Repository: mesos
Updated Branches:
  refs/heads/master 52214ead9 -> 1793f8f2a

Filesystem isolation check for Mesos image provisioner.

Checked if the 'filesystem/linux' isolator is enabled and the 'linux' launcher is used when launching a mesos containerizer with an image under Linux. This prevents the executor from messing up with the host filesystem. The check is in `MesosContainerizerProcess::prepare()` after provisioning and before launching, since provisioning itself does not depend on the filesystem isolator.

Also checked that the 'filesystem/linux' is enabled and the 'linux' launcher is used when enabling the 'docker/runtime' isolator.

Review: https://reviews.apache.org/r/58939/

Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/1793f8f2
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/1793f8f2
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/1793f8f2

Branch: refs/heads/master
Commit: 1793f8f2a6e98757dba06d9d70d7bd3c03830cf0
Parents: 52214ea
Author: Chun-Hung Hsiao <chhs...@mesosphere.io>
Authored: Wed Aug 2 12:29:44 2017 -0700
Committer: Gilbert Song <songzihao1...@gmail.com>
Committed: Wed Aug 2 16:36:56 2017 -0700

----------------------------------------------------------------------
 src/slave/containerizer/mesos/containerizer.cpp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/mesos/blob/1793f8f2/src/slave/containerizer/mesos/containerizer.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp index 6f100b5..ff192bb 100644 --- a/src/slave/containerizer/mesos/containerizer.cpp +++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -227,6 +227,22 @@ Try<MesosContainerizer*> MesosContainerizer::create( flags_.isolation += ",environment_secret"; } +#ifdef __linux__ + if (flags_.image_providers.isSome()) { + // The 'filesystem/linux' isolator and 'linux' launcher are required + // for the mesos containerizer to support container images. + if (!strings::contains(flags_.isolation, "filesystem/linux")) { + return Error("The 'filesystem/linux' isolator must be enabled for" + " container image support."); + } + + if (flags_.launcher != "linux") { + return Error("The 'linux' launcher must be used for container" + " image support."); + } + } +#endif // __linux__ + LOG(INFO) << "Using isolation: " << flags_.isolation; // Create the launcher for the MesosContainerizer.
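
Review bot: The `strings::contains(flags_.isolation, "filesystem/linux")` test in the added `#ifdef __linux__` block is a substring match on the raw comma-separated flag, so any isolator name that merely contains that text would satisfy it. Splitting `flags_.isolation` on ',' and comparing whole tokens would make the check exact. The commit description also places the check in `MesosContainerizerProcess::prepare()` and mentions a 'docker/runtime' case, while the 16 added lines sit in `MesosContainerizer::create()` and key only on `flags_.image_providers.isSome()`. Either the description or the code should be updated so the two agree.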