[jira] [Updated] (MESOS-7237) Enabling cgroups_limit_swap can lead to "invalid argument" error.
[
https://issues.apache.org/jira/browse/MESOS-7237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jie Yu updated MESOS-7237:
--
Fix Version/s: 1.2.1
1.1.2
> Enabling cgroups_limit_swap can lead to "invalid argument" error.
> -
>
> Key: MESOS-7237
> URL: https://issues.apache.org/jira/browse/MESOS-7237
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 1.0.2, 1.1.0, 1.2.0
> Environment: CentOS 7.
>Reporter: Jie Yu
>Assignee: Jie Yu
>Priority: Critical
> Fix For: 1.1.2, 1.2.1, 1.3.0
>
>
> This is related to MESOS-2128. Looks like the redhat doc linked in that
> ticket is not accurate. `memory.limit_in_bytes` has to be less than or equal
> to `memory.memsw.limit_in_bytes`. Otherwise, the kernel is gonna throw
> EINVAL. Here is the validation with a box that has swap disabled:
> {noformat}
> [root@ip-10-10-0-120 test]# pwd
> /sys/fs/cgroup/memory/test
> [root@ip-10-10-0-120 test]# sleep 100 &
> [1] 23121
> [root@ip-10-10-0-120 test]# echo 23121 > tasks
> [root@ip-10-10-0-120 test]# cat tasks
> 23121
> [root@ip-10-10-0-120 test]# cat memory.limit_in_bytes
> 9223372036854771712
> [root@ip-10-10-0-120 test]# cat memory.memsw.limit_in_bytes
> 9223372036854771712
> [root@ip-10-10-0-120 test]# echo 300 > memory.limit_in_bytes
> [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes
> [root@ip-10-10-0-120 test]# echo 1 > memory.limit_in_bytes
> bash: echo: write error: Invalid argument
> [root@ip-10-10-0-120 test]# cat /proc/swaps
> FilenameTypeSizeUsed
> Priority
> {noformat}
> {noformat}
> [root@ip-10-10-0-120 test]# sleep 10 &
> [1] 31363
> [root@ip-10-10-0-120 test]# echo 31363 > tasks
> [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes
> bash: echo: write error: Invalid argument
> [root@ip-10-10-0-120 test]# echo 300 > memory.limit_in_bytes
> [root@ip-10-10-0-120 test]# echo 300 > memory.memsw.limit_in_bytes
> [root@ip-10-10-0-120 test]# echo 1 > memory.memsw.limit_in_bytes
> [root@ip-10-10-0-120 test]# echo 1 > memory.limit_in_bytes
> [root@ip-10-10-0-120 test]# cat memory.limit_in_bytes
> 9744
> [root@ip-10-10-0-120 test]# cat memory.memsw.limit_in_bytes
> 9744
> {noformat}
> Related Docker issue: https://github.com/docker/docker/pull/25461
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (MESOS-6998) Add authentication support to agent's '/v1/executor' endpoint
[
https://issues.apache.org/jira/browse/MESOS-6998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15927198#comment-15927198
]
Greg Mann edited comment on MESOS-6998 at 3/18/17 2:07 AM:
---
Reviews here:
https://reviews.apache.org/r/57666/
https://reviews.apache.org/r/57670/
https://reviews.apache.org/r/57671/
Changes to the tests to verify this functionality can be found in the patch
chain for MESOS-6999.
was (Author: greggomann):
Reviews here:
https://reviews.apache.org/r/57666/
https://reviews.apache.org/r/57670/
https://reviews.apache.org/r/57671/
Tests still need to be added once MESOS-6999 is resolved.
> Add authentication support to agent's '/v1/executor' endpoint
> -
>
> Key: MESOS-6998
> URL: https://issues.apache.org/jira/browse/MESOS-6998
> Project: Mesos
> Issue Type: Task
> Components: agent, security
>Reporter: Greg Mann
>Assignee: Greg Mann
> Labels: agent, executor, mesosphere, security
>
> The new agent flag {{--authenticate_http_executors}} must be added. When set,
> it will require that requests received on the {{/v1/executor}} endpoint be
> authenticated, and the default JWT authenticator will be loaded. Note that
> this will require the addition of a new authentication realm for that
> endpoint.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (MESOS-6999) Add agent support for generating and passing executor secrets
[
https://issues.apache.org/jira/browse/MESOS-6999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930998#comment-15930998
]
Greg Mann commented on MESOS-6999:
--
Reviews here:
https://reviews.apache.org/r/57743/
https://reviews.apache.org/r/57744/
https://reviews.apache.org/r/57745/
https://reviews.apache.org/r/57746/
https://reviews.apache.org/r/57747/
https://reviews.apache.org/r/57748/
https://reviews.apache.org/r/57749/
https://reviews.apache.org/r/57750/
> Add agent support for generating and passing executor secrets
> -
>
> Key: MESOS-6999
> URL: https://issues.apache.org/jira/browse/MESOS-6999
> Project: Mesos
> Issue Type: Task
> Components: agent, security
>Reporter: Greg Mann
>Assignee: Greg Mann
> Labels: agent, executor, flags, mesosphere, security
>
> The agent must generate and pass executor secrets to all executors using the
> V1 API. For MVP, the agent will have this behavior by default when compiled
> with SSL support. To accomplish this, the agent must:
> * load the default {{SecretGenerator}} module
> * call the secret generator when launching an executor
> * pass the generated secret into the executor's environment
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Assigned] (MESOS-6999) Add agent support for generating and passing executor secrets
[
https://issues.apache.org/jira/browse/MESOS-6999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Mann reassigned MESOS-6999:
Assignee: Greg Mann (was: Jan Schlicht)
> Add agent support for generating and passing executor secrets
> -
>
> Key: MESOS-6999
> URL: https://issues.apache.org/jira/browse/MESOS-6999
> Project: Mesos
> Issue Type: Task
> Components: agent, security
>Reporter: Greg Mann
>Assignee: Greg Mann
> Labels: agent, executor, flags, mesosphere, security
>
> The agent must generate and pass executor secrets to all executors using the
> V1 API. For MVP, the agent will have this behavior by default when compiled
> with SSL support. To accomplish this, the agent must:
> * load the default {{SecretGenerator}} module
> * call the secret generator when launching an executor
> * pass the generated secret into the executor's environment
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Updated] (MESOS-7197) Requesting tiny amount of CPU crashes master
[
https://issues.apache.org/jira/browse/MESOS-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Neil Conway updated MESOS-7197:
---
Target Version/s: 1.1.2, 1.2.1, 1.3.0
> Requesting tiny amount of CPU crashes master
>
>
> Key: MESOS-7197
> URL: https://issues.apache.org/jira/browse/MESOS-7197
> Project: Mesos
> Issue Type: Bug
> Components: allocation
>Affects Versions: 1.1.0, 1.2.0
> Environment: Ubuntu 14.04, using Mesosphere PPA to install Mesos
>Reporter: Bruce Merry
>Assignee: Neil Conway
>Priority: Critical
>
> If a task is submitted with a tiny CPU request e.g. 0.0004, then when it
> completes the master crashes due to a CHECK failure:
> {noformat}
> F0302 10:48:26.654909 15391 sorter.cpp:291] Check failed:
> allocations[name].resources[slaveId].contains(resources)
> {noformat}
> I can reproduce this with the following command:
> {noformat}
> mesos-execute --command='sleep 5' --master=$MASTER --name=crashtest
> --resources='cpus:0.0004;mem:128'
> {noformat}
> If I replace 0.0004 with 0.001 the issue no longer occurs.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (MESOS-7197) Requesting tiny amount of CPU crashes master
[
https://issues.apache.org/jira/browse/MESOS-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930867#comment-15930867
]
Neil Conway commented on MESOS-7197:
Okay, I figured out what is going on here. When constructing a {{Resources}}
object from a string, we drop empty resource values (e.g., scalar resources
with a value of zero). The code that checks whether a resource value is empty
[directly compares the value against
0|https://github.com/apache/mesos/blob/d0cd96b8f920b28ec27c0f6ae9cb8f2101dc1d50/src/common/resources.cpp#L841],
which is wrong for minimal resource values as in this example.
Will send an RR with a fix shortly.
> Requesting tiny amount of CPU crashes master
>
>
> Key: MESOS-7197
> URL: https://issues.apache.org/jira/browse/MESOS-7197
> Project: Mesos
> Issue Type: Bug
> Components: allocation
>Affects Versions: 1.1.0, 1.2.0
> Environment: Ubuntu 14.04, using Mesosphere PPA to install Mesos
>Reporter: Bruce Merry
>Assignee: Neil Conway
>Priority: Critical
>
> If a task is submitted with a tiny CPU request e.g. 0.0004, then when it
> completes the master crashes due to a CHECK failure:
> {noformat}
> F0302 10:48:26.654909 15391 sorter.cpp:291] Check failed:
> allocations[name].resources[slaveId].contains(resources)
> {noformat}
> I can reproduce this with the following command:
> {noformat}
> mesos-execute --command='sleep 5' --master=$MASTER --name=crashtest
> --resources='cpus:0.0004;mem:128'
> {noformat}
> If I replace 0.0004 with 0.001 the issue no longer occurs.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (MESOS-7190) Update endpoint handlers to use 'ObjectApprover'
[
https://issues.apache.org/jira/browse/MESOS-7190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930736#comment-15930736
]
Greg Mann commented on MESOS-7190:
--
I'm actually not so sure about this. Callsites which don't do
authorization-based filtering, but which simply need a boolean authorization
result, are much cleaner when using {{authorized()}}.
I think that instead of eliminating the {{authorized()}} method entirely, we
could provide an implementation as a member-function of the {{Authorizer}} base
class. It could make use of the local authorizer's [current
implementation|https://github.com/apache/mesos/blob/62161ac4416323b7373cc5e2a63b285f6f510d11/src/authorizer/local/authorizer.cpp#L628-L643]
to accomplish this functionality using {{getObjectApprover}}. In this way,
modules would only need to implement {{getObjectApprover}}, and the base class
could provide an {{authorized()}} helper to keep the callsites clean.
cc [~arojas] [~adam-mesos] [~tillt]
> Update endpoint handlers to use 'ObjectApprover'
>
>
> Key: MESOS-7190
> URL: https://issues.apache.org/jira/browse/MESOS-7190
> Project: Mesos
> Issue Type: Improvement
> Components: security
>Reporter: Greg Mann
> Labels: authorization, mesosphere, security
>
> The {{ObjectApprover}}-based interface for the authorizer has been
> introduced, but not all handlers make use of this new functionality (i.e.,
> {{Slave::Http::flags()}}. We should consider migrating all authorization code
> to use {{getObjectApprover}}, and deprecating the older {{authorized()}}
> interface.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (MESOS-7247) HTTP Authenticator modules should be able to redirect users
[ https://issues.apache.org/jira/browse/MESOS-7247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930521#comment-15930521 ] Silas Snider commented on MESOS-7247: - https://reviews.apache.org/r/57651/ https://reviews.apache.org/r/57652/ > HTTP Authenticator modules should be able to redirect users > --- > > Key: MESOS-7247 > URL: https://issues.apache.org/jira/browse/MESOS-7247 > Project: Mesos > Issue Type: Improvement > Components: agent, libprocess, master >Reporter: Silas Snider >Assignee: Silas Snider > > RIght now, Autheticator modules can only respond with an Unauthorized HTTP > status code if they need to get auth information from the client. This works > for Basic auth, but not for authentication types like oauth, which expect the > server to redirect the client to the right authorization provider URL. > We should change AuthenticationResult to allow arbitrary http responses to > allow for more flexibility here. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Comment Edited] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930506#comment-15930506 ] pawan edited comment on MESOS-6443 at 3/17/17 7:03 PM: --- Thanks [~haosd...@gmail.com] . Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) was (Author: pawan.ufl): Thanks [~haosdent huang]. Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930506#comment-15930506 ] pawan commented on MESOS-6443: -- Thanks [~haosdent huang]. Glad that it's being cherry picked. Would appreciate it if you can leave the new ticket id in the comment section here :) > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930450#comment-15930450 ] haosdent commented on MESOS-6443: - Hi, [~pawan.ufl] There is a bug that missing maintenance.html when packaging. Would create a separate ticket to cherry pick it to 1.2.1, sorry for the inconvenient. > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Created] (MESOS-7260) Authorization for {{/role}} endpoint should take both {{view_roles}} and {{view_frameworks}} into account.
Jay Guo created MESOS-7260:
--
Summary: Authorization for {{/role}} endpoint should take both
{{view_roles}} and {{view_frameworks}} into account.
Key: MESOS-7260
URL: https://issues.apache.org/jira/browse/MESOS-7260
Project: Mesos
Issue Type: Bug
Components: HTTP API, master
Reporter: Jay Guo
Consider following case: both {{framework1}} and {{framework2}} subscribe to
{{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}}, but
*NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain
{{framework1}}, but not both frameworks.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Updated] (MESOS-7260) Authorization for `/role` endpoint should take both VIEW_ROLES and VIEW_FRAMEWORKS into account.
[
https://issues.apache.org/jira/browse/MESOS-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jay Guo updated MESOS-7260:
---
Description: Consider following case: both {{framework1}} and
{{framework2}} subscribe to {{roleX}}, {{principal}} is allowed to view
{{roleX}} and {{framework1}}, but *NOT* {{framework2}}, therefore, {{/role}}
endpoint should only contain {{framework1}}, but not both frameworks. (was:
Consider following case: both {{framework1}} and {{framework2}} subscribe to
{{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}}, but
*NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain
{{framework1}}, but not both frameworks.)
> Authorization for `/role` endpoint should take both VIEW_ROLES and
> VIEW_FRAMEWORKS into account.
>
>
> Key: MESOS-7260
> URL: https://issues.apache.org/jira/browse/MESOS-7260
> Project: Mesos
> Issue Type: Bug
> Components: HTTP API, master
>Reporter: Jay Guo
>
> Consider following case: both {{framework1}} and {{framework2}} subscribe to
> {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{framework1}}, but
> *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain
> {{framework1}}, but not both frameworks.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Updated] (MESOS-7260) Authorization for `/role` endpoint should take both VIEW_ROLES and VIEW_FRAMEWORKS into account.
[
https://issues.apache.org/jira/browse/MESOS-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jay Guo updated MESOS-7260:
---
Summary: Authorization for `/role` endpoint should take both VIEW_ROLES and
VIEW_FRAMEWORKS into account. (was: Authorization for {{/role}} endpoint
should take both {{view_roles}} and {{view_frameworks}} into account.)
> Authorization for `/role` endpoint should take both VIEW_ROLES and
> VIEW_FRAMEWORKS into account.
>
>
> Key: MESOS-7260
> URL: https://issues.apache.org/jira/browse/MESOS-7260
> Project: Mesos
> Issue Type: Bug
> Components: HTTP API, master
>Reporter: Jay Guo
>
> Consider following case: both {{framework1}} and {{framework2}} subscribe to
> {{roleX}}, {{principal}} is allowed to view {{roleX}} and {{ framework1}},
> but *NOT* {{framework2}}, therefore, {{/role}} endpoint should only contain
> {{framework1}}, but not both frameworks.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (MESOS-7097) Framework credentials can be used to register as an agent.
[ https://issues.apache.org/jira/browse/MESOS-7097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15924752#comment-15924752 ] Yan Xu edited comment on MESOS-7097 at 3/17/17 5:22 PM: https://reviews.apache.org/r/57520/ https://reviews.apache.org/r/57534/ https://reviews.apache.org/r/57535/ https://reviews.apache.org/r/57710 https://reviews.apache.org/r/57730/ https://reviews.apache.org/r/57731/ was (Author: xujyan): https://reviews.apache.org/r/57520/ https://reviews.apache.org/r/57534/ https://reviews.apache.org/r/57535/ https://reviews.apache.org/r/57710 > Framework credentials can be used to register as an agent. > -- > > Key: MESOS-7097 > URL: https://issues.apache.org/jira/browse/MESOS-7097 > Project: Mesos > Issue Type: Bug >Reporter: Yan Xu >Assignee: Yan Xu > > Mesos uses the same credentials for all default http authenticators and the > crammd5 authenticator, across clients that include frameworks, agents and > operators. All authenticated clients are treated the same until the > authorizer kicks in when handling specific actions. > There's currently not an ACL that limits who can/cannot register as agents so > whoever obtains the framework credentials can freely do so. The ability to > register as agents should be limited to the entities with the agent > credentials/principles. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (MESOS-6443) Display maintenance information in the webui.
[ https://issues.apache.org/jira/browse/MESOS-6443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930059#comment-15930059 ] pawan commented on MESOS-6443: -- Has the maintenance.html made it into the mesos-1.2.0 tar ball ? I cant see it in the package, also it throws a 404 on the ui. Could someone please check and comment ? > Display maintenance information in the webui. > - > > Key: MESOS-6443 > URL: https://issues.apache.org/jira/browse/MESOS-6443 > Project: Mesos > Issue Type: Improvement > Components: webui >Reporter: Tomasz Janiszewski >Assignee: Tomasz Janiszewski >Priority: Minor > Fix For: 1.2.0 > > Attachments: mesos_webui_maintenance_schedule.png > > > Add new tab with Maintenance schedule. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Assigned] (MESOS-7259) Remove deprecated ACLs `SetQuota` and `RemoveQuota`
[
https://issues.apache.org/jira/browse/MESOS-7259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Rojas reassigned MESOS-7259:
--
Assignee: Alexander Rojas
> Remove deprecated ACLs `SetQuota` and `RemoveQuota`
> ---
>
> Key: MESOS-7259
> URL: https://issues.apache.org/jira/browse/MESOS-7259
> Project: Mesos
> Issue Type: Bug
>Reporter: Alexander Rojas
>Assignee: Alexander Rojas
>
> The ACLs {{SetQuota}} and {{RemoveQuota}} where marked for deprecation more
> than six months ago, where they were replaced for the more convenient
> {{UpdateQuota}} ACL. The deprecation cycle for these actions is finally due
> while at the same time removing will make easier to implement the
> hierarchical role feature in a generic way.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Created] (MESOS-7259) Remove deprecated ACLs `SetQuota` and `RemoveQuota`
Alexander Rojas created MESOS-7259:
--
Summary: Remove deprecated ACLs `SetQuota` and `RemoveQuota`
Key: MESOS-7259
URL: https://issues.apache.org/jira/browse/MESOS-7259
Project: Mesos
Issue Type: Bug
Reporter: Alexander Rojas
The ACLs {{SetQuota}} and {{RemoveQuota}} where marked for deprecation more
than six months ago, where they were replaced for the more convenient
{{UpdateQuota}} ACL. The deprecation cycle for these actions is finally due
while at the same time removing will make easier to implement the hierarchical
role feature in a generic way.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
