Re: Review Request 58337: Allowed whitelist additional devices in cgroups devices subsystem.

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58337/#review172067
---


Fix it, then Ship it!




Need to update `docs/configuration.md` as well. I could fix these when commit 
it, please take a look.


src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp
Lines 150-152 (patched)


I think pass a `vector whitelistDeviceEntries` 
contains default and additional entries would be more simple.



src/slave/flags.hpp
Lines 102 (patched)


Perfer `cgroups_whitelist_devices` to keep consistent with 
`DEFAULT_WHITELIST_ENTRIES`.



src/slave/flags.cpp
Lines 456 (patched)


`devcies` seems no necessary. Let's use array here directly.

```
  add(::cgroups_whitelist_devices,
  "cgroups_whitelist_devices",
  "JSON array representing the devices that will be additionally\n"
  "whitelisted by cgroups devices subsystem. This will take effect\n"
  "only when `cgroups/devices` is set in `--isolation` flag.\n"
  "Example:\n"
  "[\n"
  "{\n"
  "\"path\": \"/path/to/device\",\n"
  "\"read_access\": true,\n"
  "\"write_access\": false,\n"
  "\"mknod_access\": false\n"
  "}\n"
  "]\n"
  );
```


- haosdent huang


On April 17, 2017, 3:51 a.m., Zhongbo Tian wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58337/
> ---
> 
> (Updated April 17, 2017, 3:51 a.m.)
> 
> 
> Review request for mesos and haosdent huang.
> 
> 
> Bugs: MESOS-6791
> https://issues.apache.org/jira/browse/MESOS-6791
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Add allowed devices whitelist for cgroups/devices isolator.
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp 
> ca2727142a9f257168f3cae0958f7b4665b63cf6 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 
> 9b5cf83093796b0c0cc5057b612f80bc8b8ba72f 
>   src/slave/flags.hpp 171f67e44518e858049d002fcf037715021da265 
>   src/slave/flags.cpp 9365da2c8462a4375a99a86210b9d6ec628510fe 
> 
> 
> Diff: https://reviews.apache.org/r/58337/diff/3/
> 
> 
> Testing
> ---
> 
> For simple test:
> 
> - Launch without additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
> --work_dir=/tmp/mesos --isolation=cgroups/devices`
>   2. try open `/dev/rtc0` and failed with permission denied. `sudo 
> mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 
> /dev/rtc0"`
> 
> 
> - Launch with additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
> --work_dir=/tmp/mesos --isolation=cgroups/devices 
> --cgroups_whitelist_devices=[{'"path":"/dev/rtc0", "mknod_access":true, 
> "ad_access":true, "write_access":true}]'`
>   2. open `/dev/rtc0` successfully. `sudo mesos-execute 
> --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
> 
> 
> Thanks,
> 
> Zhongbo Tian
> 
>

Re: Review Request 58337: Allowed whitelist additional devices in cgroups devices subsystem.

[Zhongbo Tian]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58337/
---

(Updated April 17, 2017, 3:51 a.m.)


Review request for mesos and haosdent huang.


Summary (updated)
-

Allowed whitelist additional devices in cgroups devices subsystem.


Bugs: MESOS-6791
https://issues.apache.org/jira/browse/MESOS-6791


Repository: mesos


Description
---

Add allowed devices whitelist for cgroups/devices isolator.


Diffs
-

  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp 
ca2727142a9f257168f3cae0958f7b4665b63cf6 
  src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 
9b5cf83093796b0c0cc5057b612f80bc8b8ba72f 
  src/slave/flags.hpp 171f67e44518e858049d002fcf037715021da265 
  src/slave/flags.cpp 9365da2c8462a4375a99a86210b9d6ec628510fe 


Diff: https://reviews.apache.org/r/58337/diff/3/


Testing (updated)
---

For simple test:

- Launch without additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
--work_dir=/tmp/mesos --isolation=cgroups/devices`
  2. try open `/dev/rtc0` and failed with permission denied. `sudo 
mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 
/dev/rtc0"`


- Launch with additional devices:
  1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
--work_dir=/tmp/mesos --isolation=cgroups/devices 
--cgroups_whitelist_devices=[{'"path":"/dev/rtc0", "mknod_access":true, 
"ad_access":true, "write_access":true}]'`
  2. open `/dev/rtc0` successfully. `sudo mesos-execute --master=127.0.0.1:5050 
--name=test --command="head -c 0 /dev/rtc0"`


Thanks,

Zhongbo Tian

Re: Review Request 58443: Unit test for file/symlink/directory overwriting in provisioners.

[Jie Yu]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58443/#review172065
---




src/tests/containerizer/provisioner_docker_tests.cpp
Lines 729 (patched)


Not yours, but I think we should rename ProvisionerDockerPullerTest to 
ProvisionerDockerTest, and rename ProvisionerDockerWhiteoutTest to 
ProvisionerDockerBackendTest. We don't need this new test fixture. We should 
just re-use ProvisionerDockerBackendTest (which iterates all available 
backends).
```
ProvisionerDockerBackendTest.XXX_Whiteout
ProvisionerDockerBackendTest.XXX_Overwrite
```

Let's pull the test renaming into a separate patch.


- Jie Yu


On April 15, 2017, 12:46 a.m., Chun-Hung Hsiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58443/
> ---
> 
> (Updated April 15, 2017, 12:46 a.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
> 
> 
> Bugs: MESOS-5028 and MESOS-6327
> https://issues.apache.org/jira/browse/MESOS-5028
> https://issues.apache.org/jira/browse/MESOS-6327
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> The test is based on the following image:
>   https://hub.docker.com/r/chhsiao/overwrite/
> 
> 
> Diffs
> -
> 
>   src/tests/containerizer/provisioner_docker_tests.cpp 
> b0a4d21a26e084d72b915156e9408826252ef083 
> 
> 
> Diff: https://reviews.apache.org/r/58443/diff/2/
> 
> 
> Testing
> ---
> 
> sudo make check
> 
> 
> Thanks,
> 
> Chun-Hung Hsiao
> 
>

Re: Review Request 58408: Overwriting Directories with Files in Copy Provisioner.

[Jie Yu]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58408/#review172055
---




src/slave/containerizer/mesos/provisioner/backends/copy.cpp
Lines 165 (patched)


Let's use `Option removePath` here, instead of relying on 
removePath being an empty string. We always prefer more explicit check.



src/slave/containerizer/mesos/provisioner/backends/copy.cpp
Line 166 (original), 177 (patched)


Not yours, but I think `Path(whiteout)` is not necessary. We should just 
use `whiteout.dirname()`



src/slave/containerizer/mesos/provisioner/backends/copy.cpp
Lines 193 (patched)


What if `node->fts_info` is things like `FTS_DNR`, `FTS_ERR`, `FTS_NS`, 
etc. Do we accidentally remove directories?

I think we should explicitly check all fts_info type. I also think that we 
should return Failure if we encounter error conditions like FTS_ERR, FTS_NDR. 
(This is not your fault, ths original code does not handle that).


- Jie Yu


On April 14, 2017, 6:51 p.m., Chun-Hung Hsiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58408/
> ---
> 
> (Updated April 14, 2017, 6:51 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
> 
> 
> Bugs: MESOS-5028
> https://issues.apache.org/jira/browse/MESOS-5028
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> When a layer overwrites a directory with a regular file or symbolic link
> (or vice versa), the old dir/file need to be removed before copying the
> layer into the rootfs. This is processed together with whiteout:
> The copy provisioner find all files to remove, including files
> marked as whiteout and the files described above, and remove them
> before the copy process.
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/mesos/provisioner/backends/copy.cpp 
> 584cc6524f81cc1bc231b105507dbfe51fec991d 
> 
> 
> Diff: https://reviews.apache.org/r/58408/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> Manually tested on the following images:
>   https://hub.docker.com/r/gilbertsong/whiteout/
>   https://hub.docker.com/r/chhsiao/overwrite/
> 
> 
> Thanks,
> 
> Chun-Hung Hsiao
> 
>

Re: Review Request 58337: Add allowed devices whitelist for cgroups/devices isolator.

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58337/#review172062
---



Sorry for the delay, basically this patch LGTM. But I need to test this tmr and 
then could go head. Thanks a lot @windreamer's contributions!

- haosdent huang


On April 12, 2017, 4:17 a.m., Zhongbo Tian wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58337/
> ---
> 
> (Updated April 12, 2017, 4:17 a.m.)
> 
> 
> Review request for mesos and haosdent huang.
> 
> 
> Bugs: MESOS-6791
> https://issues.apache.org/jira/browse/MESOS-6791
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Add allowed devices whitelist for cgroups/devices isolator.
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.hpp 
> ca2727142a9f257168f3cae0958f7b4665b63cf6 
>   src/slave/containerizer/mesos/isolators/cgroups/subsystems/devices.cpp 
> 9b5cf83093796b0c0cc5057b612f80bc8b8ba72f 
>   src/slave/flags.hpp 171f67e44518e858049d002fcf037715021da265 
>   src/slave/flags.cpp 9365da2c8462a4375a99a86210b9d6ec628510fe 
> 
> 
> Diff: https://reviews.apache.org/r/58337/diff/3/
> 
> 
> Testing
> ---
> 
> For simple test:
> 
> - Launch without additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
> --work_dir=/tmp/mesos --isolation=cgroups/devices`
>   2. try open `/dev/rtc0` and failed with permission denied. `sudo 
> mesos-execute --master=127.0.0.1:5050 --name=test --command="head -c 0 
> /dev/rtc0"`
> 
> 
> - Launch with additional devices:
>   1. Start agent with `sudo mesos-agent --master=127.0.0.1:5050 
> --work_dir=/tmp/mesos --isolation=cgroups/devices 
> --cgroups_allowed_devices='{"devices":[{"path":"/dev/rtc0", 
> "mknod_access":true, "read_access":true, "write_access":true}]}'`
>   2. open `/dev/rtc0` successfully. `sudo mesos-execute 
> --master=127.0.0.1:5050 --name=test --command="head -c 0 /dev/rtc0"`
> 
> 
> Thanks,
> 
> Zhongbo Tian
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review172061
---


Fix it, then Ship it!




Ship It!


src/slave/containerizer/docker.cpp
Lines 361-368 (patched)


`SYS_PTRACE` is required to inspect the namesapces of other processes.

I change to 

```
+// `--pid=host` is required for `mesos-docker-executor` to find
+// the pid of the task in `/proc` when running
+// `mesos-docker-executor` in a separate docker container.
+Parameter* pidParameter = dockerInfo.add_parameters();
+pidParameter ->set_key("pid");
+pidParameter->set_value("host");
+
+// `--cap-add=SYS_ADMIN` and `--cap-add=SYS_PTRACE` are required
+// for `mesos-docker-executor` to enter the namespaces of the task
+// during health checking when running `mesos-docker-executor` in a
+// separate docker container.
+Parameter* capAddParameter = dockerInfo.add_parameters();
+capAddParameter->set_key("cap-add");
+capAddParameter->set_value("SYS_ADMIN");
+capAddParameter = dockerInfo.add_parameters();
+capAddParameter->set_key("cap-add");
+capAddParameter->set_value("SYS_PTRACE");
```


- haosdent huang


On April 16, 2017, 9:26 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 16, 2017, 9:26 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

> On 四月 8, 2017, 11:38 a.m., haosdent huang wrote:
> > src/slave/containerizer/docker.cpp
> > Lines 366 (patched)
> > 
> >
> > I think it is fine to use priviliged to lauch mesos-executor. But after 
> > discussed with @xiaods, let me find if we could avoid to use privileged via 
> > --cap-add.

add new pr to fix it, it works in my side workround.


- Deshi


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171402
---


On 四月 16, 2017, 9:26 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated 四月 16, 2017, 9:26 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

(Updated 四月 16, 2017, 9:26 a.m.)


Review request for mesos, Alexander Rukletsov and haosdent huang.


Changes
---

use alternative cap-add SYS_ADMIN


Bugs: MESOS-7210
https://issues.apache.org/jira/browse/MESOS-7210


Repository: mesos


Description
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs (updated)
-

  src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 


Diff: https://reviews.apache.org/r/58200/diff/4/

Changes: https://reviews.apache.org/r/58200/diff/3-4/


Testing
---

1. Build the image with latest code. Let's name the image with `mesos-build` 
here.

2. Launch mesos master.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-master \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--port=5050 \
--work_dir=/tmp/mesos
```

3. Launch mesos agent.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-agent \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--master=127.0.0.1:5050 \
--systemd_enable_support=false \
--work_dir=/tmp/mesos \
--containerizers=docker,mesos \
--docker_mesos_image=mesos-build
```

4. Launch task with health check.

Define the task with health check.

```
$ cat /tmp/task.json
{
  "name": "test-health-check",
  "task_id": {"value" : "test-health-check"},
  "agent_id": {"value" : ""},
  "resources": [
{
  "name": "cpus",
  "type": "SCALAR",
  "scalar": {
"value": 0.1
  },
  "role": "*"
},
{
  "name": "mem",
  "type": "SCALAR",
  "scalar": {
"value": 32
  },
  "role": "*"
}
  ],
  "command": {
"value": "sleep 1000"
  },
  "container": {
"type": "DOCKER",
"volumes": [],
"docker": {
  "image": "mesos-build",
  "network": "HOST"
}
  },
  "health_check": {
"type": "HTTP",
"http": {
  "scheme": "http",
  "port": 5050
},
"gracePeriodSeconds": 300,
"intervalSeconds": 60,
"timeoutSeconds": 20,
"maxConsecutiveFailures": 3
  }
}
```

Lauch task

```
$ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
```

And verified the healthy status of task is correct.

```
I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
of task (pid: '88727') successfully
I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health check 
for task 'test-health-check' in 86.311186ms
I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for task 
'test-health-check' passed
```


Thanks,

Deshi Xiao