[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.
This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.6.x in repository https://gitbox.apache.org/repos/asf/mesos.git commit 124e8e71a164066ad4a366b4274c12a8415589d2 Author: Qian Zhang AuthorDate: Thu Aug 15 11:49:22 2019 -0700 Implemented `cleanup` method for `volume/secret` isolator. Previously, after `volume/secret` isolator resolves a secret and write it into a path (i.e., /.secret/) on agent host for a container, if the container fails to launch somehow (e.g., fails in another isolator's `prepare` method), that path on the host will never be cleaned up. In this patch, `volume/secret` isolator is improved to write all the resolved secrets for a container into a single directory (i.e., /.secret/) on agent host, and the `cleanup` method of the `volume/secret` isolator is implemented to remove that directory when the container is destroyed. Review: https://reviews.apache.org/r/71201/ (cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c) (cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987) --- .../mesos/isolators/volume/secret.cpp | 38 -- .../mesos/isolators/volume/secret.hpp | 3 ++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp index d1bc7c5..6dc558b 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp @@ -31,6 +31,7 @@ #include #include +#include #include #include 
@@ -119,6 +120,18 @@ Future> VolumeSecretIsolatorProcess::prepare( return None(); } + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + Try mkdir = os::mkdir(containerDir); + if (mkdir.isError()) { +return Failure( +"Failed to create container directory at '" + +containerDir + "': " + mkdir.error()); + } + ContainerLaunchInfo launchInfo; launchInfo.add_clone_namespaces(CLONE_NEWNS); @@ -128,7 +141,7 @@ Future> VolumeSecretIsolatorProcess::prepare( // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts // with user container_path. - Try mkdir = os::mkdir(sandboxSecretRootDir); + mkdir = os::mkdir(sandboxSecretRootDir); if (mkdir.isError()) { return Failure("Failed to create sandbox secret root directory at '" + sandboxSecretRootDir + "': " + mkdir.error()); @@ -236,7 +249,7 @@ Future> VolumeSecretIsolatorProcess::prepare( } const string hostSecretPath = - path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random())); + path::join(containerDir, stringify(id::UUID::random())); const string sandboxSecretPath = path::join(sandboxSecretRootDir, @@ -299,6 +312,27 @@ Future> VolumeSecretIsolatorProcess::prepare( }); } + +Future VolumeSecretIsolatorProcess::cleanup( +const ContainerID& containerId) +{ + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + if (os::exists(containerDir)) { +Try rmdir = os::rmdir(containerDir); +if (rmdir.isError()) { + return Failure( + "Failed to remove the container directory '" + + containerDir + "': " + rmdir.error()); +} + } + + return Nothing(); +} + } // namespace slave { } // namespace internal { } // namespace mesos { diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp index 2680345..9b557ed 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
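Review bot: The new per-container directory that will hold resolved secret material on the host is created with `os::mkdir(containerDir)` and no explicit mode, so its permissions come from the helper's default and the agent's umask rather than from the sensitivity of its contents; if that default is group/world-readable (stout's `os::mkdir` takes no mode argument as far as I recall — verify), any local user on the agent host can at least enumerate the secret files, and may be able to read them depending on how the file itself is written further down in `prepare()`. Following the `mkdir` with an explicit tightening, e.g. `Try<Nothing> chmod = os::chmod(containerDir, 0700); if (chmod.isError()) { return Failure("Failed to restrict '" + containerDir + "': " + chmod.error()); }`, would make the host-side exposure independent of umask. The exposure itself predates this patch (the UUID-named files previously sat directly under `SECRET_DIR`), but this is the hunk that defines the new host layout. The body of `prepare()` continues outside this hunk.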
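Review bot: `cleanup()` removes only the directory of the container it is invoked for, so two kinds of leftover secret material on the host are still never reclaimed: files written by agents before this change, which sit directly under `SECRET_DIR` as bare UUIDs rather than inside a per-container subdirectory, and per-container directories whose container disappeared across an agent restart before `cleanup()` could run. Consider having `recover()` (not part of this diff) list `SECRET_DIR` and remove every entry that is not the directory of a recovered container, as other isolators do for orphans. Separately, the `os::exists()` check followed by `os::rmdir()` is a small race — if the directory vanishes in between, the call fails and the container's cleanup reports a Failure for a state that is actually the desired one; calling `os::rmdir()` unconditionally and only failing when the directory still exists afterwards, `if (rmdir.isError() && os::exists(containerDir)) { return Failure(...); }`, avoids that. It is also worth confirming that `os::rmdir` does not follow symlinks inside the tree, since a link planted under the secret directory would redirect the recursive delete.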
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp @@ -51,6 +51,9 @@ public: const ContainerID& containerId, const mesos::slave::ContainerConfig& containerConfig); + process::Future cleanup( + const ContainerID& containerId) override; + private: VolumeSecretIsolatorProcess( const Flags& flags,
[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.
This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.7.x in repository https://gitbox.apache.org/repos/asf/mesos.git commit 3046b42ff51c05b8eb896926b3e42fd2036bb5a9 Author: Qian Zhang AuthorDate: Thu Aug 15 11:49:22 2019 -0700 Implemented `cleanup` method for `volume/secret` isolator. Previously, after `volume/secret` isolator resolves a secret and write it into a path (i.e., /.secret/) on agent host for a container, if the container fails to launch somehow (e.g., fails in another isolator's `prepare` method), that path on the host will never be cleaned up. In this patch, `volume/secret` isolator is improved to write all the resolved secrets for a container into a single directory (i.e., /.secret/) on agent host, and the `cleanup` method of the `volume/secret` isolator is implemented to remove that directory when the container is destroyed. Review: https://reviews.apache.org/r/71201/ (cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c) (cherry picked from commit 304a28a95b8f89c0ed01828d1921c9f9acc93987) --- .../mesos/isolators/volume/secret.cpp | 38 -- .../mesos/isolators/volume/secret.hpp | 3 ++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp index 7a9bb82..acd1d8f 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp @@ -31,6 +31,7 @@ #include #include +#include #include #include 
@@ -119,6 +120,18 @@ Future> VolumeSecretIsolatorProcess::prepare( return None(); } + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + Try mkdir = os::mkdir(containerDir); + if (mkdir.isError()) { +return Failure( +"Failed to create container directory at '" + +containerDir + "': " + mkdir.error()); + } + ContainerLaunchInfo launchInfo; launchInfo.add_clone_namespaces(CLONE_NEWNS); @@ -128,7 +141,7 @@ Future> VolumeSecretIsolatorProcess::prepare( // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts // with user container_path. - Try mkdir = os::mkdir(sandboxSecretRootDir); + mkdir = os::mkdir(sandboxSecretRootDir); if (mkdir.isError()) { return Failure("Failed to create sandbox secret root directory at '" + sandboxSecretRootDir + "': " + mkdir.error()); @@ -236,7 +249,7 @@ Future> VolumeSecretIsolatorProcess::prepare( } const string hostSecretPath = - path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random())); + path::join(containerDir, stringify(id::UUID::random())); const string sandboxSecretPath = path::join(sandboxSecretRootDir, @@ -312,6 +325,27 @@ Future> VolumeSecretIsolatorProcess::prepare( }); } + +Future VolumeSecretIsolatorProcess::cleanup( +const ContainerID& containerId) +{ + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + if (os::exists(containerDir)) { +Try rmdir = os::rmdir(containerDir); +if (rmdir.isError()) { + return Failure( + "Failed to remove the container directory '" + + containerDir + "': " + rmdir.error()); +} + } + + return Nothing(); +} + } // namespace slave { } // namespace internal { } // namespace mesos { diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp index a166491..e3cf713 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp 
+++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp @@ -51,6 +51,9 @@ public: const ContainerID& containerId, const mesos::slave::ContainerConfig& containerConfig) override; + process::Future cleanup( + const ContainerID& containerId) override; + private: VolumeSecretIsolatorProcess( const Flags& flags,
[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.
This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.8.x in repository https://gitbox.apache.org/repos/asf/mesos.git commit 304a28a95b8f89c0ed01828d1921c9f9acc93987 Author: Qian Zhang AuthorDate: Thu Aug 15 11:49:22 2019 -0700 Implemented `cleanup` method for `volume/secret` isolator. Previously, after `volume/secret` isolator resolves a secret and write it into a path (i.e., /.secret/) on agent host for a container, if the container fails to launch somehow (e.g., fails in another isolator's `prepare` method), that path on the host will never be cleaned up. In this patch, `volume/secret` isolator is improved to write all the resolved secrets for a container into a single directory (i.e., /.secret/) on agent host, and the `cleanup` method of the `volume/secret` isolator is implemented to remove that directory when the container is destroyed. Review: https://reviews.apache.org/r/71201/ (cherry picked from commit 8498a9b262cd145fd4966f621b91353bb162b56c) --- .../mesos/isolators/volume/secret.cpp | 38 -- .../mesos/isolators/volume/secret.hpp | 3 ++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp index 7a9bb82..acd1d8f 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp @@ -31,6 +31,7 @@ #include #include +#include #include #include @@ -119,6 +120,18 @@ Future> VolumeSecretIsolatorProcess::prepare( return None(); } + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + Try mkdir = os::mkdir(containerDir); + if (mkdir.isError()) { +return Failure( +"Failed to create container directory at '" + +containerDir + "': " + mkdir.error()); + } + ContainerLaunchInfo launchInfo; launchInfo.add_clone_namespaces(CLONE_NEWNS); 
@@ -128,7 +141,7 @@ Future> VolumeSecretIsolatorProcess::prepare( // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts // with user container_path. - Try mkdir = os::mkdir(sandboxSecretRootDir); + mkdir = os::mkdir(sandboxSecretRootDir); if (mkdir.isError()) { return Failure("Failed to create sandbox secret root directory at '" + sandboxSecretRootDir + "': " + mkdir.error()); @@ -236,7 +249,7 @@ Future> VolumeSecretIsolatorProcess::prepare( } const string hostSecretPath = - path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random())); + path::join(containerDir, stringify(id::UUID::random())); const string sandboxSecretPath = path::join(sandboxSecretRootDir, @@ -312,6 +325,27 @@ Future> VolumeSecretIsolatorProcess::prepare( }); } + +Future VolumeSecretIsolatorProcess::cleanup( +const ContainerID& containerId) +{ + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + if (os::exists(containerDir)) { +Try rmdir = os::rmdir(containerDir); +if (rmdir.isError()) { + return Failure( + "Failed to remove the container directory '" + + containerDir + "': " + rmdir.error()); +} + } + + return Nothing(); +} + } // namespace slave { } // namespace internal { } // namespace mesos { diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp index a166491..e3cf713 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp @@ -51,6 +51,9 @@ public: const ContainerID& containerId, const mesos::slave::ContainerConfig& containerConfig) override; + process::Future cleanup( + const ContainerID& containerId) override; + private: VolumeSecretIsolatorProcess( const Flags& flags,
[mesos] 01/03: Implemented `cleanup` method for `volume/secret` isolator.
This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git commit 8498a9b262cd145fd4966f621b91353bb162b56c Author: Qian Zhang AuthorDate: Thu Aug 15 11:49:22 2019 -0700 Implemented `cleanup` method for `volume/secret` isolator. Previously, after `volume/secret` isolator resolves a secret and write it into a path (i.e., /.secret/) on agent host for a container, if the container fails to launch somehow (e.g., fails in another isolator's `prepare` method), that path on the host will never be cleaned up. In this patch, `volume/secret` isolator is improved to write all the resolved secrets for a container into a single directory (i.e., /.secret/) on agent host, and the `cleanup` method of the `volume/secret` isolator is implemented to remove that directory when the container is destroyed. Review: https://reviews.apache.org/r/71201/ --- .../mesos/isolators/volume/secret.cpp | 38 -- .../mesos/isolators/volume/secret.hpp | 3 ++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.cpp b/src/slave/containerizer/mesos/isolators/volume/secret.cpp index 4bbcc7a..5131ecb 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.cpp @@ -33,6 +33,7 @@ #include #include +#include #include #include @@ -128,6 +129,18 @@ Future> VolumeSecretIsolatorProcess::prepare( return None(); } + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + Try mkdir = os::mkdir(containerDir); + if (mkdir.isError()) { +return Failure( +"Failed to create container directory at '" + +containerDir + "': " + mkdir.error()); + } + ContainerLaunchInfo launchInfo; launchInfo.add_clone_namespaces(CLONE_NEWNS); 
@@ -137,7 +150,7 @@ Future> VolumeSecretIsolatorProcess::prepare( // TODO(Kapil): Add some UUID suffix to the secret-root dir to avoid conflicts // with user container_path. - Try mkdir = os::mkdir(sandboxSecretRootDir); + mkdir = os::mkdir(sandboxSecretRootDir); if (mkdir.isError()) { return Failure("Failed to create sandbox secret root directory at '" + sandboxSecretRootDir + "': " + mkdir.error()); @@ -238,7 +251,7 @@ Future> VolumeSecretIsolatorProcess::prepare( } const string hostSecretPath = - path::join(flags.runtime_dir, SECRET_DIR, stringify(id::UUID::random())); + path::join(containerDir, stringify(id::UUID::random())); const string sandboxSecretPath = path::join(sandboxSecretRootDir, @@ -290,6 +303,27 @@ Future> VolumeSecretIsolatorProcess::prepare( }); } + +Future VolumeSecretIsolatorProcess::cleanup( +const ContainerID& containerId) +{ + const string containerDir = path::join( + flags.runtime_dir, + SECRET_DIR, + stringify(containerId)); + + if (os::exists(containerDir)) { +Try rmdir = os::rmdir(containerDir); +if (rmdir.isError()) { + return Failure( + "Failed to remove the container directory '" + + containerDir + "': " + rmdir.error()); +} + } + + return Nothing(); +} + } // namespace slave { } // namespace internal { } // namespace mesos { diff --git a/src/slave/containerizer/mesos/isolators/volume/secret.hpp b/src/slave/containerizer/mesos/isolators/volume/secret.hpp index a166491..e3cf713 100644 --- a/src/slave/containerizer/mesos/isolators/volume/secret.hpp +++ b/src/slave/containerizer/mesos/isolators/volume/secret.hpp @@ -51,6 +51,9 @@ public: const ContainerID& containerId, const mesos::slave::ContainerConfig& containerConfig) override; + process::Future cleanup( + const ContainerID& containerId) override; + private: VolumeSecretIsolatorProcess( const Flags& flags,