Re: Review Request 45520: Fixed the bind mount root issue in port mapping isolator.
> On March 31, 2016, 5:59 p.m., Cong Wang wrote:
> > Why could /var/run/netns be in the same mount peer group as its parent? At least on fedora21 this is not the case.
> > 
> > Also, why do you fix two bugs in one patch? I know you don't care about bisect, but even so this is still not a good practice at all.
> 
> Jie Yu wrote:
>     I'll split the patch. Regarding the mount peer groups issue, here is the test I did on fedora23:
>     ```
>     [vagrant@localhost build]$ cat /proc/self/mountinfo
>     17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
>     18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
>     19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
>     20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
>     21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
>     22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
>     23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
>     24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
>     25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
>     26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
>     27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
>     28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
>     29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
>     30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
>     31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
>     32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
>     33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
>     34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
>     35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
>     56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
>     58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
>     36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
>     37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
>     38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
>     39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
>     40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
>     70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
>     [vagrant@localhost build]$ sudo mount^C
>     [vagrant@localhost build]$ sudo mkdir /run/netns
>     [vagrant@localhost build]$ sudo mount --bind /run/netns /run/netns
>     [vagrant@localhost build]$ cat /proc/self/mountinfo
>     17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
>     18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
>     19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
>     20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
>     21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
>     22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
>     23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
>     24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
>     25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
>     26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
>     27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
>     28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_
Re: Review Request 45520: Fixed the bind mount root issue in port mapping isolator.
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45520/#review126372
---

Why could /var/run/netns be in the same mount peer group as its parent? At least on fedora21 this is not the case.

Also, why do you fix two bugs in one patch? I know you don't care about bisect, but even so this is still not a good practice at all.

- Cong Wang


On March 31, 2016, 1:47 a.m., Jie Yu wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45520/
> ---
> 
> (Updated March 31, 2016, 1:47 a.m.)
> 
> 
> Review request for mesos, Ian Downes and Cong Wang.
> 
> 
> Bugs: MESOS-4662
>     https://issues.apache.org/jira/browse/MESOS-4662
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Fixed the bind mount root issue in port mapping isolator. This patch fixed two issues:
> 1) no longer assume /var/run/netns is a realpath
> 2) made sure /var/run/netns is a shared mount in its own mount peer group
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/mesos/isolators/network/port_mapping.hpp 0fe2f486eb733acf738c1c61fc44f820d7401afc
>   src/slave/containerizer/mesos/isolators/network/port_mapping.cpp 323c84a3d960a196d8ba87f753814e9d43a07957
>   src/tests/containerizer/port_mapping_tests.cpp e062daa9fcfc776144b48325daa1f1284c5e59a4
> 
> Diff: https://reviews.apache.org/r/45520/diff/
> 
> 
> Testing
> ---
> 
> sudo make check on Fedora23
> 
> 
> Thanks,
> 
> Jie Yu
> 
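The property item 2 of the description claims to guarantee, and the one Cong Wang's question is about, can be checked from /proc/self/mountinfo, which is what Jie Yu's test above inspects by eye. The checker below is an added example and not part of the Mesos patch under review: it parses mountinfo records in the format shown in the quoted listing and classifies a path as not a mount at all, a mount that is not shared, a shared mount that sits in the same peer group as its parent, or a shared mount in a peer group of its own. The sample records are taken from the listing quoted above; the two records for /run/netns (mount id 71, peer group 28), the function names and the status strings are constructed for this example.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str
    mount_point: str
    shared: Optional[int]  # peer group id from the "shared:N" optional field, None if absent


def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse /proc/self/mountinfo records.

    Field layout: id parent maj:min root mountpoint opts [optional fields...] - fstype source superopts
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue  # skip shell prompts and other non-record lines
        pre, sep, _ = line.partition(" - ")  # " - " terminates the optional fields
        if not sep:
            continue
        fields = pre.split()
        if len(fields) < 6:
            continue
        shared = None
        for opt in fields[6:]:
            if opt.startswith("shared:"):
                shared = int(opt[len("shared:"):])
        entries.append(MountEntry(
            mount_id=int(fields[0]),
            parent_id=int(fields[1]),
            root=fields[3].replace("\\040", " "),         # spaces are octal-escaped in mountinfo
            mount_point=fields[4].replace("\\040", " "),
            shared=shared,
        ))
    return entries


def containing_mount(entries: List[MountEntry], path: str) -> Optional[MountEntry]:
    """Top-most mount whose subtree contains `path` (longest mount-point prefix wins;
    among stacked mounts on the same point the last listed is the top-most)."""
    best = None
    for e in entries:
        prefix = e.mount_point.rstrip("/") + "/"
        if path == e.mount_point or (path + "/").startswith(prefix):
            if best is None or len(e.mount_point) >= len(best.mount_point):
                best = e
    return best


def peer_group_status(entries: List[MountEntry], path: str) -> str:
    """Classify `path`:
    'not-a-mount'         : no mount of its own, it is just a directory inside the containing mount
    'not-shared'          : a mount, but private or slave-only, so no peer group
    'shares-parent-group' : shared, but in the same peer group as its parent mount
    'own-group'           : shared and in a peer group of its own
    """
    by_id = {e.mount_id: e for e in entries}
    top = containing_mount(entries, path)
    if top is None or top.mount_point != path:
        return "not-a-mount"
    if top.shared is None:
        return "not-shared"
    parent = by_id.get(top.parent_id)
    if parent is not None and parent.shared == top.shared:
        return "shares-parent-group"
    return "own-group"


def check_live(path: str) -> str:
    """Run the check on the running system. Resolve symlinks first: mountinfo lists
    canonical paths, and /var/run is commonly a symlink to /run (description item 1)."""
    with open("/proc/self/mountinfo") as f:
        return peer_group_status(parse_mountinfo(f.read()), os.path.realpath(path))


# Sample records taken from the listing quoted in the thread (before the bind mount).
SAMPLE_BEFORE = """\
17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
"""
# Constructed record: a plain `mount --bind /run/netns /run/netns` joins the source's
# peer group, so the new mount carries the same shared:22 as /run.
SAMPLE_PLAIN_BIND = SAMPLE_BEFORE + \
    "71 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755\n"
# Constructed record: after `mount --make-private` followed by `mount --make-shared`
# the kernel assigns the mount a fresh peer group id (28 here is invented).
SAMPLE_OWN_GROUP = SAMPLE_BEFORE + \
    "71 23 0:20 /netns /run/netns rw,nosuid,nodev shared:28 - tmpfs tmpfs rw,seclabel,mode=755\n"

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("plain bind", SAMPLE_PLAIN_BIND),
                         ("private+shared", SAMPLE_OWN_GROUP)):
        print(f"{name:15s} /run/netns -> {peer_group_status(parse_mountinfo(sample), '/run/netns')}")
```

The middle case is the one worth watching for in a review like this: a bind mount of a directory under a shared mount is itself shared, but in the *source's* peer group, so a checker that only looks for a `shared:` tag would pass it while propagation still follows the parent. Detaching it into its own group takes an explicit `--make-private` then `--make-shared` on the new mount, after which its `shared:N` differs from the parent's.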
Re: Review Request 45520: Fixed the bind mount root issue in port mapping isolator.
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45520/#review126259
---

Patch looks great!

Reviews applied: [45520]

Passed command: export OS='ubuntu:14.04' CONFIGURATION='--verbose' COMPILER='gcc' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker_build.sh

- Mesos ReviewBot