[jira] [Commented] (AURORA-1768) Command `aurora task ssh` is not namespace and taskfs aware

2016-09-12 Thread Joshua Cohen (JIRA)

[ https://issues.apache.org/jira/browse/AURORA-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15484248#comment-15484248 ]

Joshua Cohen commented on AURORA-1768:
--

It may be enough to just enter the executor's namespace. The task's filesystem 
mount is visible there. If we want to enter the process namespace we can get 
the pid from the checkpoint, but it's more complicated in that we need to 
somehow figure out *which* process's namespaces to enter.

> Command `aurora task ssh` is not namespace and taskfs aware
>
> Key: AURORA-1768
> URL: https://issues.apache.org/jira/browse/AURORA-1768
> Project: Aurora
> Issue Type: Story
> Components: Thermos
> Reporter: Stephan Erb
>
> In order to guarantee isolation among tasks and to simplify debugging in
> production environments, we should make sure commands executed via `aurora
> ssh` have been isolated in the same way as the tasks themselves. This implies
> that we have to use the same container filesystem and enter the same
> namespaces.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (AURORA-1768) Command `aurora task ssh` is not namespace and taskfs aware

2016-09-12 Thread Stephan Erb (JIRA)

[ https://issues.apache.org/jira/browse/AURORA-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15483814#comment-15483814 ]

Stephan Erb commented on AURORA-1768:
--

That's tough. The PID of the executor is available in
{{/var/lib/mesos/meta/slaves/latest/frameworks/*/executors/*/runs/latest/pids/forked.pid}}
but as the executor runs outside of the mount namespace this might not work.



[jira] [Commented] (AURORA-1768) Command `aurora task ssh` is not namespace and taskfs aware

2016-09-09 Thread Joshua Cohen (JIRA)

[ https://issues.apache.org/jira/browse/AURORA-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15477671#comment-15477671 ]

Joshua Cohen commented on AURORA-1768:
--

This would likely involve {{aurora task ssh}} invoking some helper binary to
enter the container's namespace upon connection (similar to how it currently
just [cd's|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/client/api/command_runner.py#L63-L72]
into the task's sandbox).

Ideally this helper would just be {{nsenter}}, but I don't think nsenter is
guaranteed to be available on all distros (e.g. it needs to be built from
source for Ubuntu 14.04 for use in our vagrant image). We could instead create
our own thin pex that relies on
[python-nsenter|https://github.com/zalando/python-nsenter] to enter the
necessary namespaces and then
[embed|https://github.com/apache/aurora/blob/master/build-support/embed_runner_in_executor.py]
that in the executor (and later
[extract|https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/executor/bin/thermos_executor_main.py#L192-L204]
it).

This raises the second question: how do we determine which namespace to
actually enter? I'm unsure of this exactly, but I believe it's available via
procfs at {{/proc//ns/mnt}} (or net, etc.).

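The helper sketched in the 2016-09-09 comment, as an added example that is not Aurora's code nor the python-nsenter library: read the executor pid from Mesos' {{forked.pid}}, open the {{/proc/<pid>/ns/*}} handles, call setns(2) through ctypes instead of an {{nsenter}} binary, then cd into the sandbox and run the command. The functions, the flag table and the sample inputs are this example's own assumptions; entering another process's namespaces needs CAP_SYS_ADMIN and is Linux only.

```python
import ctypes
import ctypes.util
import os
import re

# setns(2) flag per namespace kind (CLONE_NEW* values from <linux/sched.h>).
NAMESPACE_FLAGS = {"mnt": 0x00020000, "uts": 0x04000000, "ipc": 0x08000000,
                   "pid": 0x20000000, "net": 0x40000000}


def read_forked_pid(text):
    """Parse the contents of Mesos' .../runs/latest/pids/forked.pid."""
    m = re.fullmatch(r"\s*(\d+)\s*", text)
    if not m:
        raise ValueError("forked.pid does not hold exactly one pid: %r" % text)
    return int(m.group(1))


def namespace_paths(pid, kinds=tuple(NAMESPACE_FLAGS)):
    """procfs handles for pid's namespaces, e.g. /proc/123/ns/mnt."""
    if set(kinds) - set(NAMESPACE_FLAGS):
        raise ValueError("unsupported namespace kind in %r" % (kinds,))
    return ["/proc/%d/ns/%s" % (pid, k) for k in kinds]


def enter_namespaces(pid, kinds=tuple(NAMESPACE_FLAGS)):
    """setns(2) into each of pid's namespaces; needs CAP_SYS_ADMIN, Linux only."""
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
    # Open every handle before the first setns(): once the mount namespace has
    # changed, /proc/<pid>/... may resolve to another /proc, or to nothing.
    fds = [os.open(p, os.O_RDONLY) for p in namespace_paths(pid, kinds)]
    try:
        for kind, fd in zip(kinds, fds):
            if libc.setns(fd, NAMESPACE_FLAGS[kind]) != 0:
                err = ctypes.get_errno()
                raise OSError(err, "setns(%s): %s" % (kind, os.strerror(err)))
    finally:
        for fd in fds:
            os.close(fd)


def run_in_task(pid_file, sandbox, argv):
    """Enter the task's namespaces, cd to its sandbox (path as seen inside the
    mount namespace) and run argv; returns the exit status. A pid namespace only
    applies to children created after setns(), hence the fork (as nsenter does)."""
    with open(pid_file) as f:
        pid = read_forked_pid(f.read())
    enter_namespaces(pid)
    child = os.fork()
    if child == 0:
        os.chdir(sandbox)
        os.execvp(argv[0], argv)
    _, status = os.waitpid(child, 0)
    return os.WEXITSTATUS(status)
```

Which pid to read remains the open question from the thread: {{forked.pid}} names the executor, so this enters the executor's namespaces, where the task filesystem mount is visible but the task's own pid namespace may not be.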