Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-16 Thread James Peach 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/
---

(Updated Nov. 17, 2018, 12:49 a.m.)


Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.


Bugs: MESOS-9319
https://issues.apache.org/jira/browse/MESOS-9319


Repository: mesos


Description
---

Previously, if the container was configured with a root filesytem,
the root was populated by a combination of the `fs::chroot:prepare`
API and the various isolators. The implementation details of some
isolators had leaked into the chroot code, which had a special case
for adding GPU devices.

This change moves all the responsibility for defining the
root filesystem from the `fs::chroot::prepare()` API to the
`filesystem/linux` isolator. The `filesystem/linux` isolator is
now the single place that captures how to mount the container
pseudo-filesystems as well as how to construct a proper `/dev`
directory.

Since the `linux/filesystem` isolator is now entirely responsible
for creating and mounting the container `/dev`, any other isolators
that enable access to devices should populate device nodes in the
container devices directory and add a corresponding bind mount.


Diffs (updated)
-

  src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
  src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
c7d753ac2e5575a8d687600bfb9e0617fa72c990 
  src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
4645c625877d9451516133b24bd3959e0f49c0a9 
  src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
56d835779618fd965d928c6926664583e9141f79 
  src/slave/containerizer/mesos/isolators/linux/devices.cpp 
8f8ff95ec3856ba06647637a80315365d0e66e23 
  src/slave/containerizer/mesos/launch.cpp 
882bcdf89e2b0cca3d3f62e6d017849a51ceaead 


Diff: https://reviews.apache.org/r/69086/diff/11/

Changes: https://reviews.apache.org/r/69086/diff/10-11/


Testing
---

sudo make check (Fedora 28)


Thanks,

James Peach

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-09 Thread James Peach 


> On Nov. 5, 2018, 5:14 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
> > Lines 623-631 (patched)
> > 
> >
> > I don't think this is needed. `prepareMount` in launch.cpp will actual 
> > do this implicitly. Bindly doing rslave will cause shared mount propagation 
> > feature to not work (needed by CSI integration)

`chroot::prepare()` currently does this, which is why I kept it here. Maybe it 
is now OK to drop this since `prepareMounts()` does it better?


- James


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210318
---


On Nov. 9, 2018, 12:53 a.m., James Peach wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> ---
> 
> (Updated Nov. 9, 2018, 12:53 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
> https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Previously, if the container was configured with a root filesytem,
> the root was populated by a combination of the `fs::chroot:prepare`
> API and the various isolators. The implementation details of some
> isolators had leaked into the chroot code, which had a special case
> for adding GPU devices.
> 
> This change moves all the responsibility for defining the
> root filesystem from the `fs::chroot::prepare()` API to the
> `filesystem/linux` isolator. The `filesystem/linux` isolator is
> now the single place that captures how to mount the container
> pseudo-filesystems as well as how to construct a proper `/dev`
> directory.
> 
> Since the `linux/filesystem` isolator is now entirely responsible
> for creating and mounting the container `/dev`, any other isolators
> that enable access to devices should populate device nodes in the
> container devices directory and add a corresponding bind mount.
> 
> 
> Diffs
> -
> 
>   src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
>   src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
> c7d753ac2e5575a8d687600bfb9e0617fa72c990 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
> 4645c625877d9451516133b24bd3959e0f49c0a9 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
> 56d835779618fd965d928c6926664583e9141f79 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 
> 8f8ff95ec3856ba06647637a80315365d0e66e23 
>   src/slave/containerizer/mesos/launch.cpp 
> 882bcdf89e2b0cca3d3f62e6d017849a51ceaead 
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/10/
> 
> 
> Testing
> ---
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-08 Thread James Peach 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/
---

(Updated Nov. 9, 2018, 12:53 a.m.)


Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.


Bugs: MESOS-9319
https://issues.apache.org/jira/browse/MESOS-9319


Repository: mesos


Description
---

Previously, if the container was configured with a root filesytem,
the root was populated by a combination of the `fs::chroot:prepare`
API and the various isolators. The implementation details of some
isolators had leaked into the chroot code, which had a special case
for adding GPU devices.

This change moves all the responsibility for defining the
root filesystem from the `fs::chroot::prepare()` API to the
`filesystem/linux` isolator. The `filesystem/linux` isolator is
now the single place that captures how to mount the container
pseudo-filesystems as well as how to construct a proper `/dev`
directory.

Since the `linux/filesystem` isolator is now entirely responsible
for creating and mounting the container `/dev`, any other isolators
that enable access to devices should populate device nodes in the
container devices directory and add a corresponding bind mount.


Diffs (updated)
-

  src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
  src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
c7d753ac2e5575a8d687600bfb9e0617fa72c990 
  src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
4645c625877d9451516133b24bd3959e0f49c0a9 
  src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
56d835779618fd965d928c6926664583e9141f79 
  src/slave/containerizer/mesos/isolators/linux/devices.cpp 
8f8ff95ec3856ba06647637a80315365d0e66e23 
  src/slave/containerizer/mesos/launch.cpp 
882bcdf89e2b0cca3d3f62e6d017849a51ceaead 


Diff: https://reviews.apache.org/r/69086/diff/9/

Changes: https://reviews.apache.org/r/69086/diff/8-9/


Testing
---

sudo make check (Fedora 28)


Thanks,

James Peach

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-08 Thread James Peach 


> On Nov. 3, 2018, 6:49 p.m., James Peach wrote:
> > src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
> > Lines 146 (patched)
> > 
> >
> > This mount fails with user namespaces:
> > ```
> > Failed to prepare mounts: Failed to mount 
> > '{"flags":15,"source":"sysfs","target":"/srv/mesos/work/provisioner/containers/ac807664-4109-409e-8cfb-a4285009598b/backends/overlay/rootfses/2b851cdf-08e2-456f-99bd-f5ff5011c678/sys","type":"sysfs"}':
> >  Operation not permitted
> > ```
> > 
> > I was carrying an out of tree hack for that.

I'll continue to carry an out of tree hack for this.


- James


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210313
---


On Oct. 30, 2018, 9:03 p.m., James Peach wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> ---
> 
> (Updated Oct. 30, 2018, 9:03 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
> https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Previously, if the container was configured with a root filesytem,
> the root was populated by a combination of the `fs::chroot:prepare`
> API and the various isolators. The implementation details of some
> isolators had leaked into the chroot code, which had a special case
> for adding GPU devices.
> 
> This change moves all the responsibility for defining the
> root filesystem from the `fs::chroot::prepare()` API to the
> `filesystem/linux` isolator. The `filesystem/linux` isolator is
> now the single place that captures how to mount the container
> pseudo-filesystems as well as how to construct a proper `/dev`
> directory.
> 
> Since the `linux/filesystem` isolator is now entirely responsible
> for creating and mounting the container `/dev`, any other isolators
> that enable access to devices should populate device nodes in the
> container devices directory and add a corresponding bind mount.
> 
> 
> Diffs
> -
> 
>   src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
>   src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
> c7d753ac2e5575a8d687600bfb9e0617fa72c990 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
> 4645c625877d9451516133b24bd3959e0f49c0a9 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
> 56d835779618fd965d928c6926664583e9141f79 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 
> 8f8ff95ec3856ba06647637a80315365d0e66e23 
>   src/slave/containerizer/mesos/launch.cpp 
> 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/8/
> 
> 
> Testing
> ---
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-05 Thread James Peach 


> On Nov. 5, 2018, 5:14 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
> > Lines 73-80 (patched)
> > 
> >
> > I would prefer simply use `ContainerMountInfo`, instead of introducing 
> > another struct.

Yeh, but you can't do aggregate initialization for protobugs, which means that 
we can't enumerate a table of mounts for the chroot. I'm open to suggestions 
here :)


- James


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210318
---


On Oct. 30, 2018, 9:03 p.m., James Peach wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> ---
> 
> (Updated Oct. 30, 2018, 9:03 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
> https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Previously, if the container was configured with a root filesytem,
> the root was populated by a combination of the `fs::chroot:prepare`
> API and the various isolators. The implementation details of some
> isolators had leaked into the chroot code, which had a special case
> for adding GPU devices.
> 
> This change moves all the responsibility for defining the
> root filesystem from the `fs::chroot::prepare()` API to the
> `filesystem/linux` isolator. The `filesystem/linux` isolator is
> now the single place that captures how to mount the container
> pseudo-filesystems as well as how to construct a proper `/dev`
> directory.
> 
> Since the `linux/filesystem` isolator is now entirely responsible
> for creating and mounting the container `/dev`, any other isolators
> that enable access to devices can simply populate device nodes in
> the container devices directory. After this change, the container
> `/dev` is mounted read-only so that this cannot be used to escape
> any disk quota.
> 
> 
> Diffs
> -
> 
>   src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
>   src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
> c7d753ac2e5575a8d687600bfb9e0617fa72c990 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
> 4645c625877d9451516133b24bd3959e0f49c0a9 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
> 56d835779618fd965d928c6926664583e9141f79 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 
> 8f8ff95ec3856ba06647637a80315365d0e66e23 
>   src/slave/containerizer/mesos/launch.cpp 
> 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/6/
> 
> 
> Testing
> ---
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-04 Thread Jie Yu 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210318
---




src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 73-80 (patched)


I would prefer simply use `ContainerMountInfo`, instead of introducing 
another struct.



src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 179 (patched)


You don't need this function if you use `ContainerMountInfo` directly



src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 181 (patched)


Please fix indentation (2 spaces)



src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 623-631 (patched)


I don't think this is needed. `prepareMount` in launch.cpp will actual do 
this implicitly. Bindly doing rslave will cause shared mount propagation 
feature to not work (needed by CSI integration)



src/slave/containerizer/mesos/launch.cpp
Line 466 (original), 471 (patched)


Do we still need this function? Looks like this is just a verification now. 
Can you simply move the logic to the main `execute()` method?


- Jie Yu


On Oct. 30, 2018, 9:03 p.m., James Peach wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> ---
> 
> (Updated Oct. 30, 2018, 9:03 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
> https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Previously, if the container was configured with a root filesytem,
> the root was populated by a combination of the `fs::chroot:prepare`
> API and the various isolators. The implementation details of some
> isolators had leaked into the chroot code, which had a special case
> for adding GPU devices.
> 
> This change moves all the responsibility for defining the
> root filesystem from the `fs::chroot::prepare()` API to the
> `filesystem/linux` isolator. The `filesystem/linux` isolator is
> now the single place that captures how to mount the container
> pseudo-filesystems as well as how to construct a proper `/dev`
> directory.
> 
> Since the `linux/filesystem` isolator is now entirely responsible
> for creating and mounting the container `/dev`, any other isolators
> that enable access to devices can simply populate device nodes in
> the container devices directory. After this change, the container
> `/dev` is mounted read-only so that this cannot be used to escape
> any disk quota.
> 
> 
> Diffs
> -
> 
>   src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
>   src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
> c7d753ac2e5575a8d687600bfb9e0617fa72c990 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
> 4645c625877d9451516133b24bd3959e0f49c0a9 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
> 56d835779618fd965d928c6926664583e9141f79 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 
> 8f8ff95ec3856ba06647637a80315365d0e66e23 
>   src/slave/containerizer/mesos/launch.cpp 
> 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/6/
> 
> 
> Testing
> ---
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 69086: Moved container root construction to the isolators.

2018-11-03 Thread James Peach 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/#review210313
---




src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
Lines 146 (patched)


This mount fails with user namespaces:
```
Failed to prepare mounts: Failed to mount 
'{"flags":15,"source":"sysfs","target":"/srv/mesos/work/provisioner/containers/ac807664-4109-409e-8cfb-a4285009598b/backends/overlay/rootfses/2b851cdf-08e2-456f-99bd-f5ff5011c678/sys","type":"sysfs"}':
 Operation not permitted
```

I was carrying an out of tree hack for that.


- James Peach


On Oct. 30, 2018, 9:03 p.m., James Peach wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69086/
> ---
> 
> (Updated Oct. 30, 2018, 9:03 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9319
> https://issues.apache.org/jira/browse/MESOS-9319
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Previously, if the container was configured with a root filesytem,
> the root was populated by a combination of the `fs::chroot:prepare`
> API and the various isolators. The implementation details of some
> isolators had leaked into the chroot code, which had a special case
> for adding GPU devices.
> 
> This change moves all the responsibility for defining the
> root filesystem from the `fs::chroot::prepare()` API to the
> `filesystem/linux` isolator. The `filesystem/linux` isolator is
> now the single place that captures how to mount the container
> pseudo-filesystems as well as how to construct a proper `/dev`
> directory.
> 
> Since the `linux/filesystem` isolator is now entirely responsible
> for creating and mounting the container `/dev`, any other isolators
> that enable access to devices can simply populate device nodes in
> the container devices directory. After this change, the container
> `/dev` is mounted read-only so that this cannot be used to escape
> any disk quota.
> 
> 
> Diffs
> -
> 
>   src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
>   src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
>   src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
> c7d753ac2e5575a8d687600bfb9e0617fa72c990 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
> 4645c625877d9451516133b24bd3959e0f49c0a9 
>   src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
> 56d835779618fd965d928c6926664583e9141f79 
>   src/slave/containerizer/mesos/isolators/linux/devices.cpp 
> 8f8ff95ec3856ba06647637a80315365d0e66e23 
>   src/slave/containerizer/mesos/launch.cpp 
> 7193da0a094df3e441e185c62b3a0379a0bdc4a2 
> 
> 
> Diff: https://reviews.apache.org/r/69086/diff/6/
> 
> 
> Testing
> ---
> 
> sudo make check (Fedora 28)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 69086: Moved container root construction to the isolators.

2018-10-30 Thread James Peach 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/
---

(Updated Oct. 30, 2018, 9:03 p.m.)


Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.


Bugs: MESOS-9319
https://issues.apache.org/jira/browse/MESOS-9319


Repository: mesos


Description
---

Previously, if the container was configured with a root filesytem,
the root was populated by a combination of the `fs::chroot:prepare`
API and the various isolators. The implementation details of some
isolators had leaked into the chroot code, which had a special case
for adding GPU devices.

This change moves all the responsibility for defining the
root filesystem from the `fs::chroot::prepare()` API to the
`filesystem/linux` isolator. The `filesystem/linux` isolator is
now the single place that captures how to mount the container
pseudo-filesystems as well as how to construct a proper `/dev`
directory.

Since the `linux/filesystem` isolator is now entirely responsible
for creating and mounting the container `/dev`, any other isolators
that enable access to devices can simply populate device nodes in
the container devices directory. After this change, the container
`/dev` is mounted read-only so that this cannot be used to escape
any disk quota.


Diffs (updated)
-

  src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
  src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
c7d753ac2e5575a8d687600bfb9e0617fa72c990 
  src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
4645c625877d9451516133b24bd3959e0f49c0a9 
  src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
56d835779618fd965d928c6926664583e9141f79 
  src/slave/containerizer/mesos/isolators/linux/devices.cpp 
8f8ff95ec3856ba06647637a80315365d0e66e23 
  src/slave/containerizer/mesos/launch.cpp 
7193da0a094df3e441e185c62b3a0379a0bdc4a2 


Diff: https://reviews.apache.org/r/69086/diff/5/

Changes: https://reviews.apache.org/r/69086/diff/4-5/


Testing
---

sudo make check (Fedora 28)


Thanks,

James Peach

Re: Review Request 69086: Moved container root construction to the isolators.

2018-10-29 Thread James Peach 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69086/
---

(Updated Oct. 29, 2018, 11:59 p.m.)


Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu.


Summary (updated)
-

Moved container root construction to the isolators.


Bugs: MESOS-9319
https://issues.apache.org/jira/browse/MESOS-9319


Repository: mesos


Description (updated)
---

Previously, if the container was configured with a root filesytem,
the root was populated by a combination of the `fs::chroot:prepare`
API and the various isolators. The implementation details of some
isolators had leaked into the chroot code, which had a special case
for adding GPU devices.

This change moves all the responsibility for defining the
root filesystem from the `fs::chroot::prepare()` API to the
`filesystem/linux` isolator. The `filesystem/linux` isolator is
now the single place that captures how to mount the container
pseudo-filesystems as well as how to construct a proper `/dev`
directory.

Since the `linux/filesystem` isolator is now entirely responsible
for creating and mounting the container `/dev`, any other isolators
that enable access to devices can simply populate device nodes in
the container devices directory. After this change, the container
`/dev` is mounted read-only so that this cannot be used to escape
any disk quota.


Diffs (updated)
-

  src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 
  src/linux/fs.cpp 3a58bf9a44c4e1d454f3d754952705b1fd0a0b1d 
  src/slave/containerizer/mesos/isolators/filesystem/linux.cpp 
c7d753ac2e5575a8d687600bfb9e0617fa72c990 
  src/slave/containerizer/mesos/isolators/gpu/isolator.hpp 
4645c625877d9451516133b24bd3959e0f49c0a9 
  src/slave/containerizer/mesos/isolators/gpu/isolator.cpp 
56d835779618fd965d928c6926664583e9141f79 
  src/slave/containerizer/mesos/isolators/linux/devices.cpp 
8f8ff95ec3856ba06647637a80315365d0e66e23 
  src/slave/containerizer/mesos/launch.cpp 
7193da0a094df3e441e185c62b3a0379a0bdc4a2 


Diff: https://reviews.apache.org/r/69086/diff/4/

Changes: https://reviews.apache.org/r/69086/diff/3-4/


Testing
---

sudo make check (Fedora 28)


Thanks,

James Peach