer has been > introduced, but not all handlers make use of this new functionality (i.e., > {{Slave::Http::flags()}}. We should consider migrating all authorization code > to use {{getObjectApprover}}, and deprecating the older {{authorized()}} > interface. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-7247) HTTP Authenticator modules should be able to redirect users
[ https://issues.apache.org/jira/browse/MESOS-7247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930521#comment-15930521 ] Silas Snider commented on MESOS-7247: - https://reviews.apache.org/r/57651/ https://reviews.apache.org/r/57652/ > HTTP Authenticator modules should be able to redirect users > --- > > Key: MESOS-7247 > URL: https://issues.apache.org/jira/browse/MESOS-7247 > Project: Mesos > Issue Type: Improvement > Components: agent, libprocess, master >Reporter: Silas Snider >Assignee: Silas Snider > > RIght now, Autheticator modules can only respond with an Unauthorized HTTP > status code if they need to get auth information from the client. This works > for Basic auth, but not for authentication types like oauth, which expect the > server to redirect the client to the right authorization provider URL. > We should change AuthenticationResult to allow arbitrary http responses to > allow for more flexibility here. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Comment Edited] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930506#comment-15930506 ] pawan edited comment on MESOS-6443 at 3/17/17 7:03 PM: --- Thanks [~haosd...@gmail.com] . Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) was (Author: pawan.ufl): Thanks [~haosdent huang]. Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930506#comment-15930506 ] pawan commented on MESOS-6443: -- Thanks [~haosdent huang]. Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930450#comment-15930450 ] haosdent commented on MESOS-6443: - Hi, [~pawan.ufl] There is a bug that missing maintenance.html when packaging. Would create a separate ticket to cherry pick it to 1.2.1, sorry for the inconvenient. > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Created] (MESOS-7260) Authorization for {{/role}} endpoint should take both {{view_roles}} and {{view_frameworks}} into account.
Jay Guo created MESOS-7260: -- Summary: Authorization for {{/role}} endpoint should take both {{view_roles}} and {{view_frameworks}} into account. Key: MESOS-7260 URL: https://issues.apache.org/jira/browse/MESOS-7260 Project: Mesos Issue Type: Bug Components: HTTP API, master Reporter: Jay Guo Consider following case: both {{framework1}} and {{framework2}} subscribe to {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}}, but *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain {{framework1}}, but not both frameworks. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (MESOS-7260) Authorization for `/role` endpoint should take both VIEW_ROLES and VIEW_FRAMEWORKS into account.
[ https://issues.apache.org/jira/browse/MESOS-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jay Guo updated MESOS-7260: --- Description: Consider following case: both {{framework1}} and {{framework2}} subscribe to {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{framework1}}, but *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain {{framework1}}, but not both frameworks. (was: Consider following case: both {{framework1}} and {{framework2}} subscribe to {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}}, but *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain {{framework1}}, but not both frameworks.) > Authorization for `/role` endpoint should take both VIEW_ROLES and > VIEW_FRAMEWORKS into account. > > > Key: MESOS-7260 > URL: https://issues.apache.org/jira/browse/MESOS-7260 > Project: Mesos > Issue Type: Bug > Components: HTTP API, master >Reporter: Jay Guo > > Consider following case: both {{framework1}} and {{framework2}} subscribe to > {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{framework1}}, but > *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain > {{framework1}}, but not both frameworks. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (MESOS-7260) Authorization for `/role` endpoint should take both VIEW_ROLES and VIEW_FRAMEWORKS into account.
[ https://issues.apache.org/jira/browse/MESOS-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jay Guo updated MESOS-7260: --- Summary: Authorization for `/role` endpoint should take both VIEW_ROLES and VIEW_FRAMEWORKS into account. (was: Authorization for {{/role}} endpoint should take both {{view_roles}} and {{view_frameworks}} into account.) > Authorization for `/role` endpoint should take both VIEW_ROLES and > VIEW_FRAMEWORKS into account. > > > Key: MESOS-7260 > URL: https://issues.apache.org/jira/browse/MESOS-7260 > Project: Mesos > Issue Type: Bug > Components: HTTP API, master >Reporter: Jay Guo > > Consider following case: both {{framework1}} and {{framework2}} subscribe to > {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}}, > but *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain > {{framework1}}, but not both frameworks. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Comment Edited] (MESOS-7097) Framework credentials can be used to register as an agent.
[ https://issues.apache.org/jira/browse/MESOS-7097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15924752#comment-15924752 ] Yan Xu edited comment on MESOS-7097 at 3/17/17 5:22 PM: https://reviews.apache.org/r/57520/ https://reviews.apache.org/r/57534/ https://reviews.apache.org/r/57535/ https://reviews.apache.org/r/57710 https://reviews.apache.org/r/57730/ https://reviews.apache.org/r/57731/ was (Author: xujyan): https://reviews.apache.org/r/57520/ https://reviews.apache.org/r/57534/ https://reviews.apache.org/r/57535/ https://reviews.apache.org/r/57710 > Framework credentials can be used to register as an agent. > -- > > Key: MESOS-7097 > URL: https://issues.apache.org/jira/browse/MESOS-7097 > Project: Mesos > Issue Type: Bug >Reporter: Yan Xu >Assignee: Yan Xu > > Mesos uses the same credentials for all default http authenticators and the > crammd5 authenticator, across clients that include frameworks, agents and > operators. All authenticated clients are treated the same until the > authorizer kicks in when handling specific actions. > There's currently not an ACL that limits who can/cannot register as agents so > whoever obtains the framework credentials can freely do so. The ability to > register as agents should be limited to the entities with the agent > credentials/principles. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930059#comment-15930059 ] pawan commented on MESOS-6443: -- Has the maintenance.html made it into the mesos-1.2.0 tar ball ? I cant see it in the package, also it throws a 404 on the ui. Could someone please check and comment ? > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Assigned] (MESOS-7259) Remove deprecated ACLs `SetQuota` and `RemoveQuota`
[ https://issues.apache.org/jira/browse/MESOS-7259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Rojas reassigned MESOS-7259: -- Assignee: Alexander Rojas > Remove deprecated ACLs `SetQuota` and `RemoveQuota` > --- > > Key: MESOS-7259 > URL: https://issues.apache.org/jira/browse/MESOS-7259 > Project: Mesos > Issue Type: Bug >Reporter: Alexander Rojas >Assignee: Alexander Rojas > > The ACLs {{SetQuota}} and {{RemoveQuota}} where marked for deprecation more > than six months ago, where they were replaced for the more convenient > {{UpdateQuota}} ACL. The deprecation cycle for these actions is finally due > while at the same time removing will make easier to implement the > hierarchical role feature in a generic way. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Created] (MESOS-7259) Remove deprecated ACLs `SetQuota` and `RemoveQuota`
Alexander Rojas created MESOS-7259: -- Summary: Remove deprecated ACLs `SetQuota` and `RemoveQuota` Key: MESOS-7259 URL: https://issues.apache.org/jira/browse/MESOS-7259 Project: Mesos Issue Type: Bug Reporter: Alexander Rojas The ACLs {{SetQuota}} and {{RemoveQuota}} where marked for deprecation more than six months ago, where they were replaced for the more convenient {{UpdateQuota}} ACL. The deprecation cycle for these actions is finally due while at the same time removing will make easier to implement the hierarchical role feature in a generic way. -- This message was sent by Atlassian JIRA (v6.3.15#6346)