[
https://issues.apache.org/jira/browse/MESOS-8507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yan Xu updated MESOS-8507:
--
Description:
In the current SLRP implementation the reservations for new SLRP/CSI backed
volumes are checkpointed under {{/slaves/latest/resource_providers}} so
when the agent runs into incompatible configuration changes (the kinds that
cannot be addressed by MESOS-1739), the operator has to remove the symlink and
then the reservations are gone.
Then the agent recovers with a new {{SlaveInfo}} and new SLRPs are created to
recover the CSI volumes. These CSI volumes will not have reservations and thus
will be offered to frameworks of any role, potentially with the data already
written by the previous owner.
The framework doesn't have any control over this and any chance to clean up
before the volumes are re-offered, which is undesired for security reasons.
was:
In the current SLRP implementation the reservations for new SLRP/CSI backed
volumes are checkpointed under {{/slaves/latest/resource_providers}} so
when the agent runs into incompatible configuration changes (the kinds that
cannot be addressed by **MESOS-1739), the operator has to remove the symlink
and then the reservations are gone.
Then the agent recovers with a new {{SlaveInfo}} and new SLRPs are created to
recover the CSI volumes. These CSI volumes will not have reservations and thus
will be offered to frameworks of any role, potentially with the data already
written by the previous owner.
The framework doesn't have any control over this and any chance to clean up
before the volumes are re-offered, which is undesired for security reasons.
> SLRP discards reservations when the agent is discarded, which could lead to
> leaked volumes.
> ---
>
> Key: MESOS-8507
> URL: https://issues.apache.org/jira/browse/MESOS-8507
> Project: Mesos
> Issue Type: Bug
>Reporter: Yan Xu
>Priority: Major
>
> In the current SLRP implementation the reservations for new SLRP/CSI backed
> volumes are checkpointed under {{/slaves/latest/resource_providers}} so
> when the agent runs into incompatible configuration changes (the kinds that
> cannot be addressed by MESOS-1739), the operator has to remove the symlink
> and then the reservations are gone.
> Then the agent recovers with a new {{SlaveInfo}} and new SLRPs are created to
> recover the CSI volumes. These CSI volumes will not have reservations and
> thus will be offered to frameworks of any role, potentially with the data
> already written by the previous owner.
>
> The framework doesn't have any control over this and any chance to clean up
> before the volumes are re-offered, which is undesired for security reasons.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
