mesos-commits mailing list archives

From gilb...@apache.org
Subject [mesos] 03/10: Updated `volume/sandbox_path` isolator to honor volume mode.
Date Tue, 14 Aug 2018 23:57:55 GMT
This is an automated email from the ASF dual-hosted git repository.

gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 1631ce9a69f23dbc51985d00436715c11812f89f
Author: Qian Zhang <zhq527725@gmail.com>
AuthorDate: Tue Aug 14 16:19:21 2018 -0700

    Updated `volume/sandbox_path` isolator to honor volume mode.
    
    Review: https://reviews.apache.org/r/68214/
---
 .../containerizer/mesos/isolators/volume/sandbox_path.cpp  | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
index 4896c68..21d9528 100644
--- a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
+++ b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
@@ -379,12 +379,26 @@ Future<Option<ContainerLaunchInfo>> VolumeSandboxPathIsolatorProcess::prepare(
       mount->set_source(source);
       mount->set_target(target);
       mount->set_flags(MS_BIND | MS_REC);
+
+      // If the mount needs to be read-only, do a remount.
+      if (volume.mode() == Volume::RO) {
+        mount = launchInfo.add_mounts();
+        mount->set_target(target);
+        mount->set_flags(MS_BIND | MS_RDONLY | MS_REMOUNT);
+      }
 #endif // __linux__
     } else {
       LOG(INFO) << "Linking SANDBOX_PATH volume from "
                 << "'" << source << "' to '" << target << "'
"
                 << "for container " << containerId;
 
+      // NOTE: We cannot enforce read-only access given the symlink without
+      // changing the source so we just log a warning here.
+      if (volume.mode() == Volume::RO) {
+        LOG(WARNING) << "Allowing read-write access to read-only volume '"
+                     << source << "' of container " << containerId;
+      }
+
       Try<Nothing> symlink = ::fs::symlink(source, target);
       if (symlink.isError()) {
         return Failure(
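Review bot: the symlink branch silently downgrades a `Volume::RO` volume to read-write with only a `LOG(WARNING)`, so a container that asked for read-only access gets write access to `source` without any error reported to the framework; consider whether `prepare()` should return a `Failure` for `Volume::RO` in this branch instead, or, if the degradation is deliberate, extend the NOTE to say why failing is not acceptable here. Separately, the read-only remount entry added to `launchInfo` sets only `target` and `flags` and never calls `set_source()`, which is what `MS_REMOUNT | MS_BIND` needs from the kernel, but a one-line comment on that entry saying the source is intentionally omitted would stop a later reader from "fixing" it.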

