[ https://issues.apache.org/jira/browse/MESOS-1094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13939714#comment-13939714 ]

Timothy St. Clair edited comment on MESOS-1094 at 3/20/14 2:10 PM:
-------------------------------------------------------------------

Example Below: 

-------------------------------------------------
Simplified cmake goo: 

check_function_exists("unshare" HAVE_UNSHARE)
check_symbol_exists(MS_PRIVATE "sys/mount.h" HAVE_MS_PRIVATE)
check_symbol_exists(MS_SHARED  "sys/mount.h" HAVE_MS_SHARED)
check_symbol_exists(MS_SLAVE  "sys/mount.h" HAVE_MS_SLAVE)
check_symbol_exists(MS_REC  "sys/mount.h" HAVE_MS_REC)
...
drop config.h

-------------------------------------------------
pseudo_condor_code.cpp
-------------------------------------------------
#include "config.h"
#include <errno.h>
#include <string.h>
#include <sched.h>       // unshare(), CLONE_NEWNS, CLONE_FS
#include <sys/mount.h>   // mount(), MS_REC, MS_SLAVE

#ifdef HAVE_UNSHARE
        int rc=0;
        // unshare to create a new mount namespace for this process.
        if ( ( rc = ::unshare(CLONE_NEWNS|CLONE_FS) ) ) {
            dprintf(D_ALWAYS, "Failed to unshare the mount namespace: %s\n", strerror(errno));
        }
#if defined(HAVE_MS_SLAVE) && defined(HAVE_MS_REC)
        else {
            ////////////////////////////////////////////////////////
            // Mark every mount as a slave: mounts made in this
            // per-process namespace stay hidden from the parent,
            // while the parent's mounts still propagate in.
            // @ see http://timothysc.github.com/blog/2013/02/22/perprocess/
            ////////////////////////////////////////////////////////
            if ( ( rc = ::mount("", "/", "dontcare", MS_REC|MS_SLAVE, "") ) ) {
                dprintf(D_ALWAYS, "Failed to mark the mount namespace slave: %s\n", strerror(errno));
            }
        }
#endif // HAVE_MS_SLAVE && HAVE_MS_REC
#endif // HAVE_UNSHARE

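The two steps in the snippet above (unshare the mount namespace, then mark everything MS_REC|MS_SLAVE) only do what is intended if the resulting propagation state is actually "slave", which is visible in the optional fields of /proc/self/mountinfo. The following is an added stand-alone C example, not HTCondor or Mesos code: `enter_slave_mount_ns()` performs the same two calls without the Condor logging, and `propagation_of()` classifies a mountinfo line so the result can be checked; the mountinfo lines in the test are constructed samples, and the CLONE_* fallbacks and explicit `unshare` prototype are only there in case `<sched.h>` was processed without `_GNU_SOURCE`.

```c
#define _GNU_SOURCE             /* for unshare() and CLONE_* in <sched.h> */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

#ifndef CLONE_NEWNS             /* fallbacks if <sched.h> did not expose them */
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_FS
#define CLONE_FS    0x00000200
#endif
int unshare(int flags);         /* explicit prototype for the same reason */

/* Classify one /proc/self/mountinfo line by its optional fields, which sit
 * before the " - " separator: "master:N" means the mount receives
 * propagation from a peer group (slave, possibly also shared), "shared:N"
 * alone means it also sends propagation, and neither means private.
 * Returns "slave", "shared" or "private". */
const char *propagation_of(const char *line)
{
    char head[512];
    const char *sep = strstr(line, " - ");
    size_t n = sep ? (size_t)(sep - line) : strlen(line);
    if (n >= sizeof head)
        n = sizeof head - 1;
    memcpy(head, line, n);      /* only inspect the part before " - " */
    head[n] = '\0';
    if (strstr(head, " master:"))
        return "slave";
    if (strstr(head, " shared:"))
        return "shared";
    return "private";
}

/* Same two steps as the Condor snippet: leave the parent's mount namespace,
 * then mark every mount as a slave so mounts made here do not propagate
 * back to the host.  Needs CAP_SYS_ADMIN; returns 0 or -errno. */
int enter_slave_mount_ns(void)
{
    if (unshare(CLONE_NEWNS | CLONE_FS) != 0)
        return -errno;
    /* source and fstype are ignored by the kernel for a propagation change */
    if (mount("", "/", "dontcare", MS_REC | MS_SLAVE, "") != 0)
        return -errno;
    return 0;
}
```

After a successful `enter_slave_mount_ns()`, reading /proc/self/mountinfo and passing the line whose mount point field is "/" through `propagation_of()` should yield "slave"; without CAP_SYS_ADMIN the call returns -EPERM and the namespace is left untouched.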



> Introduce pid namespace abstraction to subprocess
> -------------------------------------------------
>
>                 Key: MESOS-1094
>                 URL: https://issues.apache.org/jira/browse/MESOS-1094
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Niklas Quarfot Nielsen
>            Assignee: Niklas Quarfot Nielsen
>
> Introducing PID namespacing could simplify signal escalation and process 
> control in, for example, the command executor and pluggable containerizer.
> Along the lines of the Fork Exec abstraction in stout, I suggest that we add 
> an abstraction for Linux namespaces.
> LinuxNamespace(PID /* | IPC | mount | ...*/, Fork(Exec("sleep 10")))
> It would be guarded or add convenience methods to ensure system support, for 
> example bool LinuxNamespace::supports(PID /* | IPC | ... */) or simply let 
> the namespace fall back to regular fork/exec.
> I have a proof-of-concept version of the command executor which uses PID 
> namespaces (in combination with delay/escalation), and it feels like details 
> around stack allocation and management could be captured in a new abstraction 
> and make it a neat and nice subsystem to use.



--
This message was sent by Atlassian JIRA
(v6.2#6252)