Mailing list: dev@mesos.apache.org
Subject: Re: Review Request 25865: Pid namespace isolator for the MesosContainerizer.
From: "Vinod Kone"
To: "Vinod Kone", "Jie Yu"
Cc: "mesos", "Ian Downes"
Date: Fri, 26 Sep 2014 01:17:54 -0000
Message-ID: <20140926011754.15006.8647@reviews.apache.org>
In-Reply-To: <20140923233927.15006.24902@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/25865/

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/25865/#review54637
-----------------------------------------------------------

src/slave/containerizer/isolators/namespaces/pid.hpp
s/NamespacesPid/PidNamespace/ ?

src/slave/containerizer/isolators/namespaces/pid.hpp
kill new line.

src/slave/containerizer/isolators/namespaces/pid.cpp
Comment?

src/slave/containerizer/isolators/namespaces/pid.cpp
As mentioned in the previous review, instead of requiring users/operators to know this dependency, we should just automatically use the filesystem/shared isolator when using pid or network isolation.

src/slave/containerizer/isolators/namespaces/pid.cpp
Who is calling this method?

src/slave/containerizer/isolators/namespaces/pid.cpp
// Cleanup orphans. ?

src/slave/containerizer/isolators/namespaces/pid.cpp
if you use hashset, you can just do !containers.contains().

src/slave/containerizer/isolators/namespaces/pid.cpp
Why not just call cleanup() here?

src/slave/containerizer/isolators/namespaces/pid.cpp
Can you also say why in the comment? Presumably because you don't want containers to see other containers running in the system?

src/slave/containerizer/isolators/namespaces/pid.cpp
Add a comment that you are doing this for the ability to cleanup orphans during recovery? Also, what is the need for manual cleanup of orphans?

src/slave/containerizer/linux_launcher.cpp
why is this pulled out?

src/tests/isolator_tests.cpp
s/NamespacesPidIsolatorTest/PidNamespaceIsolatorTest/

src/tests/isolator_tests.cpp
you are writing to files, not stdout and stderr right?

- Vinod Kone


On Sept. 23, 2014, 11:39 p.m., Ian Downes wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/25865/
> -----------------------------------------------------------
> 
> (Updated Sept. 23, 2014, 11:39 p.m.)
> 
> 
> Review request for mesos, Jie Yu and Vinod Kone.
> 
> 
> Repository: mesos-git
> 
> 
> Description
> -------
> 
> Add namespaces/pid to --isolation slave flag. Places executor into a pid namespace so it and all descendants will be contained in the namespace. Requires the filesystem/shared isolator so /proc and /sys are remounted to reflect the different namespace.
> 
> 
> Diffs
> -----
> 
> src/Makefile.am 9b973e5503e30180045e270220987ba647da8038
> src/slave/containerizer/isolators/filesystem/shared.cpp PRE-CREATION
> src/slave/containerizer/isolators/namespaces/pid.hpp PRE-CREATION
> src/slave/containerizer/isolators/namespaces/pid.cpp PRE-CREATION
> src/slave/containerizer/linux_launcher.cpp f7bc894830a7ca3f55465dacc7b653cdc2d7758b
> src/slave/containerizer/mesos/containerizer.cpp 9d083294caa5c5a47ba3ceaa1b57346144cb795c
> src/tests/isolator_tests.cpp c38f87632cb6984543cb3767dbd656cde7459610
> 
> Diff: https://reviews.apache.org/r/25865/diff/
> 
> 
> Testing
> -------
> 
> Added test that command in pid namespaced container is in a different namespace and that the command is 'init' (verifies remount of /proc).
> 
> 
> Thanks,
> 
> Ian Downes
> 
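The kernel behaviour that the quoted description and its "Testing" note rely on, as an added example that is not part of this thread or of Mesos: it moves a process into a fresh pid namespace, remounts /proc inside a private mount namespace (the job the description assigns to the filesystem/shared isolator; /sys is left alone here), and checks the two properties the review request's test asserts, namely that the process is pid 1 and that its /proc/self/ns/pid differs from the parent's. It assumes a Linux host. When not running as root it adds a user namespace, and where the kernel or a sandbox refuses the unshare or the proc mount it reports "unavailable" instead of a false failure. The names pid_namespace_check, check_inside, isolate_and_check and the NS_*/XC_* codes are this example's own, not Mesos identifiers.

```c
/* Added example, not Mesos code: reproduce what a pid-namespace isolator
 * test has to verify, using Linux namespaces directly. Assumes Linux. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespace flags (values from <linux/sched.h>), defined here in case the
 * libc header gates them behind a feature macro that was not set in time. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
extern int unshare(int flags);

/* Result of pid_namespace_check(). */
enum { NS_OK = 1, NS_MISMATCH = 0, NS_UNAVAILABLE = -1 };

/* Exit codes of the isolated processes: 1x = could not set up, 2x = check failed. */
enum { XC_OK = 0, XC_SETUP = 10, XC_NOT_INIT = 20, XC_SAME_NS = 21 };

/* Read the pid namespace identity ("pid:[4026531836]") of the caller. */
static int read_pid_ns(char *buf, size_t len) {
    ssize_t n = readlink("/proc/self/ns/pid", buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Runs as pid 1 of the new pid namespace. */
static int check_inside(const char *parent_ns) {
    /* What filesystem/shared does for the container: remount /proc so it
     * reflects the new pid namespace. Make propagation private first so the
     * remount cannot leak back into the host's mount namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return XC_SETUP;
    if (mount("proc", "/proc", "proc", 0, NULL) != 0) return XC_SETUP;
    char ns[128];
    if (read_pid_ns(ns, sizeof ns) != 0) return XC_SETUP;
    if (getpid() != 1) return XC_NOT_INIT;              /* the command is 'init' */
    if (strcmp(ns, parent_ns) == 0) return XC_SAME_NS;  /* different namespace */
    return XC_OK;
}

/* Intermediate process: creates the namespaces, then forks the process that
 * becomes pid 1 (unshare(CLONE_NEWPID) only affects children of the caller).
 * Doing this in a forked child keeps the caller's own namespaces untouched. */
static int isolate_and_check(const char *parent_ns) {
    int flags = CLONE_NEWPID | CLONE_NEWNS;
    if (geteuid() != 0) flags |= CLONE_NEWUSER;  /* unprivileged: need a user ns */
    if (unshare(flags) != 0) return XC_SETUP;    /* EPERM/EINVAL: not allowed here */
    pid_t child = fork();
    if (child < 0) return XC_SETUP;
    if (child == 0) _exit(check_inside(parent_ns));
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return XC_SETUP;
    return WEXITSTATUS(status);
}

/* Returns NS_OK when a child lands as pid 1 in a distinct pid namespace with
 * /proc remounted, NS_MISMATCH when isolation did not take effect, and
 * NS_UNAVAILABLE when the kernel or sandbox refused to set it up. */
int pid_namespace_check(void) {
    char parent_ns[128];
    if (read_pid_ns(parent_ns, sizeof parent_ns) != 0) return NS_UNAVAILABLE;
    pid_t mid = fork();
    if (mid < 0) return NS_UNAVAILABLE;
    if (mid == 0) _exit(isolate_and_check(parent_ns));
    int status;
    if (waitpid(mid, &status, 0) < 0 || !WIFEXITED(status)) return NS_UNAVAILABLE;
    int code = WEXITSTATUS(status);
    if (code == XC_OK) return NS_OK;
    if (code >= 20) return NS_MISMATCH;
    return NS_UNAVAILABLE;
}

int main(void) {
    int r = pid_namespace_check();
    if (r == NS_OK) puts("ok: pid 1 in a new pid namespace with /proc remounted");
    else if (r == NS_UNAVAILABLE) puts("unavailable: namespaces refused in this environment");
    else puts("mismatch: isolation did not take effect");
    return r == NS_MISMATCH;
}
```

Without the proc remount the getpid() check still passes but the readlink through the host's /proc would show the process under its outer pid, and `ps` inside the container would list every process on the box, which is the leak Vinod's "containers to see other containers" comment is about; the dependency between the two isolators is why the review asks for filesystem/shared to be pulled in automatically.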