----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/69086/#review210313 -----------------------------------------------------------
src/slave/containerizer/mesos/isolators/filesystem/linux.cpp Lines 146 (patched) <https://reviews.apache.org/r/69086/#comment294959> This mount fails with user namespaces: ``` Failed to prepare mounts: Failed to mount '{"flags":15,"source":"sysfs","target":"/srv/mesos/work/provisioner/containers/ac807664-4109-409e-8cfb-a4285009598b/backends/overlay/rootfses/2b851cdf-08e2-456f-99bd-f5ff5011c678/sys","type":"sysfs"}': Operation not permitted ``` I was carrying an out of tree hack for that. - James Peach On Oct. 30, 2018, 9:03 p.m., James Peach wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/69086/ > ----------------------------------------------------------- > > (Updated Oct. 30, 2018, 9:03 p.m.) > > > Review request for mesos, Gilbert Song, Jason Lai, Jie Yu, and Jiang Yan Xu. > > > Bugs: MESOS-9319 > https://issues.apache.org/jira/browse/MESOS-9319 > > > Repository: mesos > > > Description > ------- > > Previously, if the container was configured with a root filesytem, > the root was populated by a combination of the `fs::chroot:prepare` > API and the various isolators. The implementation details of some > isolators had leaked into the chroot code, which had a special case > for adding GPU devices. > > This change moves all the responsibility for defining the > root filesystem from the `fs::chroot::prepare()` API to the > `filesystem/linux` isolator. The `filesystem/linux` isolator is > now the single place that captures how to mount the container > pseudo-filesystems as well as how to construct a proper `/dev` > directory. > > Since the `linux/filesystem` isolator is now entirely responsible > for creating and mounting the container `/dev`, any other isolators > that enable access to devices can simply populate device nodes in > the container devices directory. After this change, the container > `/dev` is mounted read-only so that this cannot be used to escape > any disk quota. > > > Diffs > ----- > > src/linux/fs.hpp 31969f6ba82bf5ee549bfdf9698a21adaa486a90 > src/linux/fs.cpp 5cdffe1f4c7f00aee5b8f640e7cfa4a0018cfa0a > src/slave/containerizer/mesos/isolators/filesystem/linux.cpp > c7d753ac2e5575a8d687600bfb9e0617fa72c990 > src/slave/containerizer/mesos/isolators/gpu/isolator.hpp > 4645c625877d9451516133b24bd3959e0f49c0a9 > src/slave/containerizer/mesos/isolators/gpu/isolator.cpp > 56d835779618fd965d928c6926664583e9141f79 > src/slave/containerizer/mesos/isolators/linux/devices.cpp > 8f8ff95ec3856ba06647637a80315365d0e66e23 > src/slave/containerizer/mesos/launch.cpp > 7193da0a094df3e441e185c62b3a0379a0bdc4a2 > > > Diff: https://reviews.apache.org/r/69086/diff/6/ > > > Testing > ------- > > sudo make check (Fedora 28) > > > Thanks, > > James Peach > >