mesos-dev mailing list archives

From "Ian Downes" <ian.dow...@gmail.com>
Subject Re: Review Request 31444: Support chrooting in MesosContainerizer launch helper.
Date Wed, 04 Mar 2015 02:03:06 GMT


> On Feb. 27, 2015, 10:27 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/launch.cpp, lines 375-376
> > <https://reviews.apache.org/r/31444/diff/1/?file=876502#file876502line375>
> >
> >     Some of my findings regarding pivot_root. It's quite subtle:)
> >     
> >     This works:
> >     ```
> >     [vagrant@localhost ~]$ sudo unshare -m
> >     [root@localhost vagrant]# ls
> >     busybox
> >     [root@localhost vagrant]# mount --make-rslave /
> >     [root@localhost vagrant]# mount --bind busybox/ busybox/
> >     [root@localhost vagrant]# mount --make-private busybox/
> >     [root@localhost vagrant]# cd busybox/
> >     [root@localhost busybox]# pivot_root . mnt
> >     ```
> >     
> >     This does not work:
> >     ```
> >     [root@localhost vagrant]# unshare -m
> >     [root@localhost vagrant]# mount --make-rslave /
> >     [root@localhost vagrant]# cd busybox/
> >     [root@localhost busybox]# mount --bind . .
> >     [root@localhost busybox]# mount --make-private .
> >     [root@localhost busybox]# pivot_root . mnt/
> >     pivot_root: failed to change root from `.' to `mnt/': Device or resource busy
> >     ```

The first part works but doesn't enable propagation of mounts from the host to the container,
e.g., as persistent resources are added and removed by the slave. 

I can eliminate the old_root bind mount in favor of a bind mount of the new_root, but it must
be a slave, rather than private, i.e., as you've got but "mount --make-slave busybox/". Could
you please verify that works under your setup?


- Ian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31444/#review74382
-----------------------------------------------------------


On Feb. 25, 2015, 2:48 p.m., Ian Downes wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31444/
> -----------------------------------------------------------
> 
> (Updated Feb. 25, 2015, 2:48 p.m.)
> 
> 
> Review request for mesos, Chi Zhang, Dominic Hamon, Jay Buffington, and Jie Yu.
> 
> 
> Bugs: MESOS-2350
>     https://issues.apache.org/jira/browse/MESOS-2350
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Optionally take a path that the launch helper should chroot to before exec'ing the executor.
> It is assumed that the work directory is mounted to the appropriate location under the chroot.
> In particular, the path to the executor must be relative to the chroot.
> 
> Configuration that should be private to the chroot is done during the launch, e.g. mounting
> proc and statically configuring basic devices. It is assumed that other configuration, e.g.,
> preparing the image, mounting in volumes or persistent resources, is done by the caller.
> 
> Mounts can be made to the chroot (e.g., updating the volumes or persistent resources)
> and they will propagate into the container but mounts made inside the container will not
> propagate out to the host.
> 
> It currently assumes that at least {{chroot}}/tmp is writeable and that mount points
> {{chroot}}/{tmp,dev,proc,sys} exist in the chroot.
> 
> This is specific to Linux.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/launch.hpp 7c8b535746b5ce9add00afef86fdb6faefb5620e 
>   src/slave/containerizer/mesos/launch.cpp 2f2d60e2011f60ec711d3b29fd2c157e30c83c34 
> 
> Diff: https://reviews.apache.org/r/31444/diff/
> 
> 
> Testing
> -------
> 
> Manual testing only so far. This is harder to automate because we need a self-contained
> chroot to execute something in... Suggestions welcome.
> 
> 
> Thanks,
> 
> Ian Downes
> 
>
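The mount-propagation sequence Ian and Jie are discussing (make the namespace rslave, bind the new root onto itself, make it slave rather than private, then pivot_root), as an added example that is not part of the review or of Mesos. It also carries the check Ian asks for: after pivoting, a mount the host makes under the chroot should appear inside, and a mount made inside should not appear on the host. The function and variable names (pivot_demo, classify_mountinfo_line, find_mount_line, mount_propagation, is_mountpoint_here) are this example's own, and it assumes Linux, root, util-linux's unshare, pivot_root and mount, and an unshare new enough to accept --propagation unchanged (older unshare leaves propagation alone by default and the flag can simply be dropped). The mountinfo helpers at the top run unprivileged.

```shell
#!/bin/sh
# Added example, not Mesos code: the rslave + bind + slave + pivot_root
# sequence from the review, plus /proc/self/mountinfo propagation checks.
set -eu

# Print the propagation type of one mountinfo line:
# shared, slave, shared-slave, private or unbindable.
classify_mountinfo_line() {
  printf '%s\n' "$1" | awk '{
    shared = 0; master = 0; unb = 0
    for (i = 7; i <= NF && $i != "-"; i++) {      # optional fields end at "-"
      if ($i ~ /^shared:/) shared = 1
      else if ($i ~ /^master:/) master = 1
      else if ($i == "unbindable") unb = 1
    }
    if (unb) print "unbindable"
    else if (shared && master) print "shared-slave"
    else if (shared) print "shared"
    else if (master) print "slave"
    else print "private"
  }'
}

# From mountinfo on stdin, print the line of the mount containing path $1
# (longest mount-point prefix wins; field 5 is the mount point).
find_mount_line() {
  awk -v p="$1" '
    ($5 == "/" || $5 == p || substr(p, 1, length($5) + 1) == ($5 "/")) &&
    length($5) > best { best = length($5); line = $0 }
    END { print line }'
}

# Propagation type of the mount containing $1 in the caller namespace.
mount_propagation() {
  classify_mountinfo_line "$(find_mount_line "$1" < /proc/self/mountinfo)"
}

# True if $1 is exactly a mount point in the caller namespace.
is_mountpoint_here() {
  awk -v p="$1" '$5 == p { f = 1 } END { exit (f ? 0 : 1) }' /proc/self/mountinfo
}

# Runs inside a fresh mount namespace; $1 is the rootfs directory. After the
# pivot only shell builtins are used, since the new root has no binaries.
child_script='
set -e
r=$1
mount --make-rslave /            # whole namespace becomes a slave of the host
mount --bind "$r" "$r"           # new_root must be a mount point for pivot_root
mount --make-slave "$r"          # slave, not private: keep receiving host mounts
mount --bind /proc "$r/proc"     # only so the builtin-only checks can read mountinfo
cd "$r"                          # cd AFTER the bind: an older cwd still names the old mount
pivot_root . mnt                 # old root is now at /mnt
cd /
echo ready > /ready              # tell the host we have pivoted
read _ < /go                     # wait for the host to mount something under the chroot
root=notslave; tmp=no
while read -r line; do
  set -- $line
  case "$5" in
    /) case "$line" in *master:*) root=slave ;; esac ;;
    /tmp) tmp=yes ;;
  esac
done < /proc/self/mountinfo
echo "root=$root tmp=$tmp" > /result
'

# Host side: build a throwaway rootfs, run the child, mount a tmpfs under the
# chroot while the child waits, and report what each side observed.
pivot_demo() {
  [ "$(id -u)" = 0 ] || { echo "pivot_demo: needs root" >&2; return 1; }
  rootfs=$(mktemp -d)
  mkdir -p "$rootfs/mnt" "$rootfs/proc" "$rootfs/tmp"
  mkfifo "$rootfs/ready" "$rootfs/go"
  # --propagation unchanged: newer unshare would otherwise make everything private first
  unshare -m --propagation unchanged sh -c "$child_script" sh "$rootfs" &
  pid=$!
  read _ < "$rootfs/ready"
  if is_mountpoint_here "$rootfs/proc"; then out=yes; else out=no; fi   # did the inner mount leak?
  mount -t tmpfs none "$rootfs/tmp"                                      # host adds a volume
  echo go > "$rootfs/go"
  wait "$pid"
  echo "$(cat "$rootfs/result") leaked_out=$out"
  umount "$rootfs/tmp"
  rm -rf "$rootfs"
}

case "${1:-}" in
  demo) pivot_demo ;;
esac
```

Run `sudo sh pivot_demo.sh demo`. The printed line has three fields: `root=` says whether the pivoted root is a slave (it has a `master:` entry in mountinfo), `tmp=` whether the host's tmpfs propagated into the container, and `leaked_out=` whether the container's proc mount became visible on the host. On a host whose root mount is shared, the intended result is `root=slave tmp=yes leaked_out=no`; if `root=notslave` and `tmp=no` come back, the host root is private (common inside another container), so there is no peer group to be a slave of and nothing can propagate in, which is the same effect Jie's `--make-private` produces. `mount_propagation /` can be run unprivileged to see which case a machine is in before trying the demo.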

