[jira] [Commented] (MESOS-9769) Add direct containerized support for filesystem operations.

2019-06-11 Thread Gilbert Song (JIRA)


[ https://issues.apache.org/jira/browse/MESOS-9769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861582#comment-16861582 ]

Gilbert Song commented on MESOS-9769:
-

commit 1961e41a61def2b7baca7563c0b7e1855880b55c
Author: Qian Zhang 
Date:   Tue Jun 11 15:50:47 2019 -0700

Improved container-specific cgroups test by checking `cpu.shares`.

This is to ensure the symbolic links (see below as an example) we
create for the container exist.
  ln -s /sys/fs/cgroup/cpu,cpuacct /sys/fs/cgroup/cpu

Review: https://reviews.apache.org/r/70827/

commit f24c54e85e08bc9c8b118cce29ad487661a0ffc6
Author: Qian Zhang 
Date:   Tue Jun 11 15:50:43 2019 -0700

Supported file operations for command tasks.

Review: https://reviews.apache.org/r/70826/

> Add direct containerized support for filesystem operations.
> ---
>
> Key: MESOS-9769
> URL: https://issues.apache.org/jira/browse/MESOS-9769
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: James Peach
> Assignee: James Peach
> Priority: Major
> Fix For: 1.9.0
>
>
> When setting up the container filesystems, we use `pre_exec_commands` to make 
> ABI symlinks and other things. The problem with this is that, depending on 
> the order of operations, we may not have the full security policy in place 
> yet, but since we are running in the context of the container's mount 
> namespaces, the programs we execute are under the control of whoever built 
> the container image.
> [~jieyu] and I previously discussed adding filesystem operations to the 
> `ContainerLaunchInfo`. Just `ln` would be sufficient for the `cgroups` and 
> `linux/filesystem` isolators. Secrets and port mapping isolators need more, 
> so we should discuss and file new tickets if necessary.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
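
The issue description above contrasts running `ln` through `pre_exec_commands` with performing the filesystem operation directly. As an added example (not code from Mesos or from the patches referenced in this thread), the following creates a symlink with symlink(2) inside the launcher process, so no binary from the container image is executed; `FileOp`, `applySymlink` and `applyAll` are hypothetical names.

```cpp
// Added illustration; FileOp, applySymlink and applyAll are hypothetical
// names, not Mesos APIs.
#include <cerrno>
#include <climits>
#include <string>
#include <vector>
#include <unistd.h>

struct FileOp {        // one declarative "ln -s target link" request
  std::string target;  // what the link points to
  std::string link;    // path of the symlink to create
};

// Creates the symlink with symlink(2) in the caller's own process.
// Nothing is forked or exec'd, so no `ln` binary supplied by the image runs.
// Returns 0 on success or an errno value on failure.
int applySymlink(const FileOp& op) {
  if (::symlink(op.target.c_str(), op.link.c_str()) == 0) return 0;
  if (errno != EEXIST) return errno;

  // Something already exists at `link`. Accept it only if it is a symlink
  // with exactly the requested target; never replace existing content.
  char buf[PATH_MAX];
  ssize_t n = ::readlink(op.link.c_str(), buf, sizeof(buf));
  if (n < 0) return EEXIST;  // not a symlink, or unreadable
  return std::string(buf, n) == op.target ? 0 : EEXIST;
}

// Applies the operations in order and stops at the first failure.
int applyAll(const std::vector<FileOp>& ops) {
  for (const FileOp& op : ops) {
    int err = applySymlink(op);
    if (err != 0) return err;
  }
  return 0;
}
```
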


[jira] [Commented] (MESOS-9769) Add direct containerized support for filesystem operations.

2019-06-10 Thread Qian Zhang (JIRA)


[ https://issues.apache.org/jira/browse/MESOS-9769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16860494#comment-16860494 ]

Qian Zhang commented on MESOS-9769:
---

In the above patch, the command executor was not updated for 
`ContainerFileOperation` support; I posted a patch to fix it:

https://reviews.apache.org/r/70826/
