[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

2019-08-15 Thread gilbert
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 124e8e71a164066ad4a366b4274c12a8415589d2
Author: Qian Zhang 
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

Implemented `cleanup` method for `volume/secret` isolator.

Previously, after the `volume/secret` isolator resolved a secret and wrote
it into a path (i.e., <runtime_dir>/.secret/<UUID>) on the agent host for a
container, if the container failed to launch (e.g., it failed in
another isolator's `prepare` method), that path on the host was never
cleaned up. In this patch, the `volume/secret` isolator is changed to
write all the resolved secrets for a container into a single directory
(i.e., <runtime_dir>/.secret/<container ID>) on the agent host, and the
`cleanup` method of the `volume/secret` isolator is implemented to
remove that directory when the container is destroyed.

Review: https://reviews.apache.org/r/71201/
(cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c)
(cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987)
---
 .../mesos/isolators/volume/secret.cpp  | 38 --
 .../mesos/isolators/volume/secret.hpp  |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index d1bc7c5..6dc558b 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -31,6 +31,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 
@@ -119,6 +120,18 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 return None();
   }
 
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  Try mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+return Failure(
+"Failed to create container directory at '" +
+containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
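Review bot: The per-container secret directory created by `os::mkdir(containerDir)` in `prepare` gets no explicit mode, so its permissions depend on the helper's default and the agent's umask rather than on a decision made here. Since every resolved secret for the container is then written under it, I would restrict it right after creation, e.g. `Try<Nothing> chmod = os::chmod(containerDir, 0700);` with the same `Failure` handling (assuming stout's `os::chmod` is available on this branch), unless the parent `SECRET_DIR` is already restricted elsewhere, which is not visible in this hunk. A one-line comment such as `// Holds all resolved secrets for this container; removed in cleanup().` above the `path::join` would also help the next reader. `prepare` starts and continues outside the hunk; the identical hunk appears in the 1.7.x, 1.8.x and master copies of this commit further down the page.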
@@ -128,7 +141,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid 
conflicts
   // with user container_path.
-  Try mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
 return Failure("Failed to create sandbox secret root directory at '" +
sandboxSecretRootDir + "': " + mkdir.error());
@@ -236,7 +249,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 }
 
 const string hostSecretPath =
-  path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+  path::join(containerDir, stringify(id::UUID::random()));
 
 const string sandboxSecretPath =
   path::join(sandboxSecretRootDir,
@@ -299,6 +312,27 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 });
 }
 
+
+Future VolumeSecretIsolatorProcess::cleanup(
+const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  if (os::exists(containerDir)) {
+Try rmdir = os::rmdir(containerDir);
+if (rmdir.isError()) {
+  return Failure(
+  "Failed to remove the container directory '" +
+  containerDir + "': " + rmdir.error());
+}
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
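Review bot: `cleanup` rebuilds the directory path with its own `path::join(flags.runtime_dir, SECRET_DIR, stringify(containerId))`, a copy of the expression added to `prepare` earlier in this file, and nothing ties the two together; if one is changed later, secret files would be left on the agent host without any error. I would move the expression into one file-local helper used by both methods, and put a comment above the `os::exists` check saying why a missing directory is not an error, e.g. `// The directory may be absent, e.g. when prepare() returned before creating it.` The recursive removal is also only as safe as `stringify(containerId)` is as a path component; presumably container IDs are validated before they reach the isolator, but that is not visible here. The same hunk appears in the 1.7.x, 1.8.x and master copies of this commit below.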
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index 2680345..9b557ed 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
   const ContainerID& containerId,
   const mesos::slave::ContainerConfig& containerConfig);
 
+  process::Future cleanup(
+  const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
   const Flags& flags,



[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

2019-08-15 Thread gilbert
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 3046b42ff51c05b8eb896926b3e42fd2036bb5a9
Author: Qian Zhang 
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

Implemented `cleanup` method for `volume/secret` isolator.

Previously, after the `volume/secret` isolator resolved a secret and wrote
it into a path (i.e., <runtime_dir>/.secret/<UUID>) on the agent host for a
container, if the container failed to launch (e.g., it failed in
another isolator's `prepare` method), that path on the host was never
cleaned up. In this patch, the `volume/secret` isolator is changed to
write all the resolved secrets for a container into a single directory
(i.e., <runtime_dir>/.secret/<container ID>) on the agent host, and the
`cleanup` method of the `volume/secret` isolator is implemented to
remove that directory when the container is destroyed.

Review: https://reviews.apache.org/r/71201/
(cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c)
(cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987)
---
 .../mesos/isolators/volume/secret.cpp  | 38 --
 .../mesos/isolators/volume/secret.hpp  |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 7a9bb82..acd1d8f 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -31,6 +31,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 
@@ -119,6 +120,18 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 return None();
   }
 
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  Try mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+return Failure(
+"Failed to create container directory at '" +
+containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
@@ -128,7 +141,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid 
conflicts
   // with user container_path.
-  Try mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
 return Failure("Failed to create sandbox secret root directory at '" +
sandboxSecretRootDir + "': " + mkdir.error());
@@ -236,7 +249,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 }
 
 const string hostSecretPath =
-  path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+  path::join(containerDir, stringify(id::UUID::random()));
 
 const string sandboxSecretPath =
   path::join(sandboxSecretRootDir,
@@ -312,6 +325,27 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 });
 }
 
+
+Future VolumeSecretIsolatorProcess::cleanup(
+const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  if (os::exists(containerDir)) {
+Try rmdir = os::rmdir(containerDir);
+if (rmdir.isError()) {
+  return Failure(
+  "Failed to remove the container directory '" +
+  containerDir + "': " + rmdir.error());
+}
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index a166491..e3cf713 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
   const ContainerID& containerId,
   const mesos::slave::ContainerConfig& containerConfig) override;
 
+  process::Future cleanup(
+  const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
   const Flags& flags,



[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

2019-08-15 Thread gilbert
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch 1.8.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 304a28a95b8f89c0ed01828d1921c9f9acc93987
Author: Qian Zhang 
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

Implemented `cleanup` method for `volume/secret` isolator.

Previously, after the `volume/secret` isolator resolved a secret and wrote
it into a path (i.e., <runtime_dir>/.secret/<UUID>) on the agent host for a
container, if the container failed to launch (e.g., it failed in
another isolator's `prepare` method), that path on the host was never
cleaned up. In this patch, the `volume/secret` isolator is changed to
write all the resolved secrets for a container into a single directory
(i.e., <runtime_dir>/.secret/<container ID>) on the agent host, and the
`cleanup` method of the `volume/secret` isolator is implemented to
remove that directory when the container is destroyed.

Review: https://reviews.apache.org/r/71201/
(cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c)
---
 .../mesos/isolators/volume/secret.cpp  | 38 --
 .../mesos/isolators/volume/secret.hpp  |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 7a9bb82..acd1d8f 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -31,6 +31,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 
@@ -119,6 +120,18 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 return None();
   }
 
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  Try mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+return Failure(
+"Failed to create container directory at '" +
+containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
@@ -128,7 +141,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid 
conflicts
   // with user container_path.
-  Try mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
 return Failure("Failed to create sandbox secret root directory at '" +
sandboxSecretRootDir + "': " + mkdir.error());
@@ -236,7 +249,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 }
 
 const string hostSecretPath =
-  path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+  path::join(containerDir, stringify(id::UUID::random()));
 
 const string sandboxSecretPath =
   path::join(sandboxSecretRootDir,
@@ -312,6 +325,27 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 });
 }
 
+
+Future VolumeSecretIsolatorProcess::cleanup(
+const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  if (os::exists(containerDir)) {
+Try rmdir = os::rmdir(containerDir);
+if (rmdir.isError()) {
+  return Failure(
+  "Failed to remove the container directory '" +
+  containerDir + "': " + rmdir.error());
+}
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index a166491..e3cf713 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
   const ContainerID& containerId,
   const mesos::slave::ContainerConfig& containerConfig) override;
 
+  process::Future cleanup(
+  const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
   const Flags& flags,



[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.

2019-08-15 Thread gilbert
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 8498a9b262cd145fd4966f621b91353bb162b56c
Author: Qian Zhang 
AuthorDate: Thu Aug 15 11:49:22 2019 -0700

Implemented `cleanup` method for `volume/secret` isolator.

Previously, after the `volume/secret` isolator resolved a secret and wrote
it into a path (i.e., <runtime_dir>/.secret/<UUID>) on the agent host for a
container, if the container failed to launch (e.g., it failed in
another isolator's `prepare` method), that path on the host was never
cleaned up. In this patch, the `volume/secret` isolator is changed to
write all the resolved secrets for a container into a single directory
(i.e., <runtime_dir>/.secret/<container ID>) on the agent host, and the
`cleanup` method of the `volume/secret` isolator is implemented to
remove that directory when the container is destroyed.

Review: https://reviews.apache.org/r/71201/
---
 .../mesos/isolators/volume/secret.cpp  | 38 --
 .../mesos/isolators/volume/secret.hpp  |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
index 4bbcc7a..5131ecb 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp
@@ -33,6 +33,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 
@@ -128,6 +129,18 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 return None();
   }
 
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  Try mkdir = os::mkdir(containerDir);
+  if (mkdir.isError()) {
+return Failure(
+"Failed to create container directory at '" +
+containerDir + "': " + mkdir.error());
+  }
+
   ContainerLaunchInfo launchInfo;
   launchInfo.add_clone_namespaces(CLONE_NEWNS);
 
@@ -137,7 +150,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 
   // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid 
conflicts
   // with user container_path.
-  Try mkdir = os::mkdir(sandboxSecretRootDir);
+  mkdir = os::mkdir(sandboxSecretRootDir);
   if (mkdir.isError()) {
 return Failure("Failed to create sandbox secret root directory at '" +
sandboxSecretRootDir + "': " + mkdir.error());
@@ -238,7 +251,7 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 }
 
 const string hostSecretPath =
-  path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random()));
+  path::join(containerDir, stringify(id::UUID::random()));
 
 const string sandboxSecretPath =
   path::join(sandboxSecretRootDir,
@@ -290,6 +303,27 @@ Future> 
VolumeSecretIsolatorProcess::prepare(
 });
 }
 
+
+Future VolumeSecretIsolatorProcess::cleanup(
+const ContainerID& containerId)
+{
+  const string containerDir = path::join(
+  flags.runtime_dir,
+  SECRET_DIR,
+  stringify(containerId));
+
+  if (os::exists(containerDir)) {
+Try rmdir = os::rmdir(containerDir);
+if (rmdir.isError()) {
+  return Failure(
+  "Failed to remove the container directory '" +
+  containerDir + "': " + rmdir.error());
+}
+  }
+
+  return Nothing();
+}
+
 } // namespace slave {
 } // namespace internal {
 } // namespace mesos {
diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
index a166491..e3cf713 100644
--- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp
@@ -51,6 +51,9 @@ public:
   const ContainerID& containerId,
   const mesos::slave::ContainerConfig& containerConfig) override;
 
+  process::Future cleanup(
+  const ContainerID& containerId) override;
+
 private:
   VolumeSecretIsolatorProcess(
   const Flags& flags,