[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16810819#comment-16810819 ] Benno Evers commented on MESOS-8257: I removed the 1.8.0 target designation here and in the linked ticket since it looks like there hasn't been any recent activity here, please feel free to revert as you see fit. > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerization, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16792153#comment-16792153 ] Vinod Kone commented on MESOS-8257: --- [~jasonlai] [~jieyu] Is there more to be done here? > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16691278#comment-16691278 ] Jie Yu commented on MESOS-8257: --- commit b866fc3278dc4fd48d1a50493bcde1efdfa91cc7 (HEAD -> master, origin/master, origin/HEAD) Author: Jason Lai Date: Sun Nov 18 21:12:28 2018 -0800 Added unit tests for Stout `path::normalize` function in POSIX. Review: https://reviews.apache.org/r/68832/ commit 516c0bd70c50ae5aa6682b3b8675ef75d99dfc3f Author: Jason Lai Date: Sun Nov 18 21:12:06 2018 -0800 Added Stout `path::normalize` function for POSIX paths. Added `path::normalize` to normalize a given pathname and remove redundant separators and up-level references. This function follows the rules described in `path_resolution(7)` for Linux. However, it only performs pure lexical processing without touching the actual filesystem. Review: https://reviews.apache.org/r/65811/ > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16581694#comment-16581694 ] Chun-Hung Hsiao commented on MESOS-8257: [~jasonlai] Do you plan to land this in this week? Should this ticket block the 1.7.0 release? > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16478377#comment-16478377 ] Jason Lai commented on MESOS-8257: -- After discussions with [~jieyu] on the refactoring done in {{launch.cpp}} for platform-specific support, I decided to drop some of the patches till we reach an consensus on how refactoring should be done for {{launch.cpp}}. The new patch chain for this particular task has become: * https://reviews.apache.org/r/65811 * https://reviews.apache.org/r/65812 * https://reviews.apache.org/r/65900 * https://reviews.apache.org/r/67175 * https://reviews.apache.org/r/67176 I'll add more patches for tests soon. > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16454867#comment-16454867 ] Jason Lai commented on MESOS-8257: -- [~alexr]: so far we have the following patches in review: * https://reviews.apache.org/r/65811/ * https://reviews.apache.org/r/65812/ * https://reviews.apache.org/r/65898/ * https://reviews.apache.org/r/65899/ * https://reviews.apache.org/r/65900/ I'll have more patches coming up soon > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MESOS-8257) Unified Containerizer "leaks" a target container mount path to the host FS when the target resolves to an absolute path
[ https://issues.apache.org/jira/browse/MESOS-8257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16440889#comment-16440889 ] Alexander Rukletsov commented on MESOS-8257: What is the status on this one, [~jasonlai], [~jieyu]? > Unified Containerizer "leaks" a target container mount path to the host FS > when the target resolves to an absolute path > --- > > Key: MESOS-8257 > URL: https://issues.apache.org/jira/browse/MESOS-8257 > Project: Mesos > Issue Type: Bug > Components: containerization >Affects Versions: 1.3.1, 1.4.1, 1.5.0 >Reporter: Jason Lai >Assignee: Jason Lai >Priority: Critical > Labels: bug, containerizer, mountpath > > If a target path under the root FS provisioned from an image resolves to an > absolute path, it will not appear in the container root FS after > {{pivot_root(2)}} is called. > A typical example is that when the target path is under {{/var/run}} (e.g. > {{/var/run/some-dir}}), which is usually a symlink to an absolute path of > {{/run}} in Debian images, the target path will get resolved as and created > at {{/run/some-dir}} in the host root FS, after the container root FS gets > provisioned. The target path will get unmounted after {{pivot_root(2)}} as it > is part of the old root (host FS). > A workaround is to use {{/run}} instead of {{/var/run}}, but absolute > symlinks need to be resolved within the scope of the container root FS path. -- This message was sent by Atlassian JIRA (v7.6.3#76005)