> On March 31, 2016, 5:59 p.m., Cong Wang wrote:
> > Why could /var/run/netns be in the same mount peer group as its parent?
> > At least on fedora21 this is not the case.
> >
> > Also, why do you fix two bugs in one patch? I know you don't care about
> > bisect, but even so this is still not a good practice at all.
>
> Jie Yu wrote:
> I'll split the patch. Regarding the mount peer groups issue, here is the
> test I did on fedora23:
> ```
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> [vagrant@localhost build]$ sudo mount^C
> [vagrant@localhost build]$ sudo mkdir /run/netns
> [vagrant@localhost build]$ sudo mount --bind /run/netns /run/netns
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> 72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> [vagrant@localhost build]$ sudo mount --make-shared /run/netns
> [vagrant@localhost build]$ cat /proc/self/mountinfo
> 17 58 0:17 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
> 18 58 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
> 19 58 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=4076012k,nr_inodes=1019003,mode=755
> 20 17 0:18 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
> 21 19 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
> 22 19 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
> 23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> 24 17 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
> 25 24 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
> 26 17 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:19 - pstore pstore rw,seclabel
> 27 24 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,blkio
> 28 24 0:25 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,net_cls,net_prio
> 29 24 0:26 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,freezer
> 30 24 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
> 31 24 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
> 32 24 0:29 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,cpu,cpuacct
> 33 24 0:30 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,devices
> 34 24 0:31 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,hugetlb
> 35 24 0:32 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
> 56 17 0:33 / /sys/kernel/config rw,relatime shared:20 - configfs configfs rw
> 58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
> 36 17 0:16 / /sys/fs/selinux rw,relatime shared:21 - selinuxfs selinuxfs rw
> 37 18 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
> 38 19 0:35 / /dev/hugepages rw,relatime shared:24 - hugetlbfs hugetlbfs rw,seclabel
> 39 19 0:15 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
> 40 17 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw,seclabel
> 70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
> 72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
> ```
My point is: who makes the peer group change? Is that the distro? If not, the admin/user can always do whatever they want, and it doesn't make much sense to fix a user-specific case. If it is the distro, we have to fix it, like the symlink case.

- Cong

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45520/#review126372
-----------------------------------------------------------

On March 31, 2016, 1:47 a.m., Jie Yu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45520/
> -----------------------------------------------------------
>
> (Updated March 31, 2016, 1:47 a.m.)
>
>
> Review request for mesos, Ian Downes and Cong Wang.
>
>
> Bugs: MESOS-4662
>     https://issues.apache.org/jira/browse/MESOS-4662
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Fixed the bind mount root issue in port mapping isolator. This patch fixed
> two issues:
> 1) no longer assume /var/run/netns is a realpath
> 2) made sure /var/run/netns is a shared mount in its own mount peer group
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/network/port_mapping.hpp 0fe2f486eb733acf738c1c61fc44f820d7401afc
>   src/slave/containerizer/mesos/isolators/network/port_mapping.cpp 323c84a3d960a196d8ba87f753814e9d43a07957
>   src/tests/containerizer/port_mapping_tests.cpp e062daa9fcfc776144b48325daa1f1284c5e59a4
>
> Diff: https://reviews.apache.org/r/45520/diff/
>
>
> Testing
> -------
>
> sudo make check on Fedora23
>
>
> Thanks,
>
> Jie Yu
>
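The question argued in this thread (is `/run/netns` in its own peer group, or still in its parent's?) can be answered mechanically from `/proc/self/mountinfo` instead of by eyeballing the dump. The following is an added example written for this page, not Mesos code and not the patch under review. It parses the mountinfo format quoted above, compares the `shared:N` tag of a mount point with that of its parent mount, and returns the `mount(8)` steps that would give a bind mount a fresh peer group. `SAMPLE_MOUNTINFO` is copied from the last dump in Jie Yu's test; the helper names (`parse_mountinfo`, `in_own_peer_group`, `fix_commands`, `check_path`) are this example's own, and the `--make-private` then `--make-shared` sequence is derived from Linux mount propagation semantics as documented in mount_namespaces(7), not from anything the patch is shown to do.

```python
"""Peer-group check for a bind-mounted directory, from /proc/self/mountinfo.

Added example for this thread; not Mesos code and not the patch under review.
SAMPLE_MOUNTINFO is copied from the third dump quoted in the thread (after
`mount --make-shared /run/netns`); all helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_MOUNTINFO = """\
58 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
23 58 0:20 / /run rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
70 23 0:36 / /run/user/1001 rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw,seclabel,size=817560k,mode=700,uid=1001,gid=1001
72 23 0:20 /netns /run/netns rw,nosuid,nodev shared:22 - tmpfs tmpfs rw,seclabel,mode=755
"""


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str            # path inside the filesystem that this mount exposes
    mount_point: str
    optional: List[str]  # propagation tags, e.g. ["shared:22"] or ["master:5"]

    def peer_group(self) -> Optional[int]:
        """Shared peer group id, or None when the mount is private or slave-only."""
        for tag in self.optional:
            if tag.startswith("shared:"):
                return int(tag.split(":", 1)[1])
        return None


def _unescape(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash in paths as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> Dict[int, MountEntry]:
    """Parse mountinfo lines (proc(5)) into entries keyed by mount id.

    Layout: id parent maj:min root mount_point opts [optional...] - fstype src superopts
    The optional-field list is variable length, so split on the " - " separator
    first and treat everything after the sixth field as propagation tags.
    """
    entries: Dict[int, MountEntry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        before_sep, _, _after_sep = line.partition(" - ")
        f = before_sep.split()
        entries[int(f[0])] = MountEntry(
            mount_id=int(f[0]), parent_id=int(f[1]),
            root=_unescape(f[3]), mount_point=_unescape(f[4]),
            optional=f[6:])
    return entries


def find_mount(entries: Dict[int, MountEntry], path: str) -> Optional[MountEntry]:
    """Mount currently visible at exactly `path`.

    mountinfo lists mounts in attach order and a later mount on the same point
    shadows the earlier ones, so the last match is the one a lookup sees.
    """
    hits = [e for e in entries.values() if e.mount_point == path]
    return hits[-1] if hits else None


def in_own_peer_group(entries: Dict[int, MountEntry], path: str) -> bool:
    """True iff `path` is a shared mount whose peer group differs from its parent's.

    A bind mount of a shared mount joins the source's peer group, which is why
    the dump shows /run/netns as shared:22, the same group as /run, both before
    and after `mount --make-shared` (already shared, so that call changed nothing).
    """
    mnt = find_mount(entries, path)
    if mnt is None or mnt.peer_group() is None:
        return False
    parent = entries.get(mnt.parent_id)
    return parent is None or parent.peer_group() != mnt.peer_group()


def fix_commands(entries: Dict[int, MountEntry], path: str) -> List[str]:
    """mount(8) steps that would give `path` a shared peer group of its own.

    From Linux propagation semantics (mount_namespaces(7)), not from the patch:
    --make-private drops the group inherited from the bind source, and
    --make-shared then allocates a fresh one. Returned as strings, not run;
    executing them needs CAP_SYS_ADMIN in the mount namespace.
    """
    steps: List[str] = []
    if find_mount(entries, path) is None:
        steps.append(f"mount --bind {path} {path}")
    steps += [f"mount --make-private {path}", f"mount --make-shared {path}"]
    return steps


def check_path(path: str, text: Optional[str] = None) -> bool:
    """Check `path` against `text`, or against the live /proc/self/mountinfo."""
    if text is None:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    return in_own_peer_group(parse_mountinfo(text), path)


if __name__ == "__main__":
    table = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/run", "/run/user/1001", "/run/netns"):
        print(f"{p}: own peer group = {in_own_peer_group(table, p)}")
    print("\n".join(fix_commands(table, "/run/netns")))
```

Run as a script it reports `/run` and `/run/user/1001` as being in their own peer groups and `/run/netns` as not, matching the dump; `check_path("/run/netns")` with no text argument reads the live table and needs no privilege. The parser splits on the ` - ` separator before counting fields because the optional tag list between the mount options and the separator has no fixed length.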