[jira] [Commented] (MESOS-9788) Configurable IPC namespace and shared memory in `namespaces/ipc` isolator

2019-07-19 Thread Gilbert Song (JIRA)


[ https://issues.apache.org/jira/browse/MESOS-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889201#comment-16889201 ]

Gilbert Song commented on MESOS-9788:
-------------------------------------

commit 02b6467f9e8035166f400e0112015ac56c9281b6
Author: Qian Zhang 
Date:   Fri Jul 19 15:06:08 2019 -0700

Added a test `ROOT_DebugContainerWithPrivateIPCMode`.

Review: https://reviews.apache.org/r/71122/

commit 5032ea381dd2d532d781ba1d2c9fd3a600e7883a
Author: Qian Zhang 
Date:   Fri Jul 19 15:06:06 2019 -0700

Added a test `ROOT_NonePrivateIPCModeWithShmSize`.

Review: https://reviews.apache.org/r/71121/

commit e58f4b97b5d13ccc18ad9b1632d7e6409bdd0c55
Author: Qian Zhang 
Date:   Fri Jul 19 15:06:03 2019 -0700

Added two validations in `namespaces/ipc` isolator.

1. Do not support specifying the size of /dev/shm when the IPC mode
   is not `PRIVATE`.
2. Do not support private IPC mode for debug containers.

Review: https://reviews.apache.org/r/71120/

> Configurable IPC namespace and shared memory in `namespaces/ipc` isolator
> -------------------------------------------------------------------------
>
> Key: MESOS-9788
> URL: https://issues.apache.org/jira/browse/MESOS-9788
> Project: Mesos
> Issue Type: Task
> Components: containerization
> Reporter: Qian Zhang
> Assignee: Qian Zhang
> Priority: Major
> Labels: containerization
> Fix For: 1.9.0
>
>
> See [design doc|https://docs.google.com/document/d/10t1jf97vrejUWEVSvxGtqw4vhzfPef41JMzb5jw7l1s/edit?usp=sharing] for the background of this improvement and how we are going to implement it.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)


[jira] [Created] (MESOS-9899) Using a symlink as the agent's work directory results in non-removal of persistent volume mounts.

2019-07-19 Thread Joseph Wu (JIRA)
Joseph Wu created MESOS-9899:


Summary: Using a symlink as the agent's work directory results in non-removal of persistent volume mounts.
Key: MESOS-9899
URL: https://issues.apache.org/jira/browse/MESOS-9899
Project: Mesos
Issue Type: Bug
Affects Versions: 1.8.0, 1.7.0, 1.6.0
Reporter: Joseph Wu


The directory layout of the agent's information places created persistent 
volumes under the agent's {{--work_dir}}:
{code}
//   root ('--work_dir' flag)
//   |-- volumes
//   |   |-- roles
//   |   |-- 
//   |   |--  (persistent volume)
{code}

When these persistent volumes are used, they will (on Linux) generally be 
mounted underneath the sandbox directory (also located under {{--work_dir}}).  
Upon termination of use, persistent volumes are unmounted by reading the mount 
table, and checking if any mount targets are under the sandbox:
{code}
  // Reverse unmount order to handle nested mount points.
  foreach (const fs::MountInfoTable::Entry& entry,
           adaptor::reverse(table->entries)) {
    // NOTE: All persistent volumes are mounted at targets under the
    // container's work directory. We unmount all the persistent
    // volumes before unmounting the sandbox/work directory mount.
    if (strings::startsWith(entry.target, sandbox)) {
      LOG(INFO) << "Unmounting volume '" << entry.target
                << "' for container " << containerId;
{code}

---

However, when an agent's work directory is placed under a symlink, the same 
code above might not find any persistent volumes to remove.  This is because 
the mount table shows the real location on disk, but the sandbox expects the 
symlinked location.

For example, suppose:
* The {{--work_dir}} is {{/var/run/mesos}}.
* {{/var/run/mesos}} is a symlink pointing to {{/tmp/link}}.

The agent will create sandboxes under paths like 
{{/var/run/mesos/slave/.../framework/.../...}}.  The mount table, however, will 
show mount targets like {{/tmp/link/slave/.../framework/.../...}}.  Since the 
mount table target does not start with the sandbox path, the 
{{filesystem/linux}} isolator will not find any persistent volumes to clean up.  
The agent's garbage collector will also fail here, because it tries to unmount 
any persistent volumes under the agent's work directory.
{code}
  foreach (const fs::MountInfoTable::Entry& entry,
           adaptor::reverse(mountTable->entries)) {
    // Ignore mounts whose targets are not under `workDir`.
    if (!strings::startsWith(
            path::join(entry.target, ""),
            path::join(_workDir, ""))) {
      continue;
    }
{code}



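Added illustration, not part of the original report and not Mesos code: a small C++ program that reproduces the prefix mismatch described in MESOS-9899 with a temporary symlinked directory, and shows that resolving the work directory with `realpath()` before the comparison makes the mount targets match again. The helper names (`isUnder`, `canonicalize`, `countUnder`, `demo`), the temporary directory layout and the mount targets are constructed for this example; canonicalization is shown as one possible approach, not as the fix the project adopted.

```cpp
// Added illustration; not Mesos code. All helper names are hypothetical.
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Prefix test with a trailing '/', like the path::join(x, "") comparison.
static bool isUnder(const std::string& target, const std::string& dir) {
  const std::string t = target + "/", d = dir + "/";
  return t.compare(0, d.size(), d) == 0;
}

// Resolve symlinks, giving the real location that the mount table reports.
static std::string canonicalize(const std::string& path) {
  char buf[PATH_MAX];
  return realpath(path.c_str(), buf) ? std::string(buf) : path;
}

// Count mount targets considered "under" workDir, with or without resolving.
static int countUnder(const std::vector<std::string>& targets,
                      const std::string& workDir, bool resolve) {
  const std::string dir = resolve ? canonicalize(workDir) : workDir;
  int n = 0;
  for (const std::string& t : targets) n += isUnder(t, dir) ? 1 : 0;
  return n;
}

// Builds <tmp>/link (real dir) and <tmp>/mesos -> <tmp>/link; returns matches.
static int demo(bool resolve) {
  char tmpl[] = "/tmp/symlink-demo-XXXXXX";
  if (mkdtemp(tmpl) == nullptr) return -1;
  const std::string base = canonicalize(tmpl);
  const std::string real = base + "/link", workDir = base + "/mesos";
  if (mkdir(real.c_str(), 0700) != 0) return -1;
  if (symlink(real.c_str(), workDir.c_str()) != 0) return -1;
  // Constructed mount targets: the mount table shows the real location.
  const std::vector<std::string> targets = {
      real + "/slaves/S1/volume", real + "-other/volume", "/proc"};
  const int n = countUnder(targets, workDir, resolve);
  unlink(workDir.c_str()); rmdir(real.c_str()); rmdir(base.c_str());
  return n;
}

int main() {
  std::printf("raw=%d resolved=%d\n", demo(false), demo(true));
}
```

The `real + "-other/volume"` target stays excluded in both modes because the comparison appends a path separator to both sides, so a sibling directory that merely shares the string prefix is never treated as being under the work directory.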