Jie Yu created MESOS-9462:
-----------------------------

Summary: Devices in a container are inaccessible due to `nodev` on `/var/run`.
Key: MESOS-9462
URL: https://issues.apache.org/jira/browse/MESOS-9462
Project: Mesos
Issue Type: Bug
Affects Versions: 1.8.0
Reporter: Jie Yu
A recent [patch|https://reviews.apache.org/r/69086/] (commit ede8155d1d043137e15007c48da36ac5fa0b5124) changes how the standard device nodes (e.g., /dev/null, etc.) are set up. They are now bind mounted from the host instead of being created with mknod. The device nodes are created under `/var/run/mesos/containers/<container_id>/devices` and then bind mounted into the container root filesystem.

This is problematic on Linux distros that mount `/var/run` (or `/run`) with `nodev`. For instance, CentOS 7.4:

{noformat}
[jie@core-dev ~]$ cat /proc/self/mountinfo | grep "/run\ "
24 62 0:19 / /run rw,nosuid,nodev shared:23 - tmpfs tmpfs rw,seclabel,mode=755
[jie@core-dev ~]$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
{noformat}

As a result, the `/dev/null` device in the container inherits the `nodev` flag from `/run` on the host:

{noformat}
629 625 0:121 /mesos/containers/49f1da14-d741-4030-994c-0d8ed5093b13/devices/null /dev/null rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
{noformat}

This causes a "Permission Denied" error when a process in the container tries to open the device node.

You can reproduce this issue using Mesos Mini:

{noformat}
docker run --rm --privileged -p 5050:5050 -p 5051:5051 -p 8080:8080 mesos/mesos-mini:master-2018-12-06
{noformat}

Then go to the Marathon UI (http://localhost:8080) and launch an app using the following config:

{code}
{
  "id": "/test",
  "cmd": "dd if=/dev/zero of=file bs=1024 count=1 oflag=dsync",
  "cpus": 1,
  "mem": 128,
  "disk": 128,
  "instances": 1,
  "container": {
    "type": "MESOS",
    "docker": {
      "image": "ubuntu:18.04"
    }
  }
}
{code}

You'll see the task fail with "Permission Denied".
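A bind mount carries over the per-mount flags (`nodev`, `nosuid`, `noexec`) of the mount it was taken from, which is exactly what the `/dev/null` line above shows. The following check, added here as an example and not part of Mesos or of this report, parses `/proc/self/mountinfo` text and flags any mount under `/dev` whose per-mount options include `nodev`; the sample input is constructed from the two lines quoted above plus one healthy `/dev/zero` entry for contrast.

```python
"""Detect device-node bind mounts under /dev that inherited `nodev`."""
from dataclasses import dataclass

# Constructed sample: the host /run mount and the Mesos /dev/null bind mount
# from the report, plus a /dev/zero bind mount without nodev for contrast.
SAMPLE_MOUNTINFO = """\
24 62 0:19 / /run rw,nosuid,nodev shared:23 - tmpfs tmpfs rw,seclabel,mode=755
629 625 0:121 /mesos/containers/49f1da14-d741-4030-994c-0d8ed5093b13/devices/null /dev/null rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
630 625 0:122 /devices/zero /dev/zero rw,nosuid - tmpfs tmpfs rw,mode=755
"""


@dataclass(frozen=True)
class MountEntry:
    mount_id: int
    parent_id: int
    root: str          # path within the source filesystem that was bind mounted
    mount_point: str   # where it appears in this mount namespace
    options: frozenset  # per-mount flags (field 6), where nodev shows up
    fstype: str
    source: str


def parse_mountinfo(text: str) -> list:
    """Parse /proc/<pid>/mountinfo lines. Optional fields (e.g. shared:23) sit
    between the mount options and the ' - ' separator, so split on that first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        fstype, source = post.split()[:2]
        entries.append(MountEntry(
            mount_id=int(fields[0]), parent_id=int(fields[1]),
            root=fields[3], mount_point=fields[4],
            options=frozenset(fields[5].split(",")),
            fstype=fstype, source=source))
    return entries


def inaccessible_device_mounts(entries: list) -> list:
    """Mount points under /dev whose per-mount options include nodev.
    Opening a device node on such a mount fails, as described in this issue."""
    return sorted(e.mount_point for e in entries
                  if (e.mount_point == "/dev" or e.mount_point.startswith("/dev/"))
                  and "nodev" in e.options)


if __name__ == "__main__":
    # On a real host, read open("/proc/self/mountinfo").read() instead.
    print(inaccessible_device_mounts(parse_mountinfo(SAMPLE_MOUNTINFO)))
```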