[
https://issues.apache.org/jira/browse/MESOS-9529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16809399#comment-16809399
]
Jie Yu commented on MESOS-9529:
-------------------------------
commit f88880b6a5568cc5573be8f0ac5f9dcdd48914b5 (HEAD -> master, origin/master, origin/HEAD, proc)
Author: Jie Yu <[email protected]>
Date: Mon Apr 1 18:17:21 2019 -0700
Mounted /proc properly when a container shares pid namespace with its parent.
If a container shares the same pid namespace as its parent and is not a
top level container, it might or might not share the same pid namespace
as the agent. In this case, we need to re-mount `/proc`.
One caveat here is that, in the case where this container does share the
pid namespace of the agent (because its parent shares the same pid
namespace of the agent), mounting `/proc` at the same place will result
in EBUSY.
As a result, we need to "move" (MS_MOVE) the mounts under `/proc` to a
new location and mount the `/proc` again at the old location.
See MESOS-9529 for details.
Review: https://reviews.apache.org/r/70356
commit 76e583ab6ba71e7aef020fc662c0c36d6f3d9923
Author: Jie Yu <[email protected]>
Date: Mon Apr 1 18:11:59 2019 -0700
Switched to using `/proc/1/ns/pid` to test pid namespaces.
Previously, we were using `/proc/self/ns/pid` to test pid namespaces. This
is proven to be problematic because the kernel will resolve correctly
even if the `/proc` is not re-mounted in the new pid namespace.
Review: https://reviews.apache.org/r/70355
> `/proc` should be remounted even if a nested container set
> `share_pid_namespace` to true
> ----------------------------------------------------------------------------------------
>
> Key: MESOS-9529
> URL: https://issues.apache.org/jira/browse/MESOS-9529
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Affects Versions: 1.4.2, 1.5.2, 1.6.2, 1.7.1
> Reporter: Jie Yu
> Assignee: Jie Yu
> Priority: Critical
>
> Currently, if a nested container wants to share the pid namespace of its
> parent container, we allow the framework to set
> `LinuxInfo.share_pid_namespace`.
> If the nested container does not have its own rootfs (i.e., using the host
> rootfs), the `/proc` is not re-mounted:
> https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126
> This is problematic because the nested container will fork the host's mount
> namespace, and thus inherit the `/proc` there. As a result, `/proc/<pid>` entries are
> still for the host pid namespace. The pid namespace of the parent container
> might be different than that of the host pid namespace.
> As a result, `ps aux` in the nested container will show all process
> information on the host pid namespace, although the pid namespace of the
> nested container is different than that of the host.
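The two fixes above, as an added example written for this page and not taken from the Mesos source: `same_ns()` compares the namespace identifiers behind two `/proc/<x>/ns/<type>` links, so `proc_is_current()` can apply the `/proc/1/ns/pid` check from the second commit (comparing against `/proc/self/ns/pid`, which the kernel resolves for the calling task even through a stale `/proc`), and `remount_proc()` mounts a fresh procfs and, on EBUSY, moves the existing mount tree aside with MS_MOVE and mounts again, as the first commit describes. The demo in `main` runs only as root, inside a fresh private mount namespace so the host's `/proc` is untouched; the scratch directory `/tmp/oldproc` and the mount flags are assumptions of this example.

```c
// Added example (not Mesos code): detect a stale /proc and re-mount it,
// moving the old mount aside when the kernel answers EBUSY.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Read the "pid:[4026531836]"-style identifier behind a /proc/<x>/ns/<type> link. */
static int read_ns_id(const char *path, char *buf, size_t len) {
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* 1 if both links name the same namespace, 0 if not, -1 if either cannot be read. */
int same_ns(const char *a, const char *b) {
    char ia[64], ib[64];
    if (read_ns_id(a, ia, sizeof ia) < 0 || read_ns_id(b, ib, sizeof ib) < 0) return -1;
    return strcmp(ia, ib) == 0;
}

/* The check from the second commit: pid 1 as seen through the mounted /proc is in
 * our pid namespace only if that /proc reflects our pid namespace. Reading
 * /proc/1/ns/pid needs ptrace-read access to pid 1, so unprivileged callers get -1. */
int proc_is_current(void) {
    return same_ns("/proc/1/ns/pid", "/proc/self/ns/pid");
}

/* Mount a fresh procfs at `target`. If the same procfs (same pid namespace) is
 * already mounted there the kernel returns EBUSY; then move the old mount tree to
 * `scratch` (a caller-created empty directory) with MS_MOVE and mount again.
 * Returns 0 on success, -errno on failure. Needs CAP_SYS_ADMIN in the mount namespace. */
int remount_proc(const char *target, const char *scratch) {
    const unsigned long flags = MS_NOSUID | MS_NODEV | MS_NOEXEC;  /* assumed hardening flags */
    if (mount("proc", target, "proc", flags, NULL) == 0) return 0;
    if (errno != EBUSY) return -errno;
    /* MS_MOVE fails with EINVAL if the source's parent mount is shared, so the
     * caller must have made the tree private first (see main below). */
    if (mount(target, scratch, NULL, MS_MOVE, NULL) < 0) return -errno;
    if (mount("proc", target, "proc", flags, NULL) < 0) return -errno;
    /* The moved tree is no longer needed; detach it lazily together with any submounts. */
    umount2(scratch, MNT_DETACH);
    return 0;
}

int main(void) {
    char id[64];
    if (read_ns_id("/proc/self/ns/pid", id, sizeof id) == 0)
        printf("caller pid namespace: %s\n", id);
    printf("/proc reflects caller's pid namespace: %d\n", proc_is_current());
    if (geteuid() != 0) { puts("not root; skipping remount demo"); return 0; }
    /* Run the demo in a private mount namespace so the host's /proc is untouched. */
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("make private"); return 1; }
    mkdir("/tmp/oldproc", 0700);  /* scratch directory; the path is an assumption */
    int rc = remount_proc("/proc", "/tmp/oldproc");
    printf("remount_proc: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Running it as root from a stale `/proc` (one mounted in a parent pid namespace) prints `0` for the first check and `ok` for the remount; as an unprivileged user only the namespace check runs. The EBUSY branch is the case the first commit calls out: mounting procfs twice for the same pid namespace at the same path is refused, while mounting it for a different pid namespace simply stacks a new mount on top.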
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)