Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-26 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 26, 2016, 2:43 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Bugs: MESOS-5727
https://issues.apache.org/jira/browse/MESOS-5727


Repository: mesos


Description
---

When launching a task from the mesos-executor, ensure that the mount
namespace is not shared between the task and the executor if the task
specifies rootfs. Otherwise, `pivot_root` in the mesos-containerizer
binary would affect the mount namespace of the executor and possibly
prevent it from accessing some binaries or libraries.


Diffs
-

  src/launcher/posix/executor.cpp 50b9b305a5f722a2407f333a849683d32ac7abff 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang
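
The isolation this review request describes, as an added example that is not part of the thread or of the Mesos source: a forked child calls `unshare(CLONE_NEWNS)` and marks its mounts private before it would run `mount` or `pivot_root`, and the parent confirms that the two processes no longer share a mount namespace. The helper name `child_mount_ns_isolated` and the comparison of `/proc/self/ns/mnt` inodes are choices made for this illustration; unsharing needs CAP_SYS_ADMIN, so without it the helper reports -1.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* Linux ABI value, used if <sched.h> hides it */
#endif

/* Inode identifying the caller's mount namespace, or 0 if /proc is unavailable. */
static ino_t mount_ns_id(void)
{
    struct stat st;
    return stat("/proc/self/ns/mnt", &st) == 0 ? st.st_ino : 0;
}

/*
 * Hypothetical helper: fork a child as a launcher would fork a task helper.
 * Returns 1 if the child is in its own mount namespace, 0 if it shares the
 * parent's, -1 if undetermined (no /proc, or unshare denied: no CAP_SYS_ADMIN).
 */
int child_mount_ns_isolated(int do_unshare)
{
    ino_t parent = mount_ns_id();
    pid_t pid = parent ? fork() : -1;
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (do_unshare) {
            /* Same as unshare(CLONE_NEWNS): private copy of the mount table. */
            if (syscall(SYS_unshare, CLONE_NEWNS) != 0)
                _exit(2);
            /* Keep later mount/pivot_root events from propagating to the parent. */
            if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
                _exit(2);
        }
        ino_t child = mount_ns_id();
        _exit(child == 0 ? 2 : (child != parent ? 1 : 0));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("plain fork: %d\n", child_mount_ns_isolated(0));
    printf("with unshare(CLONE_NEWNS): %d\n", child_mount_ns_isolated(1));
    return 0;
}
```

Run as root, the first line prints 0 and the second prints 1; the parent's `/proc/self/ns/mnt` inode is unchanged in both cases.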



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-26 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 26, 2016, 2:10 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description (updated)
---

When launching a task from the mesos-executor, ensure that the mount
namespace is not shared between the task and the executor if the task
specifies rootfs. Otherwise, `pivot_root` in the mesos-containerizer
binary would affect the mount namespace of the executor and possibly
prevent it from accessing some binaries or libraries.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 50b9b305a5f722a2407f333a849683d32ac7abff 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-26 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 26, 2016, 10:56 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Repository: mesos


Description (updated)
---

When launching a task from the mesos-executor, ensure that the mount
namespace is not shared between the task and the executor if the task
specifies rootfs. Otherwise, `pivot_root` in the mesos-containerizer
binary would affect the mount namespace of the executor and possibly
prevent it from accessing some binaries or libraries.


Diffs
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-26 Thread Alexander Rukletsov

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/#review146933
---


Ship it!




Ship It!

- Alexander Rukletsov


On Aug. 25, 2016, 1:24 p.m., haosdent huang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/51266/
> ---
> 
> (Updated Aug. 25, 2016, 1:24 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón 
> Kleiman, Gilbert Song, Jie Yu, and Timothy Chen.
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> When launching mesos-containerizer in the mesos-executor, we need to
> ensure mesos-executor unshare the mount namespace with
> mesos-containerizer. Otherwise, the mount and pivot_root operations in
> mesos-containerizer would affect the running context of
> mesos-executor.
> 
> 
> Diffs
> -
> 
>   src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 
> 
> Diff: https://reviews.apache.org/r/51266/diff/
> 
> 
> Testing
> ---
> 
> Test by running
> 
> ```
> sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
> ```
> 
> 
> Thanks,
> 
> haosdent huang
> 
>



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 1:24 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 12:33 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description (updated)
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 10:28 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description (updated)
---

When launching mesos-containerizer with rootfs in the mesos-executor,
we need to ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 10:26 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Address @alexr's comment.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 10:22 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Remove extra `ifdef`


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 10:19 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-25 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 25, 2016, 10:12 a.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-24 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 24, 2016, 5:28 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Updated `Testing Done` field.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing (updated)
---

Test by running

```
sudo GLOG_v=1 ./bin/mesos-tests.sh --gtest_filter="HealthCheckTest.*" --verbose
```


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-24 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 24, 2016, 5:22 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-24 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 24, 2016, 4:47 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Address alexr's comment.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---


Thanks,

haosdent huang



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-24 Thread Alexander Rukletsov

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/#review146649
---


Fix it, then Ship it!





src/launcher/posix/executor.cpp (lines 97 - 98)


Let's rephrase a bit. How about:
Ensure that mount namespace of the executor is not affected by changes in 
its task's namespace, e.g. pivot_root called as part of the task setup in 
mesos-containerizer binary.


- Alexander Rukletsov


On Aug. 21, 2016, 6:42 p.m., haosdent huang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/51266/
> ---
> 
> (Updated Aug. 21, 2016, 6:42 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón 
> Kleiman, Gilbert Song, Jie Yu, and Timothy Chen.
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> When launching mesos-containerizer in the mesos-executor, we need to
> ensure mesos-executor unshare the mount namespace with
> mesos-containerizer. Otherwise, the mount and pivot_root operations in
> mesos-containerizer would affect the running context of
> mesos-executor.
> 
> 
> Diffs
> -
> 
>   src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 
> 
> Diff: https://reviews.apache.org/r/51266/diff/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> haosdent huang
> 
>



Re: Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-21 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

(Updated Aug. 21, 2016, 6:42 p.m.)


Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Changes
---

Rebase.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs (updated)
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---


Thanks,

haosdent huang



Review Request 51266: Unshared the mount namespace when launching mesos-containerizer.

2016-08-21 Thread haosdent huang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51266/
---

Review request for mesos, Alexander Rukletsov, Benjamin Mahler, Gastón Kleiman, 
Gilbert Song, Jie Yu, and Timothy Chen.


Repository: mesos


Description
---

When launching mesos-containerizer in the mesos-executor, we need to
ensure mesos-executor unshare the mount namespace with
mesos-containerizer. Otherwise, the mount and pivot_root operations in
mesos-containerizer would affect the running context of
mesos-executor.


Diffs
-

  src/launcher/posix/executor.cpp 43573cacee4e681d4327a7ed7c43b4ee263aa175 

Diff: https://reviews.apache.org/r/51266/diff/


Testing
---


Thanks,

haosdent huang