> On March 20, 2016, 7:08 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/network/cni/cni.cpp, lines 206-212
> > <https://reviews.apache.org/r/44706/diff/2/?file=1307515#file1307515line206>
> >
> > I suggest we save a rootDir in the isolator process. We can easily
> > switch to use a flag later. Also, we need to call 'realpath' here to make
> > sure it's a realpath.
> >
> > We also need to make sure ROOT_DIR is a self bind mounted directory
> > (slave+shared) so that namespace bind mount does not leak into containers.
>
> Qian Zhang wrote:
> Do you mean we call `realpath()` to get the real path of the const string
> `ROOT_DIR` first and then call `mkdir` with the real path as its parameter to
> create the directory?
>
> And can you please elaborate why the namespace bind mount can be leaked
> into containers if we do not make `ROOT_DIR` as a self bind mounted
> directory? I just want to know the rationale behind it :-)

I had the same question (about slave+shared bind mount). So read this
https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt .
Very interesting, and a valid comment.

- Avinash

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44706/#review124460
-----------------------------------------------------------

On March 20, 2016, 4:27 p.m., Qian Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44706/
> -----------------------------------------------------------
>
> (Updated March 20, 2016, 4:27 p.m.)
>
>
> Review request for mesos, Avinash Sridharan, Gilbert Song, and Jie Yu.
>
>
> Bugs: MESOS-4759
>     https://issues.apache.org/jira/browse/MESOS-4759
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Implemented isolate() method of "network/cni" isolator.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/network/cni/cni.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/network/cni/cni.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/44706/diff/
>
>
> Testing
> -------
>
> make check
>
>
> Thanks,
>
> Qian Zhang
>
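
A check related to the "slave+shared" comment in this thread, as an added example that is not part of the review or of the Mesos code base: it parses text in `/proc/self/mountinfo` format and reports whether a directory is a mount point carrying both a `shared:N` and a `master:N` tag. The function names, the path `/var/run/example/cni` and the sample lines are constructed for illustration.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Propagation state of one mount, read from the optional fields of a
// /proc/self/mountinfo line ("shared:N", "master:N").
struct Propagation {
  bool mounted = false;  // target is itself a mount point
  bool shared = false;   // member of a "shared:N" peer group
  bool slave = false;    // receives events from a "master:N" peer group
};

// Scans mountinfo text for `target`, which must already be a resolved real
// path because mountinfo records resolved mount points. The last matching
// line wins: later mounts stack on top of earlier ones.
Propagation lookup(const std::string& mountinfo, const std::string& target) {
  Propagation result;
  std::istringstream lines(mountinfo);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::vector<std::string> f;
    std::string tok;
    while (fields >> tok) f.push_back(tok);
    // id, parent, major:minor, root, mount point, options, [optional...], "-"
    if (f.size() < 7 || f[4] != target) continue;
    Propagation p;
    p.mounted = true;
    for (std::size_t i = 6; i < f.size() && f[i] != "-"; ++i) {
      if (f[i].rfind("shared:", 0) == 0) p.shared = true;
      if (f[i].rfind("master:", 0) == 0) p.slave = true;
    }
    result = p;
  }
  return result;
}

// True only for a mount point that is both slave and shared.
bool isSlaveShared(const Propagation& p) {
  return p.mounted && p.shared && p.slave;
}

// Constructed sample input (not captured from a real host).
const char* const SAMPLE =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "95 22 8:1 /var/run/example/cni /var/run/example/cni rw,relatime shared:40 master:1 - ext4 /dev/sda1 rw\n"
    "96 22 8:1 /var/run/example/other /var/run/example/other rw,relatime shared:1 - ext4 /dev/sda1 rw\n";
```

In the sample, the second directory is a plain self bind mount that still sits in the root's peer group (`shared:1`, no `master:`), so it is reported as not slave+shared.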
